Understanding the pct tag (percentage tag) in DMARC


The DMARC record you publish in your domain’s DNS tells receiving servers how you want them to handle illegitimate emails sent from your domain. Did you know that you can also instruct the receiving server to check only a prespecified percentage of emails to see if they are legitimate or not? You can do this with the pct tag (percentage tag) in your DMARC record.

What is the DMARC pct tag?

pct is an optional DMARC tag that lets domain owners specify the percentage of emails from their domain’s mail stream that will undergo authentication checks. So, setting the pct tag to 40 means that 40% of outgoing emails will be checked. This helps domain owners move gradually to stricter DMARC enforcement while keeping false positives to a minimum.

With this slow and strategic approach, domain owners can also watch for misconfigurations. Let’s say you start with pct=40. After a month, you might gain the confidence to enforce a stricter level of DMARC, so you change it to a higher percentage, for example pct=60. Once you are confident that there are no misconfigurations and you have the capacity to tolerate a few false positives, you can move to pct=100. This tag can be used to quarantine or reject emails.

However, some people use this tag in a way that defeats the purpose of DMARC deployment. They set the percentage tag to 0.

Why is pct=0 a problem?

You can set the percentage to any integer from 0 to 100, but setting it to 0 is equivalent to no DMARC, and setting it to 100 is the same as having no pct tag in place. If you don’t use the percentage tag, the selected policy is applied to 100% of the outgoing emails.

A DMARC record with ‘p=quarantine; pct=0’ means that the quarantine policy is applied to 0% of the domain’s outgoing emails. Essentially, it’s the same as setting ‘p=none,’ so it doesn’t stop spoofed messages. While this might be a step towards enforcement, it doesn’t actually enforce anything and isn’t effective at preventing email spoofing.

Using the pct tag for mailing lists

A few mailing lists rewrite the From: headers for domains whose DMARC policies are set to quarantine or reject. This is done so that messages from such domains can be delivered when sent through the list. This is also called munging.

It’s suggested that you set your DMARC record to p=quarantine; pct=0 for such emails. Munging doesn’t come into play for domains with p=none; it only activates when you switch to quarantine or reject. You won’t notice its effects until you start enforcing stricter rules. That’s why we recommend using p=quarantine; pct=0.

This way, you can safely observe the potential impact of enforcement before fully committing to it.

Start DMARC enforcement today

Moving to the strictest DMARC configurations takes time, experience, and knowledge. You also have to be really efficient at monitoring the DMARC reports, and we know how confusing that can be. So, allow us to help you with this.
