The DMARC pct Tag Explained: How to Gradually Roll Out Enforcement
Learn what the DMARC pct tag does, how email receivers interpret it, and how to use gradual rollout percentages to safely enforce your DMARC policy.
The pct tag is one of the most useful — and most misunderstood — parts of a DMARC record. It lets you apply your enforcement policy to only a percentage of failing emails, giving you a controlled way to roll out quarantine or reject without risking all your email at once.
What the pct Tag Does
The pct tag tells receiving mail servers what percentage of messages that fail DMARC should have the policy applied. The rest fall back to the next lower policy level.
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]
In this example, 25% of emails that fail DMARC are quarantined (sent to spam). The remaining 75% are treated as if the policy were p=none — delivered normally but reported.
| Policy | pct=25 behavior | pct=100 behavior |
|---|---|---|
| **p=quarantine** | 25% quarantined, 75% delivered | 100% quarantined |
| **p=reject** | 25% rejected, 75% quarantined | 100% rejected |
Notice the fallback behavior for reject: messages not selected for rejection fall back to quarantine, not to none. This is an important detail — even at low pct values, reject still provides meaningful enforcement.
Default is 100
If you omit the pct tag entirely, it defaults to pct=100. Every failing email gets the full policy applied. This is fine once you're confident in your setup, but risky if you're just starting enforcement.
How Receivers Interpret pct
When a receiving server processes an incoming email that fails DMARC, it checks the pct value and makes a random decision for each message. If the policy is p=reject; pct=50, each failing email has roughly a 50% chance of being rejected and a 50% chance of being quarantined.
This means:
- The selection is per-message, not per-sender or per-domain
- Over time, approximately the right percentage of failures will be affected
- Individual messages may or may not have the policy applied on any given delivery
- Aggregate DMARC reports will reflect the actual disposition for each message
Not all email providers implement pct identically. Major providers like Google, Microsoft, and Yahoo handle it correctly, but some smaller receivers may ignore it and apply the full policy regardless. This is rare, but worth knowing.
Practical Rollout Strategy
Here is a tested rollout schedule that balances safety with progress. Each step should run for one to two weeks while you monitor your aggregate reports.
Phase 1: Quarantine Rollout
v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]
Start at 10%. This affects only one in ten failing messages. Check your reports — if legitimate email is being quarantined, fix the authentication issue before continuing.
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]
Increase to 25%, then 50%, then remove the pct tag entirely (or set it to 100).
| Week | Record | Effect |
|---|---|---|
| 1-2 | `p=quarantine; pct=10` | 10% of failures quarantined |
| 3-4 | `p=quarantine; pct=25` | 25% of failures quarantined |
| 5-6 | `p=quarantine; pct=50` | 50% of failures quarantined |
| 7-8 | `p=quarantine` | 100% of failures quarantined |
Phase 2: Reject Rollout
Once quarantine is running at 100% with no legitimate failures, begin the same process with reject:
v=DMARC1; p=reject; pct=25; rua=mailto:[email protected]
| Week | Record | Effect |
|---|---|---|
| 9-10 | `p=reject; pct=25` | 25% rejected, 75% quarantined |
| 11-12 | `p=reject; pct=50` | 50% rejected, 50% quarantined |
| 13+ | `p=reject` | 100% rejected — full enforcement |
For more detail on the overall enforcement journey, see DMARC None vs Quarantine vs Reject and the DMARC Enforcement Guide.
Common pct Mistakes
Setting pct=0
A pct=0 value means the policy applies to zero percent of failing messages — effectively making your enforcement policy meaningless. Every failing email is treated as if the policy were one level lower.
# Don't do this — enforcement never kicks in
v=DMARC1; p=reject; pct=0; rua=mailto:[email protected]
If you want monitoring without enforcement, use p=none instead. It communicates the intent clearly and avoids confusion.
Forgetting to Increase pct
This is the most common mistake. You set pct=10 during initial rollout, verify everything looks good, and then never go back to increase it. Months later, 90% of your failing email is still being delivered.
Set a reminder to check your policy every two weeks during rollout. Each check should involve:
- Reviewing your DMARC aggregate reports for legitimate failures
- Confirming no new email services have been added without authentication
- Increasing the pct value if reports are clean
Using pct with p=none
The pct tag has no practical effect when combined with p=none. Since none already means "deliver everything," applying it to a percentage doesn't change anything. Receivers will deliver all messages regardless.
# pct has no effect here — none is already the lowest policy
v=DMARC1; p=none; pct=50; rua=mailto:[email protected]
Setting pct Too High Too Fast
Going from pct=10 to pct=100 in a single jump defeats the purpose of gradual rollout. If a problem exists that only affects certain senders or message types, you might not catch it at 10% but it could affect many messages at 100%. Step through 25%, 50%, and 75% to give yourself checkpoints.
The fo Tag: Better Reporting During Rollout
During enforcement rollout, you want maximum visibility into failures. The fo tag controls when forensic reports are generated:
| fo value | Generates report when |
|---|---|
| `fo=0` (default) | Both SPF and DKIM fail |
| `fo=1` (recommended) | Either SPF or DKIM fails |
| `fo=d` | DKIM fails regardless of alignment |
| `fo=s` | SPF fails regardless of alignment |
Setting fo=1 during your rollout gives you reports on partial failures — cases where SPF passes but DKIM fails, or vice versa. These are exactly the situations you need to catch before increasing your pct value.
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]; fo=1
Note that not all providers send forensic reports, but those that do will give you valuable debugging data during rollout.
Check Your Current pct Setting
Use the free DMARC record checker to see your current policy and pct value:
Need to update your pct value or generate a new DMARC record? DMARC Creator builds records with the right tags for your current rollout phase.
Keep Monitoring Through Every Phase
Each time you change your pct value, you need to watch what happens. The Email Deliverability Suite monitors your records daily and alerts you when dispositions change — so you know immediately if a pct increase is causing problems.
Never miss a DMARC issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring