DMARC glossary
What does the pct tag do in a DMARC record?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
The pct tag sets the percentage of failing mail your DMARC policy actually applies to. It's an integer from 0–100, defaulting to 100, and only meaningful with quarantine or reject. pct=25 asks receivers to enforce on roughly a quarter of failing messages and treat the rest one policy level down.
pct at a glance | |
|---|---|
| Tag | pct (percentage) |
| Valid values | Integer from 0 to 100 |
| Default | Defaults to 100 when omitted — the policy applies to all failing mail. |
| Where it goes | After the policy tags, e.g. v=DMARC1; p=quarantine; pct=50; |
How pct works
pct is a rollout-sampling control. When you first move a domain to quarantine or reject, applying the new policy to only a slice of failing mail limits the blast radius if you missed a legitimate sender. Messages outside the sample get the next policy level down: with p=reject; pct=25, roughly 25% of failing mail is rejected and the rest is quarantined. With p=quarantine; pct=25, the rest is treated as none — delivered normally.
Two honest caveats. First, receivers apply pct unevenly — some honor the sampling faithfully, others round it off or ignore it, so the split you get in practice is approximate at best. Second, DMARCbis, the upcoming revision of the DMARC spec, drops pct entirely. Treat it as a temporary ramp during rollout, never as a permanent state.
The failure mode to avoid is the forgotten ramp: a domain that went to p=reject; pct=10 two years ago and never moved. That domain is 90% unenforced while every dashboard reports it as “at reject.”
Correct record vs common mistake
Correct
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.comA deliberate rollout step: half of failing mail is quarantined while you watch the reports, with a plan to reach pct=100.
Common mistake
v=DMARC1; p=reject; pct=10Left in place, this rejects only ~10% of spoofed mail — the other 90% is merely quarantined. It reads as enforcement but isn't.
Generate your DMARC record
Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.
Used to show the exact host name to publish — the record itself doesn't contain it.
Start at none to observe, then tighten once reports look clean.
Where daily XML summaries are sent. Comma-separate multiple addresses.
Advanced options (sp, alignment, pct, ruf)
Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.
Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.
Same idea for the SPF (Return-Path) domain.
Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.
Per-message failure samples. Rarely sent by large providers; contains message data.
Your DMARC record
Publish this as a TXT record in your DNS.
_dmarc.yourdomain.com
v=DMARC1; p=none;
Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.
After you publish
- Add the TXT record at your DNS host and allow up to an hour for propagation.
- Verify it with the free DMARC checker.
- Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.
Troubleshooting pct
| Issue | Likely cause | Fix |
|---|---|---|
| Spoofed mail still reaching inboxes at p=reject | A pct below 100 is sampling — most failing mail gets the softer fallback treatment | Confirm senders are clean in the reports, then raise pct to 100 or remove the tag |
| Enforcement percentage doesn't match the pct value | Receivers apply pct unevenly — some honor it, some round, some ignore it | Treat pct as approximate; judge rollout progress from aggregate reports, not the tag value |
| Domain stuck at a low pct for months | Rollout stalled — the ramp step became the permanent state | Re-check reports for unaligned senders, fix them, and finish the ramp to full enforcement |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
A pct below 100 is invisible partial enforcement. Across 50–200 client domains, a handful stuck at pct=10 or pct=25 will pass a “has p=reject” audit while most of their spoofed mail still gets through. Unless you're auditing the full record string per tenant, you won't see it.
Trusted by MSPs
“We increased our meetings booked by 21% and slept better at night knowing our emails are now secured”
Marc-André Campagna — CEO, gaiia (YC 2021)Read the case study →

































Enforce it — don't just monitor it
Phased rollout is exactly what Palisade automates: it reads each domain's aggregate reports, confirms legitimate senders are aligned, and ramps enforcement to full reject — so no client domain gets abandoned mid-ramp at pct=25.
Free 15-day trial · No credit card · Your own domain free forever (NFR)