DMARC glossary

What does the pct tag do in a DMARC record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

The pct tag sets the percentage of failing mail your DMARC policy actually applies to. It's an integer from 0–100, defaulting to 100, and only meaningful with quarantine or reject. pct=25 asks receivers to enforce on roughly a quarter of failing messages and treat the rest one policy level down.

pct at a glance
Tagpct (percentage)
Valid valuesInteger from 0 to 100
DefaultDefaults to 100 when omitted — the policy applies to all failing mail.
Where it goesAfter the policy tags, e.g. v=DMARC1; p=quarantine; pct=50;

How pct works

pct is a rollout-sampling control. When you first move a domain to quarantine or reject, applying the new policy to only a slice of failing mail limits the blast radius if you missed a legitimate sender. Messages outside the sample get the next policy level down: with p=reject; pct=25, roughly 25% of failing mail is rejected and the rest is quarantined. With p=quarantine; pct=25, the rest is treated as none — delivered normally.

Two honest caveats. First, receivers apply pct unevenly — some honor the sampling faithfully, others round it off or ignore it, so the split you get in practice is approximate at best. Second, DMARCbis, the upcoming revision of the DMARC spec, drops pct entirely. Treat it as a temporary ramp during rollout, never as a permanent state.

The failure mode to avoid is the forgotten ramp: a domain that went to p=reject; pct=10 two years ago and never moved. That domain is 90% unenforced while every dashboard reports it as “at reject.”

Correct record vs common mistake

Correct

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com

A deliberate rollout step: half of failing mail is quarantined while you watch the reports, with a plan to reach pct=100.

Common mistake

v=DMARC1; p=reject; pct=10

Left in place, this rejects only ~10% of spoofed mail — the other 90% is merely quarantined. It reads as enforcement but isn't.

Generate your DMARC record

Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.

Used to show the exact host name to publish — the record itself doesn't contain it.

Start at none to observe, then tighten once reports look clean.

Where daily XML summaries are sent. Comma-separate multiple addresses.

Advanced options (sp, alignment, pct, ruf)

Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.

Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.

Same idea for the SPF (Return-Path) domain.

Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.

Per-message failure samples. Rarely sent by large providers; contains message data.

Your DMARC record

Publish this as a TXT record in your DNS.

Host / Name

_dmarc.yourdomain.com

Value (TXT)

v=DMARC1; p=none;

Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.

No rua address set — you'll get no aggregate reports, which means no visibility into who is sending as your domain. Add one before publishing.
p=none is monitoring mode: receivers report but deliver everything, including spoofed mail. It's the right starting point — plan to move to quarantine, then reject, once your reports show all legitimate senders passing.

After you publish

  1. Add the TXT record at your DNS host and allow up to an hour for propagation.
  2. Verify it with the free DMARC checker.
  3. Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.

Troubleshooting pct

IssueLikely causeFix
Spoofed mail still reaching inboxes at p=rejectA pct below 100 is sampling — most failing mail gets the softer fallback treatmentConfirm senders are clean in the reports, then raise pct to 100 or remove the tag
Enforcement percentage doesn't match the pct valueReceivers apply pct unevenly — some honor it, some round, some ignore itTreat pct as approximate; judge rollout progress from aggregate reports, not the tag value
Domain stuck at a low pct for monthsRollout stalled — the ramp step became the permanent stateRe-check reports for unaligned senders, fix them, and finish the ramp to full enforcement

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

A pct below 100 is invisible partial enforcement. Across 50–200 client domains, a handful stuck at pct=10 or pct=25 will pass a “has p=reject” audit while most of their spoofed mail still gets through. Unless you're auditing the full record string per tenant, you won't see it.

Trusted by MSPs

We increased our meetings booked by 21% and slept better at night knowing our emails are now secured
Marc-André CampagnaMarc-André Campagna CEO, gaiia (YC 2021)Read the case study →
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Phased rollout is exactly what Palisade automates: it reads each domain's aggregate reports, confirms legitimate senders are aligned, and ramps enforcement to full reject — so no client domain gets abandoned mid-ramp at pct=25.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

Apply the stated policy to roughly 25% of messages that fail DMARC. The remaining 75% are treated one policy level down — quarantine becomes none, reject becomes quarantine.

No — it has no effect. p=none already takes no action, and there's no level below it to fall back to. pct only matters with quarantine or reject.

It asks receivers to apply the policy to none of the failing mail — effectively monitor-only with the policy still advertised. Some receivers treat it specially, others don't; it's not a reliable configuration to depend on.

Yes — DMARCbis, the upcoming revision of the DMARC standard, drops pct. Use it as a short-lived rollout aid if at all, and finish at pct=100 (or just remove the tag, since 100 is the default).

Related terms

What is DMARC? Email authentication explained