D

DMARC pct Tag

Learn how the DMARC pct tag controls gradual policy enforcement and how DMARCeye tracks compliance as you move toward full authentication coverage.


What is the DMARC pct Tag?

The DMARC pct tag defined the percentage of failing messages that a domain owner's DMARC policy applied to. It was DMARC's only in-protocol way to roll out enforcement gradually: a record with pct=10 and p=quarantine was meant to tell receivers to quarantine 10% of failing mail and let the rest through. DMARCbis (RFC 9989, published May 2026) removes the pct tag, because receivers applied it inconsistently and it rarely did what operators expected.

Status update: DMARCbis removes the pct tag, but this is not a fire drill. Your existing records stay valid and receivers will not change how they treat your mail overnight. What changes is that a DMARCbis receiver treats any pct<100 as pct=100, so a partial percentage no longer holds anything back. The closest in-spec option is the new t (testing) tag: t=y puts a record in testing mode and downgrades the effective policy one step, so a p=reject record with t=y is treated as p=quarantine, while t=n enforces the stated policy. There is no percentage and no gradient, so DMARCbis does not give staged rollout a true replacement. That problem now sits with the operator.

For example, a record with pct=50 and p=quarantine was supposed to quarantine half of the messages that failed DMARC and deliver the rest. Because receivers honored intermediate values unevenly, the percentage a domain published and the percentage actually applied to its mail were rarely the same number.

How the DMARC pct Tag Worked

A DMARC record example using the pct tag:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=25
 

The intent here was for receivers to reject only 25% of unauthenticated messages so administrators could watch results before moving to full enforcement. In practice, most receivers reliably honored only pct=0 or pct=100, which is why the mechanism was removed.

When combined with aggregate reports, the pct tag was meant to help domain owners measure how policies affected different mail streams. Aggregate reports still do that job. The sampling tag does not.

What to Do If Your Records Still Use pct

  • There is nothing urgent to change. Your DMARC record stays syntactically valid, and receivers will not change your alignment behavior the day the spec lands.
  • Know the new behavior: a DMARCbis receiver treats pct<100 as full enforcement, so a partial percentage no longer softens your policy.
  • If you published a low percentage as a safety margin, plan to reach full alignment before that margin disappears. Use RUA aggregate reports to confirm every legitimate source passes SPF or DKIM.
  • For a supervised trial, t=y is the in-spec option, but treat it as a one-step policy downgrade rather than a percentage.

DMARC pct and DMARCeye

DMARCeye is built for the crossing that pct never handled well: moving from monitoring to enforcement without breaking legitimate mail. It flags unknown senders, shows what would fail under a stricter policy before you apply it, and points out legacy tags like pct so you can retire them on your own schedule.

By correlating authentication results with policy outcomes, DMARCeye keeps each tightening step data-driven and low-risk.

Sign up for a free trial of DMARCeye today and secure your email domain.


To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.


Similar posts

Get notified on new marketing insights

Be the first to know about new insights to build or refine your DMARC policy strategy.