94% of Companies Skip DMARC's Built-in Safety Mechanism

Q1 2026 data: only 6% of enforcing domains use DMARC's pct staged-rollout tag. Why most teams skip it, and why DMARCbis is removing it anyway.


DMARC has a built-in safety mechanism for tightening policy gradually. The mechanism is called staged rollout: apply the new rules to 25% of failing mail this week, 50% next week, 100% the week after. It's the official answer to "how do I roll this out without breaking my legitimate mail." In our Q1 2026 dataset, 94.1% of domains turning on quarantine and 93.5% of domains turning on reject apply policy at 100% from day one, so almost no one uses the safety mechanism. And, as it turns out, the upcoming DMARCbis standard (effectively DMARC 2.0) is about to remove it, probably for this reason.

This article unpacks the staged-rollout finding from DMARCeye's Q1 2026 industry report. The full report, with all 12 chart views and methodology, is below.

What pct Was Supposed to Do

The original DMARC standard (RFC 7489, 2015) included pct= as the safe-rollout knob. The intent: when a domain owner moves from p=none to p=quarantine or p=reject, they could set pct=10 first. Receiving servers would apply the new policy to 10% of failing messages and treat the other 90% as if the domain were still at p=none. If anything broke, you'd see it on a small slice of mail and could roll back before it hurt you.

The mechanism was designed to lower the perceived risk of moving to enforcement. In theory, you could ramp up: pct=10, watch reports; pct=25, watch; then pct=50; then pct=100. In practice, almost no one does this.

What the Q1 2026 Numbers Show

For each enforcing domain in our dataset (those at p=quarantine or p=reject), we looked at whether pct= was set and at what value:

  • p=quarantine domains: 94.1% at full enforcement (no pct= tag, or pct=100). 1.8% in late-stage rollout (50-99%). 3.0% in mid-stage (10-49%). 1.1% in early-stage (1-9%).
  • p=reject domains: 93.5% at full enforcement. 1.0% late-stage. 5.2% mid-stage. 0.3% early-stage.

Figure: Staged rollout usage among enforcing DMARC domains in Q1 2026: 94.1% of p=quarantine and 93.5% of p=reject domains apply policy at 100% from day one.
Source: DMARCeye Q1 2026 industry report

The 6% who do use staged rollout cluster mostly in the 10-49% range (mid-stage). This is the band where you'd expect to find domains testing a new policy on a meaningful slice of mail before going all-in. The early-stage band (1-9%) is essentially empty: under 1.5% of domains start cautious.

Why So Few Domains Use pct

The Q1 data shows the what, not the why. These are the patterns we see across customers, so treat them as informed guesses:

  • Most teams skip the rollout because they're already cautious. The teams that move from p=none to enforcement have usually spent weeks or months reading aggregate reports and authenticating senders. By the time they flip the switch, they're confident the legitimate mail is aligned. pct would slow them down for no benefit.
  • Tooling defaults skip pct. Most DMARC monitoring tools walk users from monitoring to enforcement without recommending pct= staging. The default workflow is documentation-first: know your senders, fix the unauthenticated ones, then go to 100%.
  • The reasoning gap is real. Setting pct=10 means 90% of failing mail is treated as if the policy doesn't apply. For some teams, that defeats the purpose: if you wanted partial enforcement, you'd stay at p=none. Either you're enforcing or you're not.
  • Some receivers apply pct inconsistently. Not all receiving mail servers honor pct= the same way. The standard says "apply policy to pct% of failing messages." Some receivers interpret that strictly, others approximate. The mechanism relies on receiver behavior the sender can't audit.

DMARCbis Is Removing pct Anyway

The forthcoming DMARCbis revision of the standard (in IETF working-group review at the time of the Q1 report) removes the pct= tag entirely. The replacement is a binary t=y testing flag: a domain is either in test mode or it isn't, with no percentage knob.

The reasoning, paraphrased from the working-group discussions: pct= turned out to be a feature most operators didn't use, applied inconsistently by receivers, and complicated to reason about. The binary t=y flag matches actual deployment patterns. If domain owners aren't ramping, the standard shouldn't pretend they are.

If you've been planning to use pct= in a future rollout, the Q1 data plus the DMARCbis direction together say "skip it." The 94% of enforcing domains that jumped straight to 100% will turn out to have made the right call. The standard is changing to match what they did.

What This Means for Your Rollout

If you're at p=none today and thinking about moving to enforcement, the practical path is:

  1. Read your aggregate reports for two to four weeks. The point of monitor-only is to see what's sending as your domain. DMARCeye's free plan covers one domain at no cost. Authenticate every legitimate sender for SPF or DKIM alignment, preferably both.
  2. Move directly to p=quarantine at 100%. Mail that fails goes to spam, not to /dev/null. Watch reports for another week or two. If you've done step 1 right, the only mail failing is impersonation.
  3. Move to p=reject at 100%. Failed mail is refused outright. The shift from quarantine to reject is invisible if you've authenticated cleanly.

Monitoring and report analysis tell you exactly what's authenticated and what isn't. Once you know, you don't need a percentage knob.

Check Your Current Posture

If you don't know what your domain currently publishes, the fastest way to find out is below. Type your domain to see your DMARC record (and SPF and DKIM, if published).
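
The rollout bands used in this article can be applied to any published record. The Python below is an added example, not DMARCeye's code: it takes the TXT value returned by a lookup of _dmarc.<your domain> (for instance with dig) and reports the policy, the pct value and the rollout band. The function names, the sample records and the "monitoring" and "pct=0" labels are assumptions of this example.

```python
import re

def parse_dmarc(txt):
    """Split a DMARC TXT value into a {tag: value} dict (lenient about spacing)."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue                      # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489 requires v=DMARC1 to be the first tag in the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags

def rollout_stage(txt):
    """Return policy, pct, rollout band and the DMARCbis t=y flag for one record."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    raw = tags.get("pct", "100")          # absent pct means 100 (RFC 7489)
    if not re.fullmatch(r"[0-9]{1,3}", raw) or int(raw) > 100:
        raise ValueError(f"pct must be an integer 0-100, got {raw!r}")
    pct = int(raw)
    if policy == "none":
        band = "monitoring"               # example label: not an enforcing domain
    elif pct == 100:
        band = "full"                     # no pct= tag, or pct=100
    elif pct >= 50:
        band = "late"                     # 50-99
    elif pct >= 10:
        band = "mid"                      # 10-49
    elif pct >= 1:
        band = "early"                    # 1-9
    else:
        band = "pct=0"                    # example label: outside the article's bands
    return {"policy": policy, "pct": pct, "band": band,
            "testing": tags.get("t", "").lower() == "y"}

# Constructed sample records, not taken from any real domain.
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com;",
    "v=DMARC1; p=none",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", rollout_stage(record))
```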

The Practical Takeaway

The Q1 2026 numbers say almost no one ramps DMARC enforcement gradually. The DMARCbis revision says they're right not to. The "safety mechanism" that pct= was supposed to be turned out to be a knob most operators ignored, partly because the right way to roll out enforcement is to not need a percentage knob in the first place. Document your senders. Authenticate them. Flip the switch.

 
