Implementing a strong DMARC policy is essential for protecting your domain from email spoofing and phishing attacks. DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a DNS-published policy through which a domain owner tells receiving mail servers how to treat messages that claim to come from the domain but fail SPF or DKIM alignment, and where to send reports about those messages. The DMARC pct tag plays a crucial role in this process by allowing you to enforce your policy gradually and limit the blast radius of a misconfiguration.
This article explains the benefits, use cases, and best practices for implementation of the DMARC pct tag. Let’s get started!
What is the DMARC pct Tag?
The DMARC pct ("percentage") tag is the part of a DMARC record that specifies what percentage of messages failing the DMARC check receivers should subject to the published policy (p=). You may include the pct tag explicitly or omit it. When it is not present, receivers use the default value of 100, so the policy defined by the domain owner is applied to every failing message.
Tags in a DMARC record are DNS-level instructions for the email receiving server. They are the primary components that make up the format or syntax of the DMARC record.
Why do you need the DMARC pct tag?
The pct tag is an often overlooked, but effective way to set up and test your domain’s DMARC policies. Here are some of the key reasons why you might need the DMARC pct tag:
- Gradual Implementation: pct allows for a gradual rollout of your DMARC policy. Instead of applying the policy to 100% of emails immediately, you can start with a smaller percentage, such as 10%, and then increase it over time as you gain confidence in your configuration and the impact on email delivery.
- Risk Mitigation: By applying the policy to a subset of emails, you can mitigate the risk of legitimate emails being rejected or marked as spam due to incorrect DMARC configuration.
- Testing and Tuning: It provides an opportunity to test and tune your email authentication setup. You can analyze the impact on a portion of your emails by monitoring your DMARC reports. You can then identify and resolve issues quickly to ensure that all legitimate emails are correctly authenticated before enforcing the policy more broadly.
Hence, the DMARC pct tag provides a more controlled and flexible approach to improving your domain’s and email’s security.
DMARC pct Use Cases
Example 1: v=DMARC1; p=reject; pct=100; rua=mailto:[email protected];
Explanation: In the DMARC DNS record shown above, the reject policy applies to 100% of the messages that fail DMARC. The pct tag never affects mail that passes; it only controls how much of the failing mail receives the full p= treatment.
The time it takes for a domain to go from not using DMARC at all to using the most restrictive settings is called the ramp-up period. It is intended to give domain owners time to find every legitimate sending source and become comfortable with the new settings. For some businesses this can take a few months. An instant upgrade to p=reject is possible, but uncommon, because of the risk of blocking legitimate mail and generating complaints. The pct tag was designed as a way to enforce DMARC policies gradually and make that roll-out safer: you apply the strict policy to a sample of the failing mail first and widen the sample as the reports stay clean, as in the case shown below:
Example 2: v=DMARC1; p=reject; pct=50; rua=mailto:[email protected];
Explanation: In this DMARC DNS record, the reject policy applies to only about 50% of the messages that fail DMARC. Per RFC 7489 (section 6.6.4), messages that are not selected by the sample receive the next less restrictive policy, so the other half of the failing volume is quarantined instead of rejected (and, had the record said p=quarantine; pct=50, the unselected half would be treated as p=none). Two caveats a practitioner should keep in mind: the sampling is performed by each receiver independently, so the 50/50 split is approximate and varies from one receiver to the next; and pct only changes the disposition, not the reporting, so your aggregate (rua) reports still cover all failing mail.
What will happen if you don’t include a pct tag in your DMARC record?
While creating a DMARC record using a DMARC record generator, you might choose not to define a pct tag and leave that field empty. In this case, the default setting for pct is set to 100, which means that your defined policy will apply to all your emails. Hence, if you want to define a policy for all your emails, a simpler way to go about it would be to leave the pct field blank, like in this example:
v=DMARC1; p=quarantine; rua=mailto:[email protected];
Warning: If you want an enforced policy for DMARC, do not publish a record with pct=0
The logic behind this is simple: if you define a reject or quarantine policy in your record, you want that policy to actually be applied to spoofed mail. Setting pct to 0 nullifies your effort, because the published policy is now applied to zero messages. Because receivers fall back to the next less restrictive policy for unselected messages, p=reject; pct=0 behaves like p=quarantine for all failing mail, and p=quarantine; pct=0 behaves like p=none. In the second case you have, in effect, a monitoring-only record that merely looks enforced.
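To make the sampling rule behind Examples 1 and 2, the default of 100 when pct is omitted, and the pct=0 warning above concrete, here is a small evaluator written for this article. It is an added example, not PowerDMARC code or a real receiver's implementation: it parses a DMARC TXT record, applies RFC 7489's "apply p= to pct% of failing messages, the next less restrictive policy to the rest" rule to one message that has already failed DMARC, and lints a record for the pitfalls discussed on this page. The rua address dmarc@example.com is a placeholder, and the random draw is an assumption standing in for whatever per-message sampling a given receiver uses.

```python
import random
from typing import Dict, List, Optional

# Added example for this article (not PowerDMARC's code). Assumptions: the rua
# address dmarc@example.com is a placeholder; the random draw models the
# per-message sampling that RFC 7489 leaves to each receiver.

VALID_POLICIES = ("none", "quarantine", "reject")
# RFC 7489 section 6.6.4: messages not selected by pct get the next less
# restrictive policy.
NEXT_LESS_RESTRICTIVE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into a tag dict (tags are 'name=value', ';'-separated)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' seen in published records
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    return tags


def effective_pct(tags: Dict[str, str]) -> int:
    """pct the receiver applies: an integer 0..100, defaulting to 100 when absent."""
    raw = tags.get("pct", "100")
    if not raw.isdigit() or not 0 <= int(raw) <= 100:
        raise ValueError(f"pct must be an integer 0..100, got {raw!r}")
    return int(raw)


def disposition(tags: Dict[str, str], sample: Optional[int] = None) -> str:
    """Disposition for ONE message that has already FAILED DMARC alignment.

    `sample` is the receiver's draw in 0..99; passing it explicitly makes the
    outcome reproducible.  sample < pct selects the message for the full p=
    policy, anything else gets the next less restrictive policy.
    """
    pct = effective_pct(tags)
    if sample is None:
        sample = random.randrange(100)
    if sample < pct:
        return tags["p"]
    return NEXT_LESS_RESTRICTIVE[tags["p"]]


def simulate(record: str, failing_messages: int = 10_000, seed: int = 1) -> Dict[str, int]:
    """Count what happens to `failing_messages` DMARC failures under `record`."""
    tags = parse_dmarc(record)
    rng = random.Random(seed)
    counts = {"reject": 0, "quarantine": 0, "none": 0}
    for _ in range(failing_messages):
        counts[disposition(tags, rng.randrange(100))] += 1
    return counts


def lint(record: str) -> List[str]:
    """Warnings worth seeing before publishing the record."""
    tags = parse_dmarc(record)
    pct, policy = effective_pct(tags), tags["p"]
    warnings: List[str] = []
    if "rua" not in tags:
        warnings.append("no rua= tag: you will receive no aggregate reports to tune with")
    if policy == "none":
        warnings.append("p=none is monitoring only; pct has no effect on disposition")
    elif pct == 0:
        warnings.append(f"pct=0 with p={policy}: every failing message gets "
                        f"{NEXT_LESS_RESTRICTIVE[policy]} instead, the record is not enforced")
    elif pct < 100:
        warnings.append(f"pct={pct}: only about {pct}% of failing mail gets p={policy}, "
                        f"the rest gets {NEXT_LESS_RESTRICTIVE[policy]}; raise toward 100")
    return warnings


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com;",
                "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.com;",
                "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com;",
                "v=DMARC1; p=reject; pct=0; rua=mailto:dmarc@example.com;"):
        print(rec, simulate(rec), lint(rec), sep="\n  ")
```

Running the block shows the four records from this page side by side: the pct=100 and the pct-omitted records apply their policy to every failing message, the pct=50 record splits failing mail roughly evenly between reject and quarantine, and the pct=0 record quarantines everything and never rejects, which is exactly why the warning above tells you not to publish it when you want enforcement.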
Note: To get the strongest protection against spoofing and make it as hard as possible for attackers to impersonate your domain, the target policy should be DMARC at p=reject; pct=100; (equivalently, p=reject with the pct tag omitted). Treat any pct below 100 as a temporary step on the way there, not a resting state.
Final Words
Your DMARC journey from start to finish can be time-consuming, and technically challenging. To make things easier and more streamlined, organizations choose PowerDMARC! Our experts assist you with all your email authentication needs with access to an intuitive DMARC analyzer platform.
Shift to DMARC enforcement safely by starting your DMARC journey with PowerDMARC. Take a free DMARC trial today!