
DMARC pct Tag: What It Is, Why You Need It

The pct tag in a DMARC (Domain-based Message Authentication, Reporting, and Conformance) record stands for percentage, and it helps you apply your DMARC policies gradually.

5/21/2025

What is the DMARC pct (percentage) tag?

A DMARC record contains an optional setting called the pct tag. This tag specifies the percentage of messages from a domain's mail stream that will be examined to determine if they pass authentication. A pct of 0 indicates that nothing will be checked, whereas a pct of 100 indicates that everything will be checked. The purpose of the pct tag was to enable domain owners to use DMARC enforcement in a "slow rollout," gradually increasing their trust in the system. It was intended to let domains switch to a stricter DMARC policy for a portion of the mail stream.


They could keep an eye out for issues and complaints with the new configuration while this was going on. If all goes according to plan, once they are certain they have found and fixed every problem, they could expand the size of that subset. The pct tag should be set to less than 100 only for a brief period. Furthermore, the definition of the pct tag in the DMARC standard, how most people think it works, and how it has been widely used around the world vary significantly. When the pct tag is misused, it might lead to more issues than it fixes.


The issue with DMARC pct=0

Domain owners can set pct to any integer between 0 and 100. Setting it to 100 is equivalent to having no pct tag at all. The policy will automatically apply to all messages, even those that fail authentication, if there is no pct tag. Setting the pct tag to 0 (zero) is only a minor improvement over having no policy at all.


DMARC records are increasingly being observed in the wild with the following settings: p=quarantine; pct=0. Because of this tag combination, 0% of the domain's message flow will be subject to the quarantine policy. Stated differently, this setting is equivalent to p=none. The quarantine policy's enforcement, which further diminishes its efficacy, is even more concerning.


Do not be deceived: "p=quarantine; pct=0" in a DMARC record indicates that enforcement is far away. On the path to enforcement, it might be a helpful first step. But keep in mind that, in terms of its capacity to prevent spoofed messages, it is essentially the same as p=none. The same lessons that apply to a p=none setting also apply here. If you want to collect information about your email ecosystem through aggregate reporting, a DMARC record with this setting can be a helpful starting point.
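
To make the point concrete, here is a small audit helper (an added example, not code from the original post) that parses a DMARC TXT record and reports how much of the mail stream is actually under enforcement. The function names and the sample records are constructed for illustration; the rules it applies are the ones stated above: a missing pct means 100, and p=quarantine with pct=0 protects no better than p=none.

```python
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def enforcement(record: str) -> dict:
    """Report the policy, the pct value and the share of mail actually enforced."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        raise ValueError(f"invalid or missing p tag: {policy!r}")
    raw = tags.get("pct", "100")          # absent pct behaves like pct=100
    if not (raw.isascii() and raw.isdigit()) or int(raw) > 100:
        raise ValueError(f"pct must be an integer from 0 to 100, got {raw!r}")
    pct = int(raw)
    if policy == "none":
        enforced, note = 0, "monitoring only; pct has no effect"
    elif pct == 0:
        enforced, note = 0, "no enforcement; same spoofing protection as p=none"
    elif pct < 100:
        enforced, note = pct, "partial rollout; raise pct after reviewing reports"
    else:
        enforced, note = 100, "full enforcement"
    return {"policy": policy, "pct": pct, "enforced_pct": enforced, "note": note}

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = [
    "v=DMARC1; p=quarantine; pct=0; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", enforcement(rec))
```
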


What Makes It Effective?

The primary reasons are:

  1. Gradual Rollout: To prevent unintentionally blocking valid emails, you may wish to test a more stringent policy (such as reject) on a portion of traffic initially.
  2. Testing and Monitoring: It allows you to keep an eye on how your policy modification is influencing email traffic without having an immediate effect. This is helpful while you're still fine-tuning your authentication configuration.
  3. Reducing Risk: It assists in identifying edge cases or setup errors without strictly enforcing a policy.


Why is it Important?

When switching from p=none (monitoring mode) to p=reject (the harshest policy), the DMARC pct tag is essential for progressively implementing and enforcing your DMARC policies. A low pct value, such as 0 or 10, is a good place to start when setting up DMARC. As you track and examine your aggregate reports, you should progressively raise it. You can spot possible security risks like phishing scams and email spoofing by looking over these DMARC reports and taking the necessary precautions. The pct tag also enables you to monitor the success of your DMARC policies over time, allowing you to make necessary modifications.


The pct tag serves a number of crucial purposes in the deployment of DMARC:

  1. Controlled DMARC Policy Rollout: It makes it possible to implement DMARC enforcement gradually, giving enough time for testing, monitoring, and optimization.
  2. Delivery Protection: By gradually raising the pct value, you can roll out your DMARC policy in stages and lessen the possible harm to valid email flows.
  3. Phased Testing: Prior to complete adoption, the pct tag offers a secure means of testing DMARC enforcement for various use cases and identifying alignment problems.


DMARC pct tag application for mailing lists

"p=quarantine; pct=0" makes sense in one use case, but only after you have had enough time to observe and comprehend your mail flow with p=none. In order for mail from domains at enforcement to be delivered when sent through the list, some mailing lists modify their From: headers when they see a domain at p=quarantine or p=reject. In Mailman, for example, this is referred to as "from munging." It won't have an effect until you alter your policy.

Therefore, it is reasonable to use: p=quarantine; pct=0. You can track the effects of going to enforcement after this policy is in place.


DMARC reports for this mail stream now go to the mailing list rather than to you, the domain owner, as the mailing list modifies the From: address to be its own. You will no longer be able to see this portion of your mail flow after this modification is made. Even though this will eventually occur when you move to enforcement, identifying the issue using a "p=quarantine; pct=0" configuration is completely incorrect. This problem highlights the importance of starting at p=none and closely monitoring your mail flow by analyzing DMARC reports, which clearly and accurately identify all senders and recipients.


Frequently Asked Questions

1. When the policy is set to none, does the pct tag still matter?

No. If the p=none policy is applied, the pct tag is ineffective because the policy merely monitors and does not impose any action.


2. What happens to the emails that make up the remaining percentage?

The DMARC policies (quarantine or reject) will not impact the remaining percentage.


3. When is the right time to use the pct tag?

Use it while implementing a strategy of incremental enforcement. For instance:

  1. Start with p=quarantine and pct=10.
  2. Track outcomes and address alignment and authentication problems.
  3. Increase gradually to pct=100.
