Last updated: July 2026
In short: The optional
pct=tag in a DMARC record declares the exact percentage of unauthenticated messages to which the enforcement policy (quarantineorreject) should be applied. It provides a vital safety mechanism for staging risk-free rollouts across enterprise domains.
When an organization transitions from monitoring (p=none) to strict enforcement (p=quarantine or p=reject), applying the policy immediately to 100% of global mail traffic carries inherent risk. If a critical third-party billing platform or CRM tool is still sending unaligned mail, an abrupt transition could cause broad delivery rejections. To mitigate this danger, RFC 7489 introduced the pct= (Percentage) tag.
How the pct= tag operates under RFC 7489
The pct= tag accepts any integer between 0 and 100. If omitted from the published TXT string, DMARC automatically defaults to 100.
According to RFC 7489, the protocol specifies:
pct: (plain-text integer between 0 and 100, inclusive; OPTIONAL; default is 100). Percentage of messages from the Domain Owner's mail stream to which the DMARC policy is to be applied.
The explicit purpose of this parameter under RFC 7489 is enabling incremental enforcement:
The purpose of the "pct" tag is to allow Domain Owners to enact a slow rollout enforcement of the DMARC mechanism.
A DMARC record utilizing percentage throttling looks like this:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com
In this deployment, receiving mail servers apply the quarantine policy to exactly 25% of failing messages. The remaining 75% are treated as if the domain were configured with p=none (they are delivered normally while being recorded in XML aggregate reports).
How verifiers process the unselected percentage
When a message fails DMARC evaluation and falls into the remaining unselected percentage slice (for instance, the remaining 75% when pct=25 is active), receiving gateways apply a deterministic fallback rule:
- Under
p=quarantinewithpct=25: 25% are placed into spam/quarantine, and the remaining 75% receivep=nonetreatment (delivered to the inbox). - Under
p=rejectwithpct=25: 25% are outright rejected (reject), while the remaining 75% step down to the next softer tier (quarantine).
Staging an enterprise rollout
A structured staged deployment plan allows administrators to verify alignment under real-world conditions without causing major outages:
- Phase 1:
p=quarantine; pct=10(Initial enforcement check catching edge cases with minimal impact). - Phase 2:
p=quarantine; pct=50(Broadening coverage once reports show clean alignment). - Phase 3:
p=quarantine(or explicitpct=100— full quarantine enforcement across all traffic). - Phase 4:
p=reject; pct=10(Cautious entry into strict rejection). - Phase 5:
p=reject(Complete protection against exact-domain spoofing).
Verifying your configuration
To check how your published percentage affects incoming mail streams and confirm your TXT record syntax complies with protocol standards, test your domain using the free MXAudit scanner.
To explore further technical concepts and step-by-step setup guides across specific providers, visit the DMARC hub and practical walkthroughs like IONOS DMARC setup.
Further reading
- RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC) (retrieved: July 16, 2026)