pct looks like a comfort knob.
Set p=quarantine; pct=10, wait a bit, then raise it to 25, 50, 100. On paper that sounds controlled and safe.
In production, it is useful but not magical. Some receivers treat pct as a hint, sampling details vary, and policy behavior is not guaranteed to be identical across mailbox providers. So the safest way to use pct is as one part of a rollout plan, not as the rollout plan itself.
If this is the first time seeing the DMARC tags in one place, keep DMARC record tag cookbook open in another tab and come back.
pct actually doespct tells receivers what percentage of DMARC-failing mail should get the policy action from p (or sp for subdomains).
Example:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.comThat means: "for about 25% of failing messages, apply quarantine; for the rest, behave more like monitoring."
Two details that often get missed:
pct does nothing for messages that already pass DMARC.pct does nothing to fix alignment problems. It only changes enforcement share for failures.So if a legitimate sender fails alignment, pct only reduces blast radius; it does not remove risk.
pct is not a universal safety netThis is the part teams discover the hard way.
Even with a low pct, bad outcomes can still happen if a critical sender is misconfigured. Sampling is not necessarily distributed the way you hope (for example by source, campaign, or business unit), and receiver behavior can differ.
Also, the mailbox where leadership notices issues first might belong to a provider that applies policy more aggressively than expected. So "it was only 10%" is not always comforting during an incident review.
Practical framing: use pct to smooth enforcement, but validate sender alignment as if pct=100 could matter tomorrow.
This pattern is intentionally conservative. It works well for mixed environments where mail is sent from multiple SaaS tools, on-prem relays, and one or two legacy apps.
p=none while building sender inventory from aggregate reports.p=quarantine; pct=10 and hold long enough to observe a full business cycle.p=reject after quarantine is stable, optionally repeating staged pct.When "full business cycle" sounds vague, think payroll notices, monthly invoices, support workflows, and any automated system that only sends on certain days.
If you want the broader process context, A (sane) DMARC setup process for busy domains and DMARC setup stage 3 - test & adjust map closely to this approach.
Start (monitoring):
v=DMARC1; p=none; rua=mailto:dmarc@example.comFirst enforcement step:
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.comMid rollout:
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.comFull quarantine:
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.comFinal posture for many domains:
v=DMARC1; p=reject; rua=mailto:dmarc@example.compct increaseKeep this checklist short and operational:
example.comIf one step creates noise, freeze there. Do not keep increasing pct on calendar autopilot.
Behavior differs by ecosystem, so official sender guidance is still useful when triaging odd cases:
pct is a throttle, not a seatbelt.
It helps stage enforcement, but the real safety work is still sender discovery, SPF/DKIM alignment, and careful observation between changes. Teams that treat pct this way usually reach p=reject with fewer surprises and fewer emergency rollbacks.