So, you have decided to jump on the DMARC bandwagon? As mail providers like Google and Yahoo have made DMARC a standard practice starting in 2024, many organizations are now recognizing the importance of implementing the email authentication protocol to mitigate the risks of phishing and spoofing and enhance security. 

If you’re one of the organizations embracing DMARC as part of your cybersecurity strategy but are struggling to determine your DMARC policy or the “pct” tag, you’re in the right place. 

In this blog, we will take you through the basics of the DMARC pct (percentage) tag and its relevance in advancing policies. 

 

What is DMARC pct Tag?

Considering how frequent and grave spoofing attacks have become, implementing DMARC the right way, with configurations tailored to your organization’s needs, could significantly transform your security strategy. One such configuration employed in your DMARC record is the pct tag. 

The pct tag, or DMARC percentage tag, is used to specify the percentage of email messages that should be subjected to the DMARC policy. Specifying the percentage of emails that should be subjected to email authentication tests lets you monitor and fine-tune the configuration of the DMARC policy without impacting legitimate email traffic.

The pct value of the DMARC record published in the DNS for your domain can vary between 0 and 100, representing the percentage of messages that would undergo DMARC authentication.

Here’s how the pct tag would appear in the DNS text record:

v=DMARC1; p=quarantine; rua=mailto:info@abc.com; pct=30

Here, the p=quarantine is implemented at 30%, which means that only 30% of the email messages sent from your domain would be sent to spam by the receiver’s mail servers if they fail authentication. 
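The sketch below is an added example, not code from the original article: it parses the record above, validates pct, and simulates how a receiver samples failing messages. The fallback for unsampled failures (reject drops to quarantine, quarantine drops to none) follows the message-sampling guidance in RFC 7489; the function names and the 10,000-message batch are constructed for illustration.

```python
import random

# Per RFC 7489, failing messages not selected by pct get the next-lower policy.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, validating v, p and pct."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("missing v=DMARC1")
    if tags.get("p") not in DOWNGRADE:
        raise ValueError("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if not (pct.isascii() and pct.isdigit()) or int(pct) > 100:
        raise ValueError("pct must be an integer from 0 to 100")
    tags["pct"] = int(pct)
    return tags


def disposition(tags, dmarc_pass, rng=random):
    """Policy a receiver applies to one message under this record."""
    if dmarc_pass:
        return "none"  # passing mail is never subject to the policy
    if rng.random() * 100 < tags["pct"]:
        return tags["p"]  # sampled: published policy applies
    return DOWNGRADE[tags["p"]]  # unsampled: next-lower policy


def simulate(record, failing_messages, seed=0):
    """Count dispositions for a constructed batch of failing messages."""
    tags, rng, counts = parse_dmarc(record), random.Random(seed), {}
    for _ in range(failing_messages):
        d = disposition(tags, False, rng)
        counts[d] = counts.get(d, 0) + 1
    return counts


if __name__ == "__main__":
    # Record from the article; 10,000 failing messages is a constructed sample.
    print(simulate("v=DMARC1; p=quarantine; rua=mailto:info@abc.com; pct=30", 10000))
```

Note that under this sampling rule a record with p=reject and pct=0 still results in quarantine for failing mail, which is worth knowing before publishing a reject policy at a low percentage.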

 

Why is it Important?

Are you wondering why you should even bother defining the pct tag while deploying the DMARC policy when it can be set to pct=0? Or can you simply set the pct tag at 100% at once and avoid the hassle of gradually increasing its percentage? 


 

Well, the pct tag is not a mandatory standard to follow, but it serves as a valuable tool when it comes to managing the rollout of DMARC policies. Implementing DMARC policies with a percentage tag set as low as 10% or 20% addresses concerns about the legitimacy of emails.  

In most cases, to bring down your spam score and ensure enhanced email delivery, it is recommended to rely on a phased approach and gradually move up to employing the ideal DMARC policy, that is, p=reject; pct=100. 

This strategic approach allows domain owners to gain insights into legitimate emails, identify loopholes in the DMARC policy, and take corrective actions without causing widespread disruptions.

 

How to Apply the pct Tag for DMARC Policy Progression?

Now that we have established that the process of setting DMARC policy is a gradual one, let’s take a look at the way you can move from p=none to p=quarantine, then p=reject, while maintaining the recommended DMARC compliance rate of 98%.

But before we get into the process, remember that DMARC compliance can be achieved only when your domains and IP addresses pass or align on SPF and DKIM. So, when tweaking your pct tag, make sure that your domain is properly configured with SPF and DKIM.

Here’s how to transition from p=none to p=reject; pct=100:

 

Start Small

While you may be tempted to play it safe and enforce pct=0, the thing is, setting the pct tag to 0 is as good as having no policy at all. With pct=0, it’s basically like keeping your front door open. This means you’re not actively protecting your domain against unauthorized activities and are allowing all emails, regardless of their authentication status, to be sent.

 

 

So, it is recommended to introduce the pct tag with a low percentage, such as 10% or 20%. Doing this will allow you to monitor a fraction of your emails and transition without making things go haywire. While you’re at it, make sure that you keep tabs on your DMARC reports.

 

Gradually Increase the Percentage

To keep spoofing attacks at bay and ensure that your legitimate emails land in the recipient’s inbox, the next step is to increase your pct tag numbers. Based on the observed results and your confidence in the DMARC deployment, you can now take the pct percentage from 20% to 50%. 

 

Make Adjustments, if needed

If you notice any problems and adjustments are required along the way, such as whitelisting legitimate sources or taking other corrective actions, make sure you implement them. 

 

Consider Full Enforcement

Once you are confident in the effectiveness of your DMARC deployment and have addressed any issues, consider setting the pct tag to 100% for full enforcement. After your domain reaches 100% Quarantine, start the entire process again, with “reject” increasing from 10% to 100%.

 

Maintain DMARC Enforcement

After you have taken the plunge and set the pct tag to 100%, it is now time to monitor the enforcement to ensure a secure email ecosystem and long-term DMARC compliance. To maintain your goal of full enforcement, make sure that you follow best practices, such as periodically checking your SPF records, regularly rotating the DKIM key, evaluating DMARC reports, and checking new sources of legitimate emails. 
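The progression described in the steps above can be expressed as a small gate, shown here as an added example rather than code from the article or from DuoCircle. It advances one rung only when the 98% compliance rate holds and lists the sources to fix first; the reject 50% rung, the rua address, the function names and the per-source counts are assumptions constructed for illustration.

```python
# Rollout ladder from the article: quarantine 10% -> 50% -> 100%, then reject.
# The intermediate reject 50% rung is an assumption mirroring the quarantine phase.
LADDER = [("none", 100), ("quarantine", 10), ("quarantine", 50),
          ("quarantine", 100), ("reject", 10), ("reject", 50), ("reject", 100)]
TARGET = 0.98  # compliance rate the article recommends maintaining
RUA = "mailto:dmarc-reports@example.com"  # placeholder reporting address

# Constructed aggregate-report summary: source -> (messages seen, DMARC passes).
SAMPLE = {"corporate-mta": (9000, 8990),
          "newsletter-vendor": (800, 640),
          "crm": (200, 200)}


def compliance(sources):
    """Overall DMARC pass rate from per-source (total, passed) counts."""
    total = sum(t for t, _ in sources.values())
    passed = sum(p for _, p in sources.values())
    return passed / total if total else 0.0


def failing_sources(sources):
    """Sources whose own pass rate is below target, worst first."""
    bad = [(name, p / t) for name, (t, p) in sources.items()
           if t and p / t < TARGET]
    return [name for name, _ in sorted(bad, key=lambda item: item[1])]


def next_step(policy, pct, sources, rua=RUA):
    """Advance one rung only when compliance holds; otherwise stay put."""
    rung = LADDER.index((policy, pct))  # ValueError if not a known rung
    rate = compliance(sources)
    if rate >= TARGET and rung < len(LADDER) - 1:
        rung += 1
    policy, pct = LADDER[rung]
    return {"record": f"v=DMARC1; p={policy}; pct={pct}; rua={rua}",
            "compliance": round(rate, 4),
            "fix_first": failing_sources(sources)}


if __name__ == "__main__":
    print(next_step("quarantine", 10, SAMPLE))
```

In the constructed sample the overall rate clears 98% even though one sender passes only 80% of the time, so the gate advances while still flagging that sender for SPF and DKIM fixes before enforcement tightens further.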

 

 

Conclusion

Struggling with DMARC enforcement for your domain? As you might already know, DIYing DMARC is not a good option when it comes to ensuring comprehensive protection, so it is recommended that you rely on experienced professionals to navigate the intricacies of DMARC enforcement.

At DuoCircle, we recognize the importance of proper DMARC implementation, especially in the face of rising cybersecurity threats. This is why we help generate the correct DMARC records for your business domain, maintain them for you, and provide you with timely reports.

To know more about how our team of experts can help you protect your domain, get in touch with us today! 
