Your DMARC record includes a pct= tag set to less than 100. Only a percentage of failing emails are subject to your DMARC policy; the rest are treated as if the policy were "none".
Set `pct=100` or remove the pct tag (defaults to 100%) once you're confident in your setup.
The pct= tag specifies what percentage of emails that fail DMARC should have the policy applied. For example, pct=25 means only 25% of failing emails are quarantined or rejected; the other 75% are delivered normally.
While pct= is useful for gradually rolling out DMARC enforcement, leaving it at less than 100% means a significant portion of spoofed emails will still be delivered.
Check your DMARC record for the pct tag.
```
dig +short TXT _dmarc.yourdomain.com
# Look for pct= in the output
```

Before increasing pct, review your aggregate reports to ensure legitimate email is passing authentication.
Update the DMARC record to enforce the policy on all failing emails.
Before:

```
v=DMARC1; p=reject; pct=25; rua=mailto:[email protected]
```

After:

```
v=DMARC1; p=reject; rua=mailto:[email protected]
```

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.
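The check and the fix above can also be verified from the command line. The script below is an added example, not part of the original page: the function names `dmarc_tag` and `check_dmarc_pct` are hypothetical, the sample records use the placeholder domain example.com, and `dig` is only needed when a domain is passed as an argument.

```shell
#!/bin/sh
# Added example: flag DMARC records whose pct tag leaves enforcement partial.

# Print the value of one tag ($2) from a DMARC record ($1); empty if absent.
# Tags are "name=value" pairs separated by ';' with optional whitespace.
dmarc_tag() {
    printf '%s\n' "$1" | awk -v want="$2" 'BEGIN { RS = ";" } {
        eq = index($0, "=")
        if (eq == 0) next
        name = substr($0, 1, eq - 1); value = substr($0, eq + 1)
        gsub(/^[ \t\n]+|[ \t\n]+$/, "", name)
        gsub(/^[ \t\n]+|[ \t\n]+$/, "", value)
        if (tolower(name) == want) { print value; exit }
    }'
}

# Print a verdict for a TXT record as returned by dig (quotes allowed).
# Returns 0 = policy applied to all failing mail, 1 = partial or no
# enforcement, 2 = not a usable DMARC record.
check_dmarc_pct() {
    record=$(printf '%s' "$1" | tr -d '"')
    case "$record" in
        v=DMARC1*) ;;
        *) echo "no DMARC record found"; return 2 ;;
    esac
    policy=$(dmarc_tag "$record" p)
    pct=$(dmarc_tag "$record" pct)
    pct=${pct:-100}   # pct omitted: defaults to 100
    case "$pct" in
        *[!0-9]*) echo "invalid pct value: $pct"; return 2 ;;
    esac
    if [ -z "$policy" ] || [ "$policy" = "none" ]; then
        echo "p=${policy:-missing}: no enforcement at any pct"; return 1
    elif [ "$pct" -lt 100 ]; then
        echo "p=$policy applied to only $pct% of failing mail"; return 1
    fi
    echo "p=$policy applied to 100% of failing mail"
}

if [ "$#" -gt 0 ]; then
    # Live check, using the same dig query shown above.
    check_dmarc_pct "$(dig +short TXT "_dmarc.$1")"
else
    # Constructed sample records (example.com is a placeholder).
    check_dmarc_pct '"v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com"' || true
    check_dmarc_pct '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"' || true
fi
```

Run it with a domain name as the only argument to query live DNS; the exit status makes it usable in a scheduled check.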
It means 100% of emails that fail DMARC authentication will have the policy applied. This is the default if the pct tag is omitted.
Yes, pct is designed for gradual rollout. A typical path is: p=quarantine;pct=10 -> pct=50 -> pct=100, then p=reject;pct=10 -> pct=50 -> pct=100.
Emails that fall outside the pct percentage are treated as if the policy were p=none. They are still reported in aggregate reports, but no enforcement action is taken.