Hi Andreas,
That's a great question. The main reason the specs include *pct*, and a
domain owner would use it, is to slowly transition when changing their
policy.
There is more to *pct* than just "apply the policy to 0% of all messages".
It is actually:
*pct=X* - Apply the policy to X of messages that fail DMARC. Apply the
next-most restrictive policy to remaining emails that fail DMARC.
So *p=reject; pct=25* would mean to reject 25% of messages that fail DMARC
and quarantine the rest. Similarly, properly applying the service.com
record would mean that any messages failing DMARC should have the
Quarantine action applied.
With respect to specifically *pct=0*, it can be used to account for
receivers that treat messages differently based on the DMARC policy. For
example, a lot of mailing lists apply solutions to prevent DMARC-based
issues these days... however they are often not applied to a domain at
*p=none*. Some will only apply modifications if the policy is quarantine.
If you aren't ready to move from *p=none*, but you want to stop seeing the
failures reported for these mailing list messages, you can set *p=quarantine,
pct=0*, and effectively you still have a *none* policy, but as the mailing
list server sees the p=quarantine, they apply the "fix" and the messages no
longer fail DMARC.
In at least one case, I have seen a system that will only apply a "fix" for
DMARC if the policy is set to p=reject. So accordingly, if you were not
ready to move from *quarantine*, or perhaps have no intention of moving
past *quarantine*, then *p=reject, pct=0* is asking receivers to apply
their quarantine action, but it would also result in the mailing list provider
applying their "reject only" fix.
For reference from the RFC:
6.6.4. Message Sampling
If the "pct" tag is present in the policy record, the Mail Receiver
MUST NOT enact the requested policy ("p" tag or "sp" tag") on more
than the stated percent of the totality of affected messages.
However, regardless of whether or not the "pct" tag is present, the
Mail Receiver MUST include all relevant message data in any reports
produced.
If email is subject to the DMARC policy of "quarantine", the Mail
Receiver SHOULD quarantine the message. If the email is not subject
to the "quarantine" policy (due to the "pct" tag), the Mail Receiver
SHOULD apply local message classification as normal.
If email is subject to the DMARC policy of "reject", the Mail
Receiver SHOULD reject the message (see Section 10.3). If the email
is not subject to the "reject" policy (due to the "pct" tag), the
Mail Receiver SHOULD treat the email as though the "quarantine"
policy applies. This behavior allows Domain Owners to experiment
with progressively stronger policies without relaxing existing
policy.
On Thu, Dec 28, 2017 at 8:00 AM, A. Schulze via dmarc-discuss <
[email protected]> wrote:
>
> Hello,
>
> I found messages from the domain "service.com". The DMARC record says
> p=reject. But these messages pass my MX while OpenDMARC clearly says
> "dmarc=fail".
> It took some time until I noticed "pct=0": "apply the policy to 0% of all
> messages".
>
> Why would a domain owner do that? Why does the spec allow that? (it does, right?)
>
> It's a little bit confusing...
>
> Andreas
>
>
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
--
Todd Weltz, Customer Success Engineer
[email protected] l M: 416.471.8633 l www.agari.com
Changing Email Security For Good
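
The sampling rule discussed in this message and in the quoted RFC section, as an added Python example that is not part of the original thread or of any DMARC implementation. The names `parse_policy`, `expected_split` and `disposition` are hypothetical, the sample records are constructed, and "none" here means "no DMARC action, local classification as normal".

```python
import random

# What happens to a failing message that falls outside the pct sample
# (RFC 7489 section 6.6.4): reject -> quarantine, quarantine -> no DMARC action.
FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_policy(record):
    """Return (p, pct) from a DMARC TXT record; pct defaults to 100."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "").lower()
    if policy not in FALLBACK:
        raise ValueError("missing or invalid p= tag")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # assumption of this sketch: unparsable pct -> default
    return policy, max(0, min(100, pct))


def expected_split(record):
    """Share of DMARC-failing mail per action, as fractions summing to 1."""
    policy, pct = parse_policy(record)
    split = {"reject": 0.0, "quarantine": 0.0, "none": 0.0}
    split[policy] += pct / 100
    split[FALLBACK[policy]] += 1 - pct / 100
    return split


def disposition(record, dmarc_pass, rng=random):
    """Action for one message at a receiver that follows section 6.6.4."""
    if dmarc_pass:
        return "none"
    policy, pct = parse_policy(record)
    # randrange(100) is 0..99, so pct=0 never selects the requested policy
    # and pct=100 always does.
    return policy if rng.randrange(100) < pct else FALLBACK[policy]


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    for rec in ("v=DMARC1; p=reject; pct=25", "v=DMARC1; p=quarantine; pct=0",
                "v=DMARC1; p=reject; pct=0"):
        print(rec, "->", expected_split(rec))
```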