DMARC uses SPF and DKIM alignment to enforce email authentication policy — p=none (monitor), p=quarantine (spam folder), p=reject (block). Sends aggregate and forensic reports.
Start with p=none to understand your email ecosystem before enforcing. Progress to p=quarantine → p=reject over weeks/months. DMARC p=reject is the only setting that actually prevents spoofing of your domain. Required by CISA, major email providers increasingly require it.