SPF and DKIM individually tell a receiver if a message is authentic. DMARC is the policy that says what to do with the answer:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100
Key tags:
p=none— monitor only; receivers send you reports but don't block anything. Good for the first 30 days.p=quarantine— send failing messages to spam.p=reject— bounce failing messages outright. The strongest setting; use only after SPF and DKIM are confirmed clean.rua— the email address that receives aggregate reports (one daily summary per receiver).
DMARC also requires SPF or DKIM to be aligned with the From: header domain — meaning the authentication has to match the visible sender, not just any header.