DMARC

Domain-based Message Authentication, Reporting and Conformance -- a DNS policy that tells receivers what to do when SPF or DKIM fails for a message claiming to be from your domain.

DMARC (Domain-based Message Authentication, Reporting and Conformance, RFC 7489) is the policy layer that builds on SPF and DKIM. The TXT record at _dmarc.<domain> declares: when a message claims to be from this domain but neither SPF nor DKIM passes with an identifier aligned to that domain, what should the receiver do (none, quarantine, reject) -- and where should the receiver send aggregate failure reports.

Key tags: p= (policy: none for monitoring, quarantine for spam folder, reject for outright rejection), sp= (subdomain policy; defaults to p= if absent), pct= (percentage of failing mail to apply the policy to; defaults to 100), rua= (where to send daily aggregate reports), and ruf= (per-message forensic reports, rarely supported by receivers).

Common silent misconfigurations: a strong apex policy (p=reject) paired with a weak subdomain policy (sp=none) lets attackers spoof from any unused subdomain; pct < 100 means receivers only enforce on a fraction of failing mail; missing rua= leaves the operator blind to spoof attempts and legitimate-sender breakages.
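The tag syntax and defaults above, plus the three silent misconfigurations, can be checked mechanically. The following is an added example (not code from the original page): a small parser that turns a DMARC TXT record into a tag map, resolves the sp= and pct= defaults, and reports the weaknesses named above. The record strings are constructed for illustration, and no DNS lookup is performed; in practice the input is the TXT record fetched from _dmarc.<domain>.

```python
"""Parse a DMARC TXT record and flag the silent misconfigurations described above.

Added example, not from the original page. Sample records are constructed;
no DNS query is made (the record would normally be fetched from _dmarc.<domain>).
"""

# Ordering used to compare apex policy (p=) against subdomain policy (sp=).
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict.

    Tag names are treated case-insensitively; values are kept as written.
    Empty segments (e.g. a trailing ';') are ignored.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not declare v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    return tags


def effective_policy(tags: dict) -> dict:
    """Resolve defaults: sp= falls back to p=, pct= falls back to 100."""
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct= out of range: {pct}")
    return {"p": p, "sp": sp, "pct": pct, "rua": tags.get("rua"), "ruf": tags.get("ruf")}


def audit_dmarc(record: str) -> list[str]:
    """Return findings for the weaknesses named on this page.

    An empty list means none of those specific issues were found; it does not
    certify that the record is otherwise correct or that SPF/DKIM are set up.
    """
    tags = parse_dmarc(record)
    eff = effective_policy(tags)
    findings = []
    if eff["p"] not in POLICY_STRENGTH or eff["sp"] not in POLICY_STRENGTH:
        return ["unknown policy value in p= or sp="]
    if eff["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if POLICY_STRENGTH[eff["sp"]] < POLICY_STRENGTH[eff["p"]]:
        findings.append(
            f"sp={eff['sp']} is weaker than p={eff['p']}: unused subdomains are spoofable"
        )
    if eff["pct"] < 100:
        findings.append(f"pct={eff['pct']}: policy applied to only {eff['pct']}% of failing mail")
    if not eff["rua"]:
        findings.append("no rua=: no aggregate reports, operator is blind to failures")
    return findings


if __name__ == "__main__":
    # Constructed sample records for illustration.
    samples = {
        "strong": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
        "weak-subdomain": "v=DMARC1; p=reject; sp=none; pct=50;",
        "monitor-only": "v=DMARC1; p=none",
    }
    for name, rec in samples.items():
        print(f"{name}: {audit_dmarc(rec) or ['no findings']}")
```

The strong record yields no findings; the second one trips all three misconfiguration checks at once, which is exactly the combination that looks enforced at the apex while leaving subdomains and half of the failing mail unprotected.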

DMARC enforcement (p=quarantine or p=reject) is also the gate for BIMI logo display in major receivers.
