From the time an email is sent to the point when it arrives in your inbox, DMARC, SPF and DKIM work together to ensure authentication in three simple steps.
policy to reject
SPF is the missing link that decides which mail servers are authorized to send mail from your organization’s domain.
By using a digital signature, DKIM validates the domain’s identity associated with an email.
DMARC gives email senders an opportunity to show that their messages are protected, and tells receivers what to do if one of the authentication methods passes or fails.
Information source: DMARC.org