DKIM
DKIM cryptographically signs outgoing messages; the public key, published in DNS, lets recipients verify the origin and integrity of the message. It is the technical proof that mail genuinely comes from the domain.
In practice
The signature is applied at the sending server, selector by selector — which allows key rotation without interruption. Keys of 2048 bits, dated selectors, verification after any infrastructure change: the routine is short, the benefit permanent. Without aligned DKIM, DMARC protects nothing.