DKIM and DMARC are often mentioned together, but they operate at different layers. DKIM cryptographically signs your messages so receivers can verify they weren't altered and came from your domain. DMARC sits on top, telling receivers how to handle mail that fails authentication and where to send reports.
DKIM is a mechanism; DMARC is a policy. Without DMARC, a DKIM failure has no defined consequence. Without DKIM (or SPF), DMARC has nothing to enforce. They're layers of the same defense.
At a glance
Aspect
DKIM
DMARC
Role
Signs and verifies messages
Sets policy for failures
Layer
Authentication mechanism
Enforcement and reporting
Depends on
Nothing else to function
SPF and/or DKIM with alignment
Output
Pass/fail signature check
none / quarantine / reject action
Reporting
None built in
Aggregate and forensic reports
When to use DKIM
You want to prove message integrity with a signature.
You're adding a core authentication method.
You need authentication that survives forwarding.
When to use DMARC
You want to instruct receivers how to treat failed mail.
You need visibility via authentication reports.
You're ready to enforce anti-spoofing policy.
Verdict
Set up DKIM (and SPF) first, then layer DMARC on top to enforce and monitor. Start DMARC at p=none to collect reports without affecting delivery, review who's sending as your domain, and gradually move to quarantine and then reject once legitimate sources are aligned. DKIM does the verifying; DMARC turns that verification into action and insight.