DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record, published at _dmarc.yourdomain.com, that ties SPF and DKIM results to the domain in the visible From header (RFC5322.From) through alignment: a message passes only if SPF or DKIM passes and the domain that passed (the SPF MAIL FROM domain or the DKIM d= domain) matches the From domain, exactly in strict mode or at the organizational-domain level in relaxed mode. The record sets a policy for handling failures (p=none, p=quarantine, or p=reject), optionally a separate subdomain policy (sp=), and requests aggregate reports (rua=) that show which sources are sending as your domain.
Rolled out properly, starting at p=none to monitor, fixing every legitimate sender that fails alignment, then ramping to p=quarantine and p=reject, DMARC stops attackers from spoofing your exact domain at receivers that enforce it. Ramping before your own mail streams authenticate will get legitimate mail quarantined or rejected, so read the aggregate reports before each step.
Its key limitation: DMARC does nothing about lookalike domains like yourbank-secure.com or a homoglyph variant, because the attacker controls those domains and can authenticate them. Those require monitoring and takedown. See the guide on DMARC, SPF, DKIM and BIMI.
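To make alignment and policy selection concrete, here is an added example (written for this page, not taken from any DMARC library or the linked guide) that parses a _dmarc TXT record and evaluates a message the way a receiver does: SPF and DKIM results are supplied by the caller, and the organizational domain is approximated as the last two DNS labels, which is an assumption; real receivers use the Public Suffix List. The sample records and domains are constructed. The last case shows the limitation above: a lookalike domain the attacker controls passes DMARC, because the attacker authenticates it.

```python
"""Added example: parse a DMARC record and evaluate alignment + policy.

Illustration code for this page, not from any library.
ASSUMPTIONS: organizational domain = last two labels (real receivers use the
Public Suffix List); SPF/DKIM pass/fail results are supplied by the caller.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DmarcRecord:
    policy: str = "none"                      # p=
    subdomain_policy: Optional[str] = None    # sp=, falls back to p= when absent
    adkim: str = "r"                          # DKIM alignment: r(elaxed) or s(trict)
    aspf: str = "r"                           # SPF alignment mode
    pct: int = 100                            # sampling percentage (parsed, not applied here)
    rua: List[str] = field(default_factory=list)


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse the tag=value list of a _dmarc TXT record (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    return DmarcRecord(
        policy=tags["p"].lower(),
        subdomain_policy=tags["sp"].lower() if "sp" in tags else None,
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        pct=int(tags.get("pct", "100")),
        rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    )


def org_domain(domain: str) -> str:
    """ASSUMPTION: approximate the organizational domain as the last two labels.
    A real implementation consults the Public Suffix List (e.g. example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(record: DmarcRecord, record_domain: str, from_domain: str,
             spf_pass: bool, spf_domain: Optional[str],
             dkim_pass: bool, dkim_domain: Optional[str]) -> dict:
    """DMARC passes if SPF or DKIM both passes AND aligns with the From domain.
    On failure, apply p=, or sp= when the From domain is a subdomain of the
    domain the record was published for."""
    spf_ok = spf_pass and spf_domain is not None and aligned(spf_domain, from_domain, record.aspf)
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(dkim_domain, from_domain, record.adkim)
    if spf_ok or dkim_ok:
        return {"result": "pass", "action": "none"}
    is_subdomain = from_domain.lower() != record_domain.lower()
    policy = record.subdomain_policy if (is_subdomain and record.subdomain_policy) else record.policy
    return {"result": "fail", "action": policy}


if __name__ == "__main__":
    # Constructed sample record and messages.
    rec = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example.com")
    # Exact-domain spoof: SPF passes for the attacker's own MAIL FROM domain, but nothing aligns.
    print(evaluate(rec, "example.com", "example.com", True, "attacker.example", False, None))
    # Lookalike domain with its own valid DMARC/SPF: passes, DMARC cannot help here.
    look = parse_dmarc("v=DMARC1; p=reject")
    print(evaluate(look, "yourbank-secure.com", "yourbank-secure.com", True, "yourbank-secure.com", False, None))
```

Note that adkim=s makes a DKIM signature with d=mail.example.com fail to align with a From of example.com, which is exactly the kind of legitimate-mail breakage the p=none monitoring phase is meant to surface before you tighten the policy.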