Exchange on-premises does not do DKIM natively, so you'll need a 3rd party tool/service to do that. DMARC is DNS record that tells messaging infrastructure that receive messages from you what to do with messages that fail DKIM or SPF, and where to send reports of those messages to so that you can review who may be using your mail domains maliciously. Details are here, including the format requirements for the DMARC DNS record
https://dmarc.org/