There are several DNS records to work with the mailing system other than DKIM.
SPF is a must. DMARC is recommended, it doesn't seem to be popular though.
Reverse lookup is strongly recommended, but it depends on your service provider if you can configure this.
With SPF records, DNS will state the servers that can send out the emails. If emails with your domain come from an unknown server, that strongly indicates they are spoofing.
Here is mail.example.jp case. This means "The mail from @mail.example.jp can be sent out from the server shown in MX record." This should be the simplest SPF record for most cases.
mail.example.jp. IN TXT "v=spf1 mx -all"
If you have domains that will never send out the mail, SPF record should state that.
nomail.example.jp. IN TXT "v=spf1 -all"
DMARC records will tell what to do if both SPF and DKIM verification failed. Additionally, the mail servers will send error reports about the verification failure if you request.
_dmarc.example.jp. IN TXT "v=DMARC1; p=quarantine"
There are several more options available. Please check them if you want to get the reports or more strict SPF & DKIM verification.
In short, configure the PTR record to point to the mail server domain.
DNS lookup is mainly for converting the domain name (example.jp) to the IP address. Reverse lookup is finding the domain name from an IP address. 1 IP address can be assigned to multiple domain names, but reverse can't.
Using this reverse lookup, when mail servers got a connection from a server (e.g. example.jp), it looks up DNS to IP and does reverse to get the domain name again. If the server domain stated when connecting is the same as the result of reverse lookup, the server is likely to be reliable (not telling a lie about the identity).
The difficult point is, PTR record is under the control of your service provider. It depends on the provider if they allow you to change the PTR records. If you can't, you can name your mail server as the domain name determined by the service provider.