DKIM/DMARC

Mike Sanders
Level 1

Hello, 

Could someone please assist with DKIM/DMARC setup? I found the below link.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/213939-esa-configure-dkim-signing.html

But I was hoping there's an easier step-by-step guide to set up DKIM and DMARC options after, or a video provided by Cisco?

Thank you for your help! 

1 Reply

So, there are 2 sides to DKIM/DMARC: checking inbound mail, and sending signed mail and publishing appropriate records for outbound mail.
For inbound mail, under Mail Policies/DKIM you set a policy or policies that you might need. (I only use the Default one). These are applied to Mail Flow Policies.
For inbound DMARC checking, that's under Mail Policies/DMARC, and those policies are also applied on the Mail Flow Policies.


For DKIM outbound, step one, under Mail Policies/Signing Keys, create a key for each domain you're sending mail as.
Step 2, under Mail Policies/Signing Profile, create a profile... set everything as to your requirements, but at the bottom enter an email address that DOES NOT EXIST, and add it to Current Users (otherwise it applies to everyone right away).
Step 3, on the Domain Signing Profiles page, click on the "Generate" link for the profile in question. That creates the DNS entry that you need to put in your public DNS for this domain. Copy and paste that into your public domain name provider as a TXT record. Wait for that to replicate. Use the "Test" button to check that it all comes back appropriately (you'll get a "Success - Published public key matches domain profile." message at the top).
Step 4, in the Domain Signing Profile go change the current users to your outgoing domain name.
Now mail is being signed by your ESA, and the world can check your DNS records to verify it.

You'll also want to publish an appropriate SPF record... and now you can also publish the appropriate DMARC record, as that's all really DNS config.
I'd point you at Dmarcian's docs for SPF and DMARC config.
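
An offline sanity check for the two TXT records this thread ends up publishing (the DKIM key record from Step 3 and the DMARC record), added here as an example; it is not part of the original posts and not Cisco's code. The sample records, `example.com` and the filler key are constructed, and the 294-byte size test for a 2048-bit RSA key is a heuristic rather than a DER parse.

```python
import base64
import re

def join_txt(rdata):
    """Join the quoted strings of one TXT record (DNS caps each at 255 bytes)."""
    parts = re.findall(r'"([^"]*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def parse_tags(record):
    """Parse the 'tag=value; tag=value' list used by DKIM and DMARC records."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {name.strip(): value.strip() for name, value in pairs}

def check_dkim(rdata):
    """Return the problems found in a DKIM key record (RFC 6376)."""
    tags, problems = parse_tags(join_txt(rdata)), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    key = re.sub(r"\s+", "", tags.get("p", ""))
    if "p" not in tags:
        problems.append("missing p= (public key)")
    elif not key:
        problems.append("empty p= means the key is revoked")
    else:
        try:
            der = base64.b64decode(key, validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (truncated or mangled paste?)")
        else:
            # Heuristic: a 2048-bit RSA SubjectPublicKeyInfo is 294 bytes of DER.
            if tags.get("k", "rsa") == "rsa" and len(der) < 294:
                problems.append("RSA key looks shorter than 2048 bits")
    return problems

def check_dmarc(rdata):
    """Return the problems found in a DMARC policy record (RFC 7489)."""
    record = join_txt(rdata)
    tags, problems = parse_tags(record), []
    if not re.match(r"v\s*=\s*DMARC1\s*(;|$)", record):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports will arrive")
    return problems

# Constructed sample data: filler bytes sized like a 2048-bit key, not a real key.
FAKE_KEY = base64.b64encode(bytes(294)).decode()
DKIM_OK = '"v=DKIM1; k=rsa; p=%s" "%s"' % (FAKE_KEY[:200], FAKE_KEY[200:])
DKIM_CUT = '"v=DKIM1; k=rsa; p=%s"' % FAKE_KEY[:201]
```

Feed it the TXT answer for the selector's `_domainkey` name and for `_dmarc.<domain>` as returned by your resolver; an empty list means none of these checks failed, not that the key matches the one on the appliance.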