This lacks the information required to give a reply. What is the backend mail server and what services are enabled? What is your current user autentication method and by that I mean what allows them to login when local. (AD, LDAP, etc) What is your firewall?
Install OpenDMARC for Postfix. For a decent setup guide follow Steve Jenkins how to. https://www.stevejenkins.com/blog/2015/03/installing-opendmarc-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/
The option to configure it is under ROUTE -> OUTGOING Be very careful with DMARC or you could end up getting your mail rejected by the likes of Google or Microsoft. Start by setting p=none then work your way up to reject. For DKIM I'd only sign the headders and not the whole mail. Once you have it setup you will still need a piece of software installed somewhere to actually make sense of the reports. There are lots of Open Source options out there.
Well you've got a NAT of somesort setup on your firewall but you do't give enough info to gave a solution. Quick fix while you resolve is to turn spf off or to put the internal IP on the inbound trusted settings
if you have multiple PTR records for the same IP address, then one will be returned at random, and if that one does not match the EHLO command then the reciving host rejects the mail. A PTR record for a mail server should only consist of a single entry regardless of the number of domains it relays mail for. You can modify the behaviour of Postfix to not do the rDNS check but be aware that you are lessening your ability to root out fake mail by doing so.