
Of course it's a security issue, because having neither SPF nor DKIM means that malicious actors can all too easily impersonate your email addresses and phish users with an email that apparently came from your domain.


I occasionally get what I'm sure are very well meaning SPF/DKIM-missing reports for a domain that has a null mx record.

It can basically be assumed that anyone trying to report that didn't do even a basic cursory look at the results. I don't need your automated scan, I have my own Nessus deployment and already know what it's going to say.


People can still maliciously send emails in your name, even without an MX record.

Don't trust my word for this, have a look at Cloudflare's article about this:

"How to protect domains that do not send email"

https://www.cloudflare.com/learning/dns/dns-records/protect-...


"null record" is not "no record". It's an MX record of priority "0" and value "."

No MTA will try to deliver a message that is from or to a domain that has a null record. If you're the sender, your sending MTA might give you an NDR, but receiving infrastructure will just drop it.

Cloudflare actually has a wizard that implements it in addition to the items on the page you linked. And no offense to whoever wrote the CF article, but they are the new kids on the block relative to email.


No offense but I think you got the meaning of the record wrong:

https://community.cloudflare.com/t/keep-null-mx-in-addition-...

> Null MX does nothing to prevent spoofing. It is just to signal to mail senders that your domain does not receive email.

And I also found multiple other sources that specify that the null record only announces that the domain does not receive email. After some googling I didn't find a single source that shares your explanation.
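
An added example, not from anyone in this thread, that makes the distinction above concrete: it evaluates a constructed DNS record set for a non-sending domain and reports whether anything beyond the null MX actually tells receivers to reject spoofed mail (an SPF record authorising no sender, plus a DMARC reject policy). The record sets, key names and function names are constructed for illustration.

```python
# Constructed DNS record sets (assumed, not taken from the thread).
# "MX" holds (preference, exchange) tuples; "TXT" holds the apex TXT strings;
# "_dmarc.TXT" holds the TXT strings at _dmarc.<domain>.
NULL_MX_ONLY = {
    "MX": [(0, ".")],
    "TXT": [],
    "_dmarc.TXT": [],
}
NULL_MX_PLUS_POLICY = {
    "MX": [(0, ".")],
    "TXT": ["v=spf1 -all"],
    "_dmarc.TXT": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
}

def has_null_mx(records):
    """RFC 7505 null MX: exactly one MX with preference 0 and exchange '.'.
    This only announces that the domain does not *receive* mail."""
    mx = records.get("MX", [])
    return len(mx) == 1 and mx[0][0] == 0 and mx[0][1] == "."

def spf_denies_all(records):
    """True when the SPF record authorises no sending host at all ('v=spf1 -all')."""
    for txt in records.get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt.split()[1:] == ["-all"]
    return False

def dmarc_rejects(records):
    """True when the DMARC policy is p=reject, so receivers that honour DMARC
    discard mail that fails SPF/DKIM alignment for this domain."""
    for txt in records.get("_dmarc.TXT", []):
        if txt.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            return tags.get("p", "").strip().lower() == "reject"
    return False

def spoofing_gaps(records):
    """Return the missing sender-side policies for a domain that should send no mail.
    An empty list means receivers have been told to reject mail claiming this origin."""
    gaps = []
    if not spf_denies_all(records):
        gaps.append("spf")
    if not dmarc_rejects(records):
        gaps.append("dmarc")
    return gaps
```

Running `spoofing_gaps` on the first record set shows that a null MX by itself leaves both policies missing; the second set closes them.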


Having SPF/DKIM in DNS records doesn't prevent that.


This is exactly what SPF and DKIM are designed to do. DMARC enforces this.

Obviously, this is opportunistic security: the receiver must support all this, but >99% do.


Yes, but the public testers are not testing the receive side, but the sending side.



