Is there any value to implementing a similar rule for SA with a relatively small score? If your domain does not use SPF, DKIM, or DMARC, you're not even trying to prevent forgeries.
The rule would be something like below, and can be updated with DMARC once we have a rule for that.
meta LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && SPF_NONE)
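
The proposed rule written out as a complete local.cf fragment, as an added example that is not part of the original post. The 0.5 score and the describe text are assumptions, and `__DKIM_EXISTS` and `SPF_NONE` are taken as named in the post and assumed to be defined by the installed ruleset.

```conf
# Added example for local.cf (not from the original post).
# Assumptions: the 0.5 score and the describe wording are illustrative;
# __DKIM_EXISTS and SPF_NONE are assumed to be defined by the ruleset in use.

# SPF_NONE only exists when the SPF plugin is loaded, so guard the meta rule
# to avoid an undefined-dependency warning on hosts without it.
ifplugin Mail::SpamAssassin::Plugin::SPF

meta     LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && SPF_NONE)
describe LAZY_DOMAIN_SECURITY No DKIM signature on message and no SPF record for sender
# SPF_NONE depends on a DNS lookup, so mark the meta as a network test;
# it is then skipped when network tests are disabled.
tflags   LAZY_DOMAIN_SECURITY net
# Small additive score, as suggested in the post.
score    LAZY_DOMAIN_SECURITY 0.5

endif
```

Running `spamassassin --lint` after adding the fragment reports any rule name that the meta depends on but that the installed ruleset does not define.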