I made a PowerShell script that uses the Cloudflare API to setup email validation records for domains that do not use email.
You can check it out on GitHub at https://github.com/SamErde/Set-DNS-Records-for-No-Email-Domains. Please feel free to submit PRs if you have ideas to improve it!
To start, create an API token that has edit DNS permissions on your zones. Run the script and provide the token when prompted. It will search your zones for all that do not have any MX records, and then will add the SPF, DKIM, and DMARC records to use for those domains without email.
Why do this? If spammers try to spoof your domains that do not use email, a properly configured receiving server will reject the message. Why leave empty domains out there to be abused?
There’s certainly room to make this better with logging, error handling, and checking if records already exists–but it does work nicely as-is. Would love to hear any ideas to make it better!