Risks of using Posteo (email provider without DMARC policy)

No, this is not really correct. DMARC is good to have and Posteo will probably add it soon, but even without a DMARC policy almost all email servers still check SPF and/or DKIM signatures, so nobody is able to just spoof Posteo email addresses. Adding a DMARC policy just makes it more explicit to other email servers that SPF and DKIM should be checked.

It does not apply in the case of Posteo domains, but if somebody were able to spoof an email, then a reply would still go to you and not to the spoofer.

Edit: I just checked. Posteo does have a DMARC policy. Where did you even get this? Just do `dig _dmarc.posteo.de TXT` and you can see for yourself.

Edit 2: I guess your source is that Posteo (email provider) or similar. It’s a bit wrong, though: Not having a DMARC policy is something completely different than having a “none” policy. A “none” policy is still a policy.

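The distinction the post above draws between having no DMARC record and publishing a "none" policy, as an added example that is not part of the original post: a Python classifier for the TXT strings a query such as `dig _dmarc.<domain> TXT` returns. The function names and sample records are constructed for illustration, and the sketch looks at a single name only, without the organizational-domain fallback a receiver performs.

```python
# Added example: classify the TXT answers for _dmarc.<domain> (RFC 7489 tag syntax).
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return the tag dict if txt is a DMARC record, else None."""
    # dig prints TXT data quoted, with long records split as "part1" "part2".
    txt = txt.strip().replace('" "', "").strip('"')
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # A TXT string that does not start with v=DMARC1 is not a DMARC record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # tokens without "=" are ignored
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def classify(txt_answers):
    """Map the TXT strings found at _dmarc.<domain> to a policy state."""
    records = [r for r in map(parse_dmarc, txt_answers) if r is not None]
    if len(records) != 1:
        # Zero records, or several (RFC 7489 6.6.3 discards them): no policy.
        return "no-policy"
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy in VALID_POLICIES:
        return "policy-" + policy
    # RFC 7489 6.6.3: an unusable p tag plus a report address is handled as
    # p=none. Simplification: only the mailto: prefix of rua is checked.
    if tags.get("rua", "").lower().startswith("mailto:"):
        return "policy-none"
    return "no-policy"


# Constructed sample answers (not any provider's real records).
SAMPLES = {
    "no TXT at _dmarc": [],
    "unrelated TXT only": ['"v=spf1 include:example.net -all"'],
    "explicit p=none": ['"v=DMARC1; p=none; rua=mailto:dmarc@example.org"'],
    "split p=quarantine": ['"v=DMARC1; p=quar" "antine"'],
    "two DMARC records": ['"v=DMARC1; p=reject"', '"v=DMARC1; p=none"'],
}

if __name__ == "__main__":
    for label, answers in SAMPLES.items():
        print(f"{label:20} -> {classify(answers)}")
```
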