When are separate SPF records needed for a domain and its subdomains?
Summary
What email marketers say9Marketer opinions
Email marketer from Mailjet explains that subdomains may require separate SPF records if they send email independently from the main domain. This is especially important if different servers or services are used to send emails from the subdomain.
Email marketer from Stack Overflow mentions that each subdomain requires it's own SPF record if the IP's it sends mail from is different from the main domain.
Email marketer from EasyDMARC shares that you need separate SPF records when subdomains send emails through different mail servers or have different email sending policies than the primary domain.
Email marketer from Stack Overflow answers that if the subdomain sends e-mail on behalf of a different entity then it needs to authorize this entity in a SPF record. In turn the SPF record of the subdomain is completely separate from the root domain's SPF record.
Email marketer from AuthSMTP explains you can't have multiple SPF records for a domain or subdomain. To include multiple sending servers or services, you need to combine them into a single SPF record.
Email marketer from Super User explains that if you delegate a subdomain to a third party, or if you use different mail servers for different (sub)domains, you need to set up distinct SPF records for each (sub)domain.
Email marketer from Reddit explains If you're sending mail from a subdomain that uses different mail servers or services than your main domain, then yes, you'll need a separate SPF record for that subdomain.
Email marketer from Reddit explains that you only need SPF records for subdomains if they are actually sending emails. If the subdomain is not used to send emails, then an SPF record isn't required.
Email marketer from Email Geeks explains that the first line has the include pointing to the sub-domain. When the receiver's server checks the SPF record of the main domain, it will see the include and "follow" it. Then it will see the Google SPF record, and maybe your mandrill record as well if you add it there. He also mentions there's a limit to how many includes will be performed.
What the experts say4Expert opinions
Expert from Email Geeks explains that some ESPs/mail platforms allow a sender to set their own Envelope domain which then requires an SPF record for the subdomain. Last he checked Mailchimp sets the sender from as one of their domains so SPF is likely not needed anyway and to just setup a branded DKIM.
Expert from Email Geeks explains each domain/subdomain needs its own SPF record. He also states that if corporate email is hosted at gmail then you likely need "@ include:google" instead of at the subdomain level.
Expert from Word to the Wise states that any domain name that sends mail needs an SPF record, so if your subdomains send mail, then yes, they need SPF records.
Expert from Spam Resource explains that if you operate mail servers for subdomains that are different from the main domain's servers, then each subdomain needs its own SPF record. If your subdomains don't send mail, they don't need one. Some people suggest creating a restrictive SPF record to prevent abuse.
What the documentation says6Technical articles
Documentation from RFC 7208, which defines the SPF standard, states that each domain name can have only one SPF record and explains the mechanisms (like `include`, `a`, `mx`, `ip4`, `ip6`) for specifying authorized sending sources. It implicitly suggests separate records for subdomains if policies differ.
Documentation from DMARC Analyzer explains if the subdomain is only being used for receiving emails, it does not need an SPF record.
Documentation from Spamhaus explains that subdomains that send email independently from the main domain should have their own SPF records. If a subdomain doesn't send email, an SPF record is not required, but should configure one to prevent misuse.
Documentation from Microsoft states that if you use a subdomain to send bulk emails, you must add a separate SPF record for the subdomain.
Documentation from IONOS explains that each (sub)domain requires its own SPF record. They are independent of each other, and you should define an SPF record for all (sub)domains from which you send emails.
Documentation from Google Workspace Admin Help explains that while you can only have one SPF TXT record for a domain, you can authorize multiple servers/domains to send email on behalf of your domain by including them in the single SPF record using the `include:` mechanism.