Supposedly I have example.com domain and would like it to allow mails sent from subdomain.domain.com.
If the spf record should verify emails sent from *@subdomain.domain.com address (or mailed-by: subdomain.domain.com), would "v=spf1 a:domain.com ~all" allow the subdomain of domain.com too or only the domain.com?
I'm not sure if my question makes any sense, but would be glad to find an answer.
SPF works somewhat differently than you're trying to describe.
SPF records don't allow domains; they allow mail servers. When you put a:domain.com in an SPF record, that only means "accept mail from the IP address found at domain.com/A". If that actually points to your outgoing SMTP server, good. (In larger sites that wouldn't be the case.)
include:domain.com works in a similar way: instead of 'A' records, it does 'TXT' record lookups and imports domain.com's SPF policy. But that still boils down to "accept mail from those IP addresses that domain.com's SPF would have accepted".
So to answer the question, a: or include: won't include subdomains. That wouldn't make sense, and is actually impossible: there's no way for validators to know that a given IP address exists somewhere inside the domain.
SPF records themselves are found by looking up the sender's domain in DNS. For example, if the message has root@subdomain.example.com as its Envelope-From address, then SPF validators will search for a TXT record at subdomain.example.com – but they will not search the parent domain.
In other words, SPF policy specified at domain.com does not apply to messages sent by *@subdomain.example.com. If you want both domains to be protected by SPF, you should either copy or 'include' the policy explicitly, or use the 'redirect=' modifier.
