(Google Apps is for regular email, and example.com refers to the hosting company's SPF records for the automated emails.)
Google recommends [google.com] using ~all instead of -all to avoid "delivery problems", but doesn't go into details. In my case, I know that the only servers that will be used are the Google ones or my server - I don't have any users for this domain.
So should I use -all instead? In anyone's experience, is it better to FAIL or SOFTFAIL when using SPF records?
I use -all on some domains, but not on all. The problem is that you don't always know which server will send legitimate emails with your email address as source address.
A number of online systems like forums, webshops, mailinglists etc send notification emails where the address you used to sign up is used as the From: address. Those emails may get lost if you use the -all setting because they are sent from servers whose IP address is not in your SPF record. If you are never using a domain to sign up to sites which send messages on your behalf, it is safe to use -all in the SPF record of that domain.
Thanks for the reply lammert - it sounds as if using -all will be safe in my situation, as apart from the automated emails, the domain's email addresses are mostly used for receiving and not sending.
I have a supplementary question specifically relating to Hotmail delivery - what's the current situation with Sender ID? Would it be a good idea to create a dedicated TXT record in the Sender ID format for Hotmail, or should the SPF record suffice?