It's my understanding that SPF works on the envelope sender/return-path/RFC5321.MailFrom domain. We use a third-party email service called Campaign Monitor and their domain has the required SPF record. Emails that are sent have their domain as the envelope sender/return path.
I'm now reading this from Google:
The SPF record for your domain should reference all email senders for your domain. If third-party senders aren't included in your SPF record, messages from these senders are more likely to be marked as spam.
Source: https://support.google.com/mail/answer/81126
And this from Campaign Monitor:
However, it is an optional but recommended step to include our servers in an SPF record for your domain.
Source: https://help.campaignmonitor.com/email-authentication#spf
Suggestion that "some local anti-spam services" may require this:
While we handle SPF for you, some anti-spam services on your local network may be particularly strict, requiring our domain to be added to your own existing SPF record
Source: https://help.campaignmonitor.com/allowlist-campaign-monitors-addresses#spf
Possibly relevant article:
Another day, another ESP telling a client to publish a SPF include for the wrong domain.
Source: https://wordtothewise.com/2022/06/stop-with-the-incorrect-spf-advice/
Why are we being told that we should add their domains to our own domain's SPF record? Who are these "anti-spam" services that aren't following the rules?
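An added example (not part of the original post, and not Campaign Monitor's or Google's code) of the behaviour the first paragraph describes: a simplified SPF `check_host()` that records which domains a receiver queries for a given envelope sender. All domain names, addresses and TXT records are constructed, and only the `ip4`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT data standing in for DNS (RFC 2606 names, RFC 5737 addresses).
DNS_TXT = {
    "customer.example": "v=spf1 ip4:198.51.100.0/24 -all",   # ESP not included
    "bounce.esp.example": "v=spf1 include:_spf.esp.example -all",
    "_spf.esp.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_identity(mail_from, helo):
    """Domain whose SPF record is evaluated (RFC 7208 section 2.4)."""
    if mail_from in ("", "<>"):           # null reverse-path: fall back to HELO
        return helo.lower()
    return mail_from.strip("<>").rsplit("@", 1)[1].lower()

def check_host(ip, domain, queried):
    """Simplified check_host(): only ip4, include and all are handled."""
    queried.append(domain)
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:])
        elif mech.startswith("include:"):
            inner = check_host(ip, mech[8:], queried)
            if inner == "none":            # included domain has no SPF record
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"             # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def evaluate(ip, helo, mail_from, header_from):
    """header_from is accepted only to show that SPF never consults it."""
    queried = []
    result = check_host(ip, spf_identity(mail_from, helo), queried)
    return result, queried
```

With the ESP's domain in the return path, `customer.example` never appears in the queried list; its record is evaluated only when the customer's own domain is the envelope sender.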