I have a main domain with (now) valid SPF record, but we also programmatically create lots and lots of subdomains for clients via cpanel PHPXML API. These subdomains are not intended to send any mail.

When we create them, they are getting an A record of my ip, and a TXT record of "v=spf1 +a +mx +ip4:[MY IP] ?all". Those are all the DNS records they have

Recently we have had a lot of email spoofing and realized there was an invalid (duplicate SPF) for our main domain. We just fixed that, but are unsure if:

1) Can spammers still spoof email from subdomains without MX records, with above current listed SPF?

2) Is it better to have no SPF for subdomains than the one I have listed?

3) Is there a way to prevent subdomains from sending/spoofing email via my main domain's SPF?

Here is the main domain SPF that our host suggested we switch to: "v=spf1 a mx ptr a:dedrelay.[webhost].com include:dedrelay.[webhost].com ~all"