
How do I structure SPF Records?


We send emails both through Google Apps, and also through Klaviyo - which is a tool a bit like mailchimp.

I'm keen to set an SPF record to make sure they're being authenticated correctly.

I asked my host to do it and they set two records as:

v=spf1 include:_spf.google.com ~all
v=spf1 include:send.benefacto.org ~all

According to this https://support.google.com/a/answer/4568483?hl=en when you have multiple SPF records they all need to be wrapped into one e.g.

v=spf1 include:send.benefacto.org include:_spf.google.com ~all

Does this make sense?


Solution

  • I wouldn't use ~all, instead use -all. If you care about authentication, you might as well make it fail if it's bad.

    Also I see that you're following Klaviyo's documentation, but I just want to clarify something, does your email go out with the return-path of @send.benefacto.org? This is referred to as the RFC5321.MailFrom. This is what's used to test your SPF record. If it does you're good.

    And your SPF record for send.benefacto.org should simply be:

    v=spf1 include:send.benefacto.org -all
    

    You don't need to include the Google SPF, because Google doesn't use "send.benefacto.org" as its RFC5321.MailFrom.

    Now for Google you need to fix it. Because you have 2 SPF records located here: Your Benefacto.org SPF Records

    You don't need to combine it, you just need to remove this entry.

    v=spf1 include:send.benefacto.org ~all
    

    Which will leave you with just:

    v=spf1 include:_spf.google.com ~all
    

    Since Klaviyo and Gmail send with a different RFC5321.MailFrom, you don't have to combine them (I'm trying to drive this point home; you can, it doesn't really hurt, it just creates unnecessary lookups for the ESP).

    You should also double-check to make sure your SPF records actually validate correctly from both mailing sources by using an email testing tool.

    You should also look into setting up DKIM, and I think you'll be able to set up DMARC with relaxed alignment. But you'll need to be a little careful with DMARC and third-party senders and test accordingly.
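The points the answer makes (one SPF record per domain, the RFC5321.MailFrom domain decides which record is checked, and merged records only add DNS lookups) can be exercised offline with a small checker. This is an added example written for this page, not code from the question, the answer, Klaviyo or Google. It works on a constructed in-memory zone: the `_spf.google.com` and `_spf.klaviyo-placeholder.example` records and their RFC 5737 documentation addresses are placeholders, not real DNS data, and the include target for Klaviyo is a hypothetical name. Mechanisms that need live DNS (`a`, `mx`, `ptr`, `exists`) are treated as non-matching, which is an assumption of this simplified evaluator.

```python
"""Offline SPF sanity checker (added example, not part of the original thread).

Models three rules from RFC 7208: a domain must publish exactly one SPF record,
the record consulted is the one for the RFC5321.MailFrom (return-path) domain,
and include:/redirect=/a/mx/ptr/exists each cost one of the 10 allowed lookups.
"""
import ipaddress
import re
from typing import Dict, Iterator, List, Optional, Set, Tuple

Zone = Dict[str, List[str]]

# Constructed zone data mirroring the thread; real checks must query DNS.
# The include targets and IP ranges below are placeholders, not real values.
ZONE: Zone = {
    "benefacto.org": [
        "v=spf1 include:_spf.google.com ~all",
        "v=spf1 include:send.benefacto.org ~all",  # second SPF record: invalid
    ],
    # Hypothetical Klaviyo include target for the return-path subdomain.
    "send.benefacto.org": ["v=spf1 include:_spf.klaviyo-placeholder.example -all"],
    "_spf.google.com": ["v=spf1 ip4:192.0.2.0/24 -all"],                   # constructed
    "_spf.klaviyo-placeholder.example": ["v=spf1 ip4:198.51.100.0/24 -all"],  # constructed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def spf_records(domain: str, zone: Zone = ZONE) -> List[str]:
    """All TXT records for the domain that claim to be SPF (should be exactly one)."""
    return [r for r in zone.get(domain.lower(), []) if r.lower().startswith("v=spf1")]


def mailfrom_domain(return_path: str) -> str:
    """Domain of the RFC5321.MailFrom; this, not the From: header, is what SPF checks."""
    return return_path.rsplit("@", 1)[-1].lower()


def with_record(zone: Zone, domain: str, record: str) -> Zone:
    """Copy of the zone in which `domain` publishes only `record` (for what-if checks)."""
    new = {k: list(v) for k, v in zone.items()}
    new[domain.lower()] = [record]
    return new


def _terms(record: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (qualifier, mechanism, argument) for every term after 'v=spf1'."""
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        body = term.lstrip("+-~?")
        mech = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        arg = body[len(mech) + 1:] if len(body) > len(mech) else ""
        yield qual, mech, arg


def count_lookups(domain: str, zone: Zone = ZONE, seen: Optional[Set[str]] = None) -> int:
    """DNS lookups a receiver performs to evaluate the domain's record (loops guarded)."""
    seen = set() if seen is None else seen
    domain = domain.lower()
    if domain in seen:
        return 0
    seen.add(domain)
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return 0
    total = 0
    for _, mech, arg in _terms(recs[0]):
        if mech in LOOKUP_MECHS:
            total += 1
        if mech in ("include", "redirect"):
            total += count_lookups(arg, zone, seen)
    return total


def _check_host(addr, domain: str, zone: Zone, depth: int) -> str:
    recs = spf_records(domain, zone)
    if len(recs) != 1 or depth > MAX_LOOKUPS:
        return "permerror"  # zero or multiple records, or runaway includes
    for qual, mech, arg in _terms(recs[0]):
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "include":
            inner = _check_host(addr, arg, zone, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner == "permerror":
                return "permerror"
        # a/mx/ptr/exists need live DNS: treated as no-match here (assumption)
    return "neutral"  # record ended without an 'all' term


def check_spf(ip: str, return_path: str, zone: Zone = ZONE) -> str:
    """Simplified check_host(): pass/fail/softfail/neutral/permerror for a sending IP."""
    return _check_host(ipaddress.ip_address(ip), mailfrom_domain(return_path), zone, 0)


def audit(domain: str, zone: Zone = ZONE) -> List[str]:
    """Human-readable problems with a domain's SPF publication."""
    issues: List[str] = []
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        issues.append(f"{domain}: {len(recs)} SPF records; RFC 7208 requires exactly one")
        return issues
    lookups = count_lookups(domain, zone)
    if lookups > MAX_LOOKUPS:
        issues.append(f"{domain}: {lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    if recs[0].split()[-1].lower() == "~all":
        issues.append(f"{domain}: ends in ~all (softfail); -all is stricter")
    return issues


if __name__ == "__main__":
    for d in ZONE:
        print(d, audit(d) or "ok")
    print(check_spf("198.51.100.5", "bounce@send.benefacto.org"))
```

Running the module as-is reports the duplicate record on `benefacto.org` as a permerror condition; evaluating the same zone with `with_record(ZONE, "benefacto.org", "v=spf1 include:_spf.google.com ~all")` shows the answer's recommended single record passing for the constructed Google range, while the merged form from the question still passes but costs three lookups instead of one.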