subdomain "No SPF record present"

Every top-level domain should have an SPF record, either to list its allowed sending environments or to state that there are NO allowed sending environments (e.g. "v=spf1 -all").

However, what about subdomains of your domain? The dmarcian interface often shows "No SPF record present" for these. What should you do about them?

The answer depends on a few factors:

  • Is this subdomain an actual hostname that could appear in the From header of legitimate messages, or as their return-path? If so, you probably do need an SPF record. The easiest starting point is "v=spf1 a -all", which authorizes the IP address the hostname resolves to.
  • Is the subdomain an actual hostname that should NOT appear in the From header or return-path of legitimate messages? If so, you can either publish a non-permissive record such as "v=spf1 -all", or publish no record at all. The former gives recipient services a clearer signal that a message using this subdomain should not be delivered, but maintaining such records across many subdomains can be burdensome, which is why the second option is more widely adopted: with no SPF record on the subdomain the SPF check cannot pass, so the DMARC SPF evaluation fails by default. If your overall domain is at p=reject, the resulting DMARC fail will prevent delivery of such fraudulent messages.
  • Is the subdomain not in legitimate use at all? In this case you can ignore the recommendation; the best remedy for illegitimate traffic on it is to implement DMARC at p=reject, which signals receiving hosts to reject the message(s).
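The following script is an added example (not dmarcian's code) that models the three cases above. DNS is replaced by a constructed in-memory zone (example.com, RFC 5737 addresses), only the SPF mechanisms mentioned on this page (a, ip4, all) are implemented, and DKIM is ignored so the DMARC outcome rests on SPF alone. It shows that a subdomain with "v=spf1 a -all" passes for its own host, that "v=spf1 -all" and a missing record both fail to satisfy DMARC, and that only the organizational domain's p=reject (inherited via sp=) turns that failure into a rejection.

```python
"""Offline model of how SPF and DMARC treat a subdomain in the return-path.

Added example, not dmarcian's code. DNS is stubbed with the constructed ZONE
table below so the script runs without network access; a real checker would
query TXT and A records for each name.
"""
import ipaddress

# Constructed zone data (example.com and RFC 5737 addresses are placeholders).
ZONE = {
    "example.com":        {"TXT": ["v=spf1 ip4:192.0.2.10 -all"]},
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=reject"]},  # no sp=: subdomains inherit p
    "mail.example.com":   {"TXT": ["v=spf1 a -all"], "A": ["192.0.2.25"]},  # case 1
    "www.example.com":    {"TXT": ["v=spf1 -all"],   "A": ["192.0.2.80"]},  # case 2, explicit
    "dev.example.com":    {"A": ["192.0.2.90"]},                            # case 2/3, no SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the single SPF TXT record, None if absent, 'permerror' if several."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return None
    if len(records) > 1:
        return "permerror"  # RFC 7208: more than one record is a permanent error
    return records[0]


def spf_check(ip, domain):
    """Evaluate SPF for the connecting IP against the return-path domain."""
    record = spf_record(domain)
    if record is None:
        return "none"  # no record at all: the check cannot produce a pass
    if record == "permerror":
        return record
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism == "a":
            if any(ipaddress.ip_address(h) == ip for h in lookup(argument or domain, "A")):
                return QUALIFIERS[qualifier]
        elif mechanism == "ip4":
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not modelled in this example
    return "neutral"  # RFC 7208 default when no mechanism matches


def org_domain(name):
    """Organizational domain; a real implementation consults the Public Suffix List."""
    return ".".join(name.split(".")[-2:])


def parse_dmarc(name):
    """Tags of the _dmarc TXT record for name, or None if there is none."""
    for record in lookup(f"_dmarc.{name}", "TXT"):
        if record.startswith("v=DMARC1"):
            return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return None


def dmarc_policy(header_from):
    """Policy for header_from: its own record, else the organizational domain's
    record, where sp= (defaulting to p=) governs subdomains."""
    tags = parse_dmarc(header_from)
    if tags:
        return tags.get("p")
    tags = parse_dmarc(org_domain(header_from))
    if tags:
        return tags.get("sp", tags.get("p"))
    return None


def evaluate(ip, mail_from_domain, header_from_domain):
    """Return (spf_result, dmarc_pass, disposition) for one message."""
    spf = spf_check(ip, mail_from_domain)
    aligned = org_domain(mail_from_domain) == org_domain(header_from_domain)
    dmarc_pass = spf == "pass" and aligned  # only an aligned SPF pass satisfies DMARC
    policy = dmarc_policy(header_from_domain)
    if policy is None:
        return spf, dmarc_pass, "none"
    return spf, dmarc_pass, "pass" if dmarc_pass else policy


if __name__ == "__main__":
    for ip, domain in [("192.0.2.25", "mail.example.com"),
                       ("198.51.100.7", "mail.example.com"),
                       ("198.51.100.7", "www.example.com"),
                       ("198.51.100.7", "dev.example.com")]:
        print(domain, ip, evaluate(ip, domain, domain))
```

The `dev.example.net` style lookup (a name with no zone data at all) is the useful contrast: the SPF result is the same "none", but with no DMARC record anywhere the disposition is also "none", which is why the page's third bullet points to p=reject on the organizational domain rather than to per-subdomain SPF records.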