Solved. This is what I do:
For example, first create the mail for example.com:
- Create an A record in Cloudflare DNS pointing to the aaPanel mail server (e.g. mail.example.com) and create the mail in the aaPanel mail server.
- Create all the requested records from the aaPanel records window in Cloudflare, with exactly these names:
-- for DKIM = "default.domainkey"
-- for v=DMARC1;p=quarantine;rua... = "dmarc"
-- for v=spf1 a mx all = "@"
Now we go for sales.example.com (a subdomain):
- Create an A record in Cloudflare DNS pointing to the aaPanel mail server (e.g. mail.sales.example.com) and create the mail in the aaPanel mail server.
- Create all the requested records from the aaPanel records window in Cloudflare, with these names:
-- for DKIM = "default.domainkey.sales"
-- for v=DMARC1;p=quarantine;rua... = "dmarc.sales"
-- for v=spf1 a mx all = "sales"
The quoted values are the names of the DNS records at Cloudflare.
The A records should not be proxied through the Cloudflare proxy/SSL; they should point to the original IP of your mail server.
This may be a trick, because the mail server settings say that "The current email domain name only supports first-level domain names".
This way you have valid signatures and SPF on the basic root domain and on your subdomains.
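
The naming rule in the post, as an added example (not code from the post or from aaPanel): each record name is the full DNS name with the Cloudflare zone removed, so records for sales.example.com gain a `.sales` suffix. The function names, the sample records and the 203.0.113.10 address are constructed, and the labels are written with the leading underscores that RFC 6376 and RFC 7489 define (`_domainkey`, `_dmarc`).

```python
# Added example, not from the post. Labels follow RFC 6376 / RFC 7489.
def relative_name(fqdn, zone):
    """Name as typed into the zone's DNS editor ("@" is the zone apex)."""
    fqdn, zone = fqdn.rstrip(".").lower(), zone.rstrip(".").lower()
    if fqdn == zone:
        return "@"
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(zone) - 1]

def mail_record_names(mail_domain, zone, selector="default"):
    """Where each record for mail_domain lives inside zone."""
    return {
        "A": relative_name(f"mail.{mail_domain}", zone),
        "SPF": relative_name(mail_domain, zone),
        "DKIM": relative_name(f"{selector}._domainkey.{mail_domain}", zone),
        "DMARC": relative_name(f"_dmarc.{mail_domain}", zone),
    }

# Leading tag of each TXT value; catches a value saved under the wrong name.
EXPECTED_TAG = {"SPF": "v=spf1", "DKIM": "v=DKIM1", "DMARC": "v=DMARC1"}

def audit(mail_domain, zone, txt, a):
    """Return a list of problems. txt maps record name -> list of TXT
    values; a maps record name -> (ip, proxied)."""
    names = mail_record_names(mail_domain, zone)
    problems = []
    for kind, tag in EXPECTED_TAG.items():
        values = txt.get(names[kind], [])
        if not any(v.strip().startswith(tag) for v in values):
            problems.append(f"{kind}: no {tag} TXT value at name {names[kind]!r}")
    host = a.get(names["A"])
    if host is None:
        problems.append(f"A: no record named {names['A']!r}")
    elif host[1]:
        problems.append(f"A: {names['A']!r} is proxied; mail needs the origin IP")
    return problems

# Constructed sample zone export for example.com (values are placeholders).
SAMPLE_TXT = {
    "sales": ["v=spf1 a mx all"],
    "default._domainkey.sales": ["v=DKIM1; k=rsa; p=PLACEHOLDER"],
    "_dmarc": ["v=DMARC1;p=quarantine"],  # saved without the .sales suffix
}
SAMPLE_A = {"mail.sales": ("203.0.113.10", True)}  # proxied by mistake

if __name__ == "__main__":
    for problem in audit("sales.example.com", "example.com", SAMPLE_TXT, SAMPLE_A):
        print(problem)
```
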