Sorry for the late jump in here but what I dealt with for a past client might help if you have not already found a solution that works for you.
First, based on my experience you definitely want to use -all or ~all for strict fail or soft fail to prevent your domain from having other issues. ?all will not block anything which will let others spoof your domain to send spam which could hurt your domain’s reputation causing future issues like black listing. I personally use nothing other than -all and work the spf1 line until I get it working as needed.
While there is no A record for shops.shopify.com there is an spf1 txt record.
For your client’s spf1 record I would add something like “include:shops.shopify.com” OR specifically include the spf1 entries that shops.shopify.com points to. You can see those here: https://www.whatsmydns.net/#TXT/shops.shopify.com
Personally I’d directly add shopify’s a: entries to my spf1 so that I could keep the adherence to the rule strict. Including shopify’s spf1 will also include the ~all making the rule a soft fail versus strict.
If you have already found a working solution please share it. It seems like each time this issue comes up the best solution for that instance is a little different than past solutions so I’d love to know how you finally solve this for your client.