What are the correct SPF records to allow both local and Google Apps delivery

You should only have one SPF record on a hostname, so you must combine the two into one. SPF is basically a list of mechanisms (each of which matches something) and the action to take for each mechanism. You can have as many of these mechanisms in your SPF record as you want. For domain.com you want this:

domain.com. IN  TXT "v=spf1 include:_spf.google.com +a +mx -all"

Which means that the following are checked (with the first matching mechanism being the result).

  • Fetch the SPF record at _spf.google.com and evaluate it (include:). Google's SPF record looks like this:

    _spf.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
    
  • Accept if the SMTP client's IP is within one of those IPv4 subnets (ip4:)

  • Accept if the SMTP client's IP is an A record for the domain (+a)

  • Accept if the SMTP client's IP is an MX record for the domain (+mx)

  • Reject everything (-all)

Your SPF record for mail.domain.com can probably be simplified to this:

mail.domain.com.    IN  TXT "v=spf1 ip4:xxx.xxx.xxx.xxx a mx:domain.com ?all"

This assumes that mail.domain.com doesn't itself have an MX record. If it does have an MX record, add the mx term back in (before the all).
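As an added illustration of the evaluation order this answer describes (example code written for this edit, not the answerer's), here is a minimal SPF evaluator over a constructed in-memory DNS table: the first matching mechanism wins, include: counts as a match only when the included record returns pass, and two v=spf1 records on one name is a permanent error. All hostnames, IPs and records in the table are made-up sample data.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (sample data, not real records).
DNS = {
    ("domain.com", "TXT"): ["v=spf1 include:_spf.google.com +a +mx -all"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:74.125.0.0/16 ip4:209.85.128.0/17 ?all"],
    ("domain.com", "A"): ["198.51.100.10"],
    ("domain.com", "MX"): ["mail.domain.com"],
    ("mail.domain.com", "A"): ["198.51.100.25"],
    ("broken.example", "TXT"): ["v=spf1 a -all", "v=spf1 mx -all"],  # two records: invalid
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name, rtype), [])

def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for the sending IP; first matching mechanism wins."""
    if depth > 10:                      # keep include: recursion bounded (RFC 7208 limits lookups)
        return "permerror"
    addr = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if len(records) != 1:               # no record -> no policy; several records -> permerror
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"   # bare mechanism defaults to "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(ipaddress.ip_address(a) == addr for a in lookup(arg or domain, "A"))
        elif name == "mx":
            hosts = lookup(arg or domain, "MX")
            matched = any(ipaddress.ip_address(a) == addr for h in hosts for a in lookup(h, "A"))
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"   # include: matches only on pass
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no "all" term present

if __name__ == "__main__":
    for ip in ("74.125.1.1", "198.51.100.25", "203.0.113.9"):
        print(ip, check_spf(ip, "domain.com"))
```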


Why do you have three different SPF records? Also, why do you have a separate record for mail.domain.com, do you accept any mail on that domain name? Basically, a single domain.com TXT v=spf1 include:_spf.google.com +a +mx ~all should be enough.