SPF records are great thing. In theory they should help fight spam and prevent forgery of your e-mail address. However, it may cause troubles if you do not configure it properly.
Did you ever saw this:
This is an automatically generated Delivery Status Notification Delivery to the following recipient failed permanently: email@example.com Technical details of permanent failure: Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 553 553 See http://spf.pobox.com/why.html?sender=jmedved%40jmedved.com&ip=220.127.116.11&receiver=he-dc2-l3.avalon.hr (#5.7.1) (state 14).
There are two reasons why this may go unnoticed.
First one is that not many domains implement these checks. If domain does not check your SPF records, it will not block your e-mails. Almost all your e-mails will pass without any trouble to most of your destinations. That “almost” part is problematic.
Further, even if domain blocks your e-mail, it may opt not to report error. This is worst of all since neither your recipient will receive message neither you will receive error. It is great when e-mail just doesn’t work.
If you use Google Apps, you need to modify your SPF records to include “aspmx.googlemail.com”. However, there are some unofficial reports that this does not work all the time. It seems that you need “_spf.google.com” in your SPF record also. Since DNS takes ages to propagate, I opted to include both of these at once. Better safe than sorry.
Additionally, every SPF record has “all” mechanism in order to decide what to do with e-mails that are not caught by any other mechanism. This is for most of hosts written as “-all” which causes fail for all hosts not in list. Google Apps requires this to be “~all”. This is so called soft-fail. Your final destination will not be affected by it – it will only happen during internal mail routing.
How final record should look like, it depends on your particular configuration. However, I will give you what I added in TXT record:
v=spf1 a mx include:aspmx.googlemail.com include:_spf.google.com ~all
Your requirements may very, but not by much.
P.S. If you do not have access to your DNS records or you just want to check whether your change has propagated through DNS system, it is helpful to use SPF Query Tool. It is online and hassle free.