What is the best practice for SPF?

The Sender Policy Framework (SPF) is an email-authentication technique used to prevent spammers from sending messages on behalf of your domain. With SPF, an organization publishes the mail servers that are authorized to send mail on behalf of its domain.

SPF records have a 255-character string limit in the Domain Name System (DNS). If you have an SPF record with a string longer than 255 characters, it will fail the SPF authentication check.

Keep your SPF records as simple as possible. Evaluating an SPF record should not require more than 10 DNS lookups. If you have more than ten lookups in your record, a permanent error could be returned during the SPF authentication process. DMARC interprets all SPF permanent errors as fail, so it treats this error as a fail as well. Avoid nested includes, because the lookups inside an included record count toward the same limit.

Avoid duplicate SPF TXT records: you can only have a single DNS TXT record that begins with “v=spf1”. Having multiple SPF records will result in a permanent error.
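
The three rules above (string length, lookup count including nested includes, and a single "v=spf1" record) can be checked before a record is published. The following linter is an added example, not part of the original article; the zone data, domain names and function names are constructed for illustration, and the list of terms that cost a lookup is taken from RFC 7208.

```python
import re
MAX_LOOKUPS = 10   # lookup limit stated above
MAX_STRING = 255   # string-length limit stated above
# Terms that cost one DNS lookup each (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Constructed sample zone (not real DNS data): name -> list of TXT strings.
ZONE = {
    "example.test": ["v=spf1 mx include:_spf.mail.test include:_spf.crm.test -all"],
    "_spf.mail.test": ["v=spf1 include:_a.mail.test include:_b.mail.test ~all"],
    "_a.mail.test": ["v=spf1 ip4:192.0.2.0/24 a mx ~all"],
    "_b.mail.test": ["v=spf1 a:out.mail.test exists:%{i}.bl.mail.test ~all"],
    "_spf.crm.test": ["v=spf1 a mx ptr include:_c.crm.test ~all"],
    "_c.crm.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "dup.test": ["v=spf1 mx -all", "v=spf1 ip4:203.0.113.5 -all"],
    "ok.test": ["v=spf1 ip4:203.0.113.0/24 include:_c.crm.test -all", "site-verification=constructed"],
}

def spf_records(zone, domain):
    """TXT records for `domain` whose first term is v=spf1."""
    return [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, domain, path=()):
    """Count lookup-costing terms, following include/redirect recursively."""
    records = spf_records(zone, domain)
    if domain in path or len(records) != 1:   # include loop, or nothing to follow
        return 0
    total = 0
    for term in records[0].split()[1:]:
        m = re.match(r"[+\-~?]?([A-Za-z0-9]+)(?:[:=]([^/\s]+))?", term)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue
        total += 1
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            total += count_lookups(zone, m.group(2).lower(), path + (domain,))
    return total

def lint(zone, domain):
    """Return a list of findings for the three rules described above."""
    records, findings = spf_records(zone, domain), []
    if len(records) != 1:
        findings.append(f"{len(records)} TXT records begin with v=spf1; exactly one expected")
    findings += [f"string is {len(r)} characters (limit {MAX_STRING})"
                 for r in records if len(r) > MAX_STRING]
    lookups = count_lookups(zone, domain)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups (limit {MAX_LOOKUPS})")
    return findings

if __name__ == "__main__": print({d: lint(ZONE, d) for d in ("example.test", "dup.test", "ok.test")})
```

In the sample zone, example.test has only three lookup-costing terms of its own, but its nested includes bring the total to 13, which is why the count has to follow includes rather than look at the top-level record alone.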