Recently I found out that emails being sent from our server were getting a softfail on the SPF record. This meant our server wasn't actually allowed to send emails from @example.com. Some servers would mark these mails as spam.
After digging and pulling a few hairs I found out gmail was using our ipv6 address to validate the SPF record, so our original record didn't suffice.
A simple SPF record could look like this:
v=spf1 a mx -all
Which will validate all the "a" and "mx" records for the domain and disallow all others.
When using google apps the suggested record would be:
v=spf1 a mx include:_spf.google.com -all
And in our case we would use something like the following:
v=spf1 a mx ip4:xxx.xxx.xxx.xxx ip6:0000:0000:0000:0000:0000:0000:0000 -all
See the syntax for all possible modifiers and options.
Lastly, you could use gmail to see if it passes the SPF check. Just open the original for an email and look for a line which begins with "Received-SPF".