How to read a SPF record and allow Google Apps Gmail to send for your custom domain

An SPF record is a hack. It's a way of using DNS to say which hosts are allowed to authoritatively send email as a domain name. It does this with a DNS TXT record (as opposed to an A or MX record); a TXT record can contain any text, and an SPF record is a specially encoded one, like this:

"v=spf1 ip4:198.51.100.26 -all"

The v=spf1 tag indicates that this is an SPF record following version 1 of the SPF standard.

After the version come any number of 'directives'. In this example there is only one, ip4:198.51.100.26. The directive type here is ip4, but it could also be a, mx, include or ip6, and it can also be ptr or a few other things. The final -all can be thought of as a catch-all directive: it matches any query that none of the earlier directives matched, so if it were not at the end, no directive after it would ever be reached. The minus sign in front of all means the result is fail. Other symbols in place of - are + (pass), ? (neutral) and ~ (soft fail). If there is no sign, + (pass) is assumed.

So to create an SPF record for use with Google Apps on a custom domain, first go into the custom domain's DNS record settings and create a new record of type TXT. The value starts with: "v=spf1 -all"

At this point nothing can pass SPF for your domain, so we need to add a directive that passes. The directive we want for Google Apps is include:_spf.google.com, so the record becomes: "v=spf1 include:_spf.google.com -all"

This -all form is strict and may cause some mail sent through Google to fail. To loosen the restriction, change it to ~all instead: "v=spf1 include:_spf.google.com ~all"
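To make the reading of directives and qualifiers above concrete, and to show what the include: record in the Google Apps setup actually does, here is an added example (not code from the original post) that parses a record into directives and evaluates a sender IP against it. The TXT data it consults is constructed sample data: the _spf.google.com entry is a stand-in, not Google's real record, and the a, mx and ptr directives, which need live DNS, are skipped.

```python
import ipaddress

# Qualifier symbols and their SPF results; an unqualified mechanism defaults to "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample zone data standing in for DNS TXT lookups (not Google's real record).
SAMPLE_TXT = {
    "example.com": "v=spf1 include:_spf.google.com -all",
    "example.org": "v=spf1 include:_spf.google.com ~all",
    "example.net": "v=spf1 all",  # unqualified all: everything passes
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

def parse_spf(record):
    """Split a TXT value into (qualifier, mechanism, argument) directives."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    directives = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        directives.append((qualifier, mechanism.lower(), argument))
    return directives

def check_spf(sender_ip, domain, txt_records=SAMPLE_TXT, depth=0):
    """Return the SPF result for sender_ip claiming to send as domain."""
    if depth > 10:
        return "permerror"  # include loop or too many lookups
    record = txt_records.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            # include matches only if the included record itself returns pass
            matched = check_spf(sender_ip, argument, txt_records, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True  # catch-all; nothing after it is ever reached
        else:
            continue  # a, mx, ptr need live DNS and are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no directive matched and no all was present
```

Swapping example.com's -all for ~all (as example.org does) turns a non-Google sender's result from fail into softfail, which is the loosening described above.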

Once you've saved your TXT record (and have kicked bind/named if needed), you can do a quick validation test of your new SPF record using the tool found here.