It depends. I don't think there's a clear-cut exact rule, but here's what I do:
"v=spf1 mx ip4:75.xx.xx.xx include:secureserver.net -all"
or redirect to:
And use _spf.mydomain.com to reference all allowed senders. I always define the actual IPv4 address in case the DNS services are down. But either method should be okay; just remember the dependencies with any A records.
It's best practice to ALWAYS place SPF entries, even for domains that you don't send mail from. This helps keep anyone from "spoofing" you and getting your domain flagged as a bad sender.
For your FCESP, congrats. This was one of the most challenging ones that I did, over 3+ years ago. I know you're relieved.
The FCESP is unlike the Cisco exams, which use wordings such as "theory", "Cisco ideally", "what's the best..." etc. I found that the Fortinet exam is 100% practical usage and settings. I was upset that I didn't pass my 1st attempt, and I dedicated about a year to studying everything in the appliance that was within reason before taking the 2nd attempt.
You can read more about it here if you're bored.
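
An added example, not part of the original post: a small offline audit of an SPF record that separates the terms depending on DNS (`mx`, `include`, `redirect`) from literal `ip4`/`ip6` entries and recognizes the `v=spf1 -all` record used for domains that send no mail. The function name `audit_spf` and the sample records (documentation addresses and `example` domains) are constructed for illustration.

```python
import re

# Terms that each cost a DNS query at evaluation time (RFC 7208, section 4.6.4).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def audit_spf(record):
    """Classify the terms of one SPF record without doing any DNS queries."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    dns_terms, literal_terms, warnings = [], [], []
    all_result = redirect = None
    for term in terms[1:]:
        name, eq, value = term.partition("=")
        if eq and ":" not in name and "/" not in name:  # modifier (name=value)
            if name.lower() == "redirect":
                redirect = value
                dns_terms.append(term)  # following a redirect needs a TXT query
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = re.split(r"[:/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if mech == "all":
            all_result = QUALIFIERS[qualifier]
        elif mech in LOOKUP_MECHS:
            dns_terms.append(term)
        elif mech in ("ip4", "ip6"):
            literal_terms.append(term)  # matched without any DNS dependency
        else:
            warnings.append(f"unknown mechanism: {term}")
    if all_result is None and redirect is None:
        warnings.append("no 'all' and no redirect: unlisted senders get 'neutral'")
    if all_result and redirect:
        warnings.append("redirect is ignored because 'all' is present")
    if all_result == "pass":
        warnings.append("+all authorizes every sender")
    if len(dns_terms) > 10:  # counts this record only, not nested includes
        warnings.append("more than 10 DNS-querying terms: permerror")
    non_sending = all_result == "fail" and not dns_terms and not literal_terms
    return {"dns_terms": dns_terms, "literal_terms": literal_terms,
            "all": all_result, "redirect": redirect,
            "non_sending": non_sending, "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    for rec in ("v=spf1 mx ip4:192.0.2.10 include:spf.example.net -all",
                "v=spf1 redirect=_spf.example.com",
                "v=spf1 -all"):
        print(rec, "->", audit_spf(rec))
```

The lookup count covers only the record passed in; nested `include` and `redirect` targets add their own queries toward the limit of 10.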