You often want to allow certain servers to send your e-mails through your SMPT server. For example, if you have some computers in your dmz that need to be able to send status reports and or if you have some computers on your LAN that need to send e-mails from your domain. In such cases, you do not want to publish these services in your SPF record, as this information could be valuable for hackers. To work around this, you have two options.
First, many SPF implementations offer the ability to whitelist these addresses. This list of hosts is then only available for your SMPT server.
A second option would be to implement a “local policy”. If you need more information, you can find it in the documentation for your specific SPF implementation or you can search the list archives for "Whitelist" and "Local Policy"