why we are having SPF Filtering in the Policy ? Product: central email protection advanced.

I am a little bit confused. 

There are two different parts of SPF: Outbound and Inbound (from your perspective). 

So if you get a mail from somebody, they are responsible for having a correct SPF txt record in their domain (DNS). 

Central Email will scan for inbound mails and look for a invalid sender, if possible. If the sender does not have any SPF Record, central will accept it anyway, because it cannot verify at all. 

For outbound mail, you are responsible for maintaining the SPF for your domain.

https://community.sophos.com/kb/en-us/132343

You have to add those records into your domain and send through Central Email. 

If you would start to reject all "none existing SPF" mails (which you can in Central email), you will have a lot to do to approve all those mails, because many sender basically do not maintain their records. 

I am a little bit confused. 

There are two different parts of SPF: Outbound and Inbound (from your perspective). 

So if you get a mail from somebody, they are responsible for having a correct SPF txt record in their domain (DNS). 

Central Email will scan for inbound mails and look for a invalid sender, if possible. If the sender does not have any SPF Record, central will accept it anyway, because it cannot verify at all. 

For outbound mail, you are responsible for maintaining the SPF for your domain.

https://community.sophos.com/kb/en-us/132343

You have to add those records into your domain and send through Central Email. 

If you would start to reject all "none existing SPF" mails (which you can in Central email), you will have a lot to do to approve all those mails, because many sender basically do not maintain their records.