> Unrecognized modifiers MUST be ignored no matter where, or how often, they appear in a record. This allows implementations conforming to this document to gracefully handle records with modifiers that are defined in other specifications.
A correct SPF validator will ignore the xss modifier, not treat the SPF record as invalid.
https://datatracker.ietf.org/doc/html/rfc7208
> Unrecognized modifiers MUST be ignored no matter where, or how often, they appear in a record. This allows implementations conforming to this document to gracefully handle records with modifiers that are defined in other specifications.
A correct SPF validator will ignore the xss modifier, not treat the SPF record as invalid.