Of course, what I wrote allows
spf2.0/pra,mailfrom ...
and
spf2.0/mailfrom,pra ...
to be both recognized by -protocol.
But it forbids having two records
spf2.0/pra ...
spf2.0/mailfrom ...
Of rather, if both such records exists, then neither would be used by
-protocol.
It seems cleaner to define it as I propose, but I don't have strong
feelings on disallowing multiple spf/2.x records as long as only one
of them has the "pra" token. I can see that the alternative approach
may have merit, too...
-roy