Do we need to set this up for sandbox and prod or just in prod?
If best practice is that we should, then can we add the same DKIMDomain in sandbox and production (without issues)?
Depends on what you're testing with the sandbox. If you want to simulate production sends, then add the prod domain to the sandbox.
Don't bother with SPF unless your client has specifically added a branded (envelope) sender for an additional fee.