I've always used hardfail SPF on all my domains. For some reason this upsets people which means I must be doing it right. On the domains that softfail one can usually spoof as one of their leaders from outside of their company which I think should not be permitted even if it may, but often does not get marked as spam.