The KB articles and documentation you are referring to are accurate.
When using SPF you may need to keep an open mind as to what the outcome will be. The problem is that, in practice, it is quite common to find SPF records that are not set in accordance with the RFC. This comment is also very much the same for SenderID or FCrDNS.
You will also find genuine senders that do not have either type of record available, so you need to make a decision on whether your policy will be strict or relaxed about enforcing SPF or any other form of DNS-based sender checks you choose to use.
It is difficult to cover all cases, so the best advice would be to test and monitor any policies you create and see if they cover your requirements.
As an aside, please have a look at this blog post, where I discuss options to prevent spoofing of internal domains with MEG by using permitted/blocked sender lists and SPF.
Hope this helps.
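The reply above notes that published SPF records often do not follow the RFC. As an added example that is not part of the original reply, the sketch below lints TXT record strings for common conformance problems before you decide between a strict and a relaxed policy. It assumes RFC 7208 as the reference; the function name and sample domains are constructed, and it reads strings rather than querying DNS.

```python
import re

# Terms that each cost one DNS lookup; the limit is 10 (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.\-]*)(.*)$")

def lint_spf(txt_records):
    """Return the RFC 7208 problems found in one domain's TXT records (hypothetical helper)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published (result: none)"]
    if len(spf) > 1:
        return ["more than one v=spf1 record (result: permerror)"]
    problems, lookups, seen_all = [], 0, False
    for term in spf[0].lower().split()[1:]:
        m = TERM.match(term)
        if not m:
            problems.append(f"unparseable term {term!r} (permerror)")
            continue
        qualifier, name, rest = m.groups()
        is_modifier = rest.startswith("=")  # unknown modifiers are legal and ignored
        if not is_modifier and name not in MECHANISMS:
            problems.append(f"unknown mechanism {name!r} (permerror)")
            continue
        if name in LOOKUP_TERMS and (name == "redirect") == is_modifier:
            lookups += 1  # top-level count only: nested includes add more at runtime
        if name == "include" and not rest.startswith(":"):
            problems.append("include without a domain (permerror)")
        if seen_all:
            problems.append(f"{term!r} follows 'all' and is never evaluated")
        if name == "all" and not is_modifier:
            seen_all = True
            if qualifier in ("", "+"):
                problems.append("'+all' authorizes every sender")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10 (permerror)")
    return problems

# Constructed sample records; the domains and addresses are documentation placeholders.
SAMPLES = {
    "ok.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 a -all"],
    "open.example": ["v=spf1 +all"],
    "typo.example": ["v=spf1 ipv4:192.0.2.1 -all mx"],
    "deep.example": ["v=spf1 " + " ".join(f"include:s{i}.example.net" for i in range(11)) + " ~all"],
    "none.example": ["site-verification=constructed"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, lint_spf(records) or "no problems found")
```

A record that lints clean here can still exceed the lookup limit once its includes are resolved, so treat the result as a first pass alongside the monitoring suggested above.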