That could be the issue. If the end of the SPF record is not "-all" (hardfail), then the email will still (probably) be delivered. A softfail is meant to be picked up in the next layer of mail software after SMTP delivery. It's usually then managed by Sieve/maildrop filtering or end-user client programs.
I could be way off base, but it would be worth checking from a domain with SPF hardfail set, and then maybe Postfix will drop it at the SMTP level. I could set up a test case if you are desperate.
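Added example, not part of the original post: a small Python check that reads an SPF TXT record and reports what its terminal `all` mechanism tells receivers to do with senders that match nothing else. The function names and the sample records are constructed for illustration; the handling notes restate the post's description of hardfail versus softfail.

```python
# Added illustration: classify the "all" mechanism of an SPF record (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Handling as described in the post; actual behaviour depends on receiver policy.
HANDLING = {
    "fail": "hardfail: receiver may reject at the SMTP level",
    "softfail": "softfail: probably delivered, left to later filtering",
    "neutral": "no assertion: nothing for the receiver to act on",
    "pass": "+all: every sender passes, SPF gives no protection",
}

def all_policy(record):
    """Return the result for senders matching no earlier mechanism.

    None if this is not an SPF record, 'redirect:<domain>' if the policy
    is delegated, otherwise one of pass/fail/softfail/neutral.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    redirect = None
    for term in terms[1:]:
        t = term.lower()
        qualifier, mech = ("+", t)          # "+" is the default qualifier
        if t[0] in QUALIFIERS:
            qualifier, mech = t[0], t[1:]
        if mech == "all":                   # terms after "all" are never evaluated
            return QUALIFIERS[qualifier]
        if t.startswith("redirect="):       # only used when no "all" is present
            redirect = t[len("redirect="):]
    if redirect:
        return "redirect:" + redirect
    return "neutral"                        # no "all" and no redirect

if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    samples = [
        "v=spf1 mx -all",
        "v=spf1 include:_spf.example.net ~all",
        "v=spf1 a mx",
        "v=spf1 redirect=_spf.example.com",
    ]
    for rec in samples:
        result = all_policy(rec)
        print(f"{rec!r:45} -> {HANDLING.get(result, result)}")
```

Feed it the TXT record of the sending domain used in the test; a result other than `fail` means the SPF check alone gives the receiving server no reason to refuse the message during the SMTP session.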