This can happen for one of several reasons.
Cause 1: The messages do not align with the sender's DMARC policy
If the sender has published a DMARC policy, we first check that policy to determine if the sender's address can be trusted. If that check fails, it means the sender's address has likely been forged, so we skip the whitelist check and the whitelist entry is not applied.
To determine if a message is failing the DMARC check, examine the message headers and look for an Authentication-Results header such as this:
Authentication-Results: in01.mxguardian.net; dmarc=fail
If you see the text "dmarc=fail" then the message does not align with the sender's DMARC policy.
If these messages are in fact legitimate, then the sender has misconfigured something and they will need to either modify their DMARC policy or change the way they send outbound email. More information on DMARC can be found here: https://dmarc.org/overview/
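The header check described above can be scripted when there are many messages to review. The following is an added example, not MXGuardian's own code: it reads a raw message, keeps only Authentication-Results headers stamped by the filtering host, and returns the DMARC result. The sample message and the function names are constructed for illustration, and the authserv-id in01.mxguardian.net is taken from the header shown above (your messages may show a different host).

```python
import re
from email import message_from_string

# Constructed sample message (not real mail). The first header is folded across
# lines; the second is one the sender could have injected before delivery.
SAMPLE = """\
Received: from mail.example.org by in01.mxguardian.net
Authentication-Results: in01.mxguardian.net;
 spf=pass smtp.mailfrom=example.org;
 dkim=none;
 dmarc=fail (p=reject) header.from=example.com
Authentication-Results: mx.forged.example; dmarc=pass header.from=example.com
From: Alice <alice@example.com>
To: bob@example.net
Subject: Invoice

Body text.
"""

def strip_comments(value):
    """Remove parenthesised header comments, including nested ones."""
    prev = None
    while prev != value:
        prev = value
        value = re.sub(r"\([^()]*\)", " ", value)
    return value

def dmarc_results(raw, trusted_authserv_id):
    """Return DMARC results from headers added by trusted_authserv_id only."""
    msg = message_from_string(raw)
    results = []
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, resinfo = strip_comments(header).partition(";")
        parts = authserv_id.split()  # the id may be followed by a version number
        if not parts or parts[0].lower() != trusted_authserv_id.lower():
            continue  # ignore headers that were not stamped by the trusted host
        for clause in resinfo.split(";"):
            m = re.match(r"\s*dmarc\s*=\s*([a-z]+)", clause, re.I)
            if m:
                results.append(m.group(1).lower())
    return results

def fails_dmarc(raw, trusted_authserv_id):
    """True when the trusted host recorded dmarc=fail for this message."""
    return "fail" in dmarc_results(raw, trusted_authserv_id)
```

Filtering on the authserv-id matters because a sender can add their own Authentication-Results header claiming dmarc=pass; only the header written by the receiving filter reflects the check that decides whether the whitelist is applied.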
Cause 2: The address may also be on a user's blacklist
In addition to the global whitelist and blacklist, there is also a whitelist and blacklist for each user. It's possible for an address to be on the global whitelist and also on an individual user's blacklist. To view the blacklist for a specific user, go to the Users tab and click on a user's email address. Then go to the Blacklist tab to view the blacklist entries for that particular user.