You have a data protection policy configured using a group or domain sender condition and it intermittently fails to trigger. The sender condition is configured with the following options:

Sender Domain List Condition
Domain of the Sender "is in none of the selected lists"

Sender Group Condition
Email Sender "is in any of the selected groups"

Email Data Protection for Symantec Email Security.Cloud.

The email for which the policy did not trigger has a null RFC5321.MailFrom also known as the envelope sender or return-path email address.

A Data Protection policy using a sender domain or group conditions set to trigger if the sender is not in the group or domain list does not work with an empty RFC5321.Mailfrom. Examples of these emails are automated notifications such as "Out of Office" and "Non Delivery Receipt (NDR)" notifications which should not have a return-path as defined in RFC.

This is currently being reviewed by our development team as a potential change in a future version of our Data Protection offering, but there are no release date currently available.