You have configured Sender Authentication (SPF, SenderID or DMARC) and selected the option, "Authenticate only the following domains". Some domains that are not on the list of domains are getting a Sender Authentication verdict and triggering the content policy.
This is caused by a previous server adding an Sender Authentication (SPF, SenderID or DMARC) header to the message.
Update: This issue has been addressed in SMG 10.7.3-5 and later. Existing SPF headers will be removed prior to scanning to prevent false positives from our SPF rules.
Currently the workaround is to add a second condition to the content rule for SPF, SenderID or DMARC that looks for the Authentication-Results header for SMG.