Emails coming from Salesforce.com are being flagged by Email Impersonation Control (EIC) despite having "salesforce.com" in the Approved Senders domain list.
Note that while this article specifically targets "salesforce.com" emails, the concept holds true for any mass-mailing platform.
All entries in the Email Impersonation Control (EIC) Approved Senders lists are taken literally. An entry of "salesforce.com" would only include "salesforce.com" and not include subdomains, such the ones used by the Salesforce mailing platform (for example, *@devs00x00chv00h0.eyl0go.0r-fltveai.ca00.bnc.salesforce.com). The Approved Senders list also do not accept wildcard entries.
In order to allow salesforce.com emails to bypass Email Impersonation Control (EIC), use the sending IP ranges as opposed to the domain or email address.
As of the time of posting, a list of IP ranges used by Salesforce can be found at their support page "What are the Salesforce IP Addresses & Domains to whitelist?" under the section Email Security Filters.
The Approved Senders list will accept IP ranges in CIDR notation (eg. 192.168.0.1/24).