Salesforce senders are stopped or tagged by the Email Impersonation Control service.
Salesforce does not send email from the domain Salesforce.com alone, but from a long string ID followed by the domain Salesforce.com. Because this string changes per user, whitelisting each individual user becomes a challenging task.
Broadcom recommends whitelisting by IP range, based on the source and region of the emails. The sources by region, IP ranges and domains to allow are listed below:
https://help.salesforce.com/articleView?id=000321501&type=1&mode=1
Note: Monitor the above link for any new IP ranges added by Salesforce.
Wildcard characters cannot be used to designate approved senders for Sender IP Addresses or Sender Email Addresses, but you can specify your IP address ranges with CIDR notation. The wildcard (*) character is, however, allowed for trusted third-party subdomains. For example, messages from test.sample.com are accepted if *.sample.com is added in Approved Senders > Sender Domains. Use caution when adding any information to a whitelist.
In a scenario where you do not wish to whitelist the entire Salesforce IP range, the following entry can be added to allow the mail through:
*.bnc.salesforce.com or *.salesforce.com
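The entry rules and the two wildcard options above can be checked before anything is added to Approved Senders. The following is an added example, not Broadcom's code: `validate_entry`, `is_approved`, `NARROW` and `BROAD` are hypothetical names, the matching semantics are an assumption modelled on the text, and the IP range and host names are constructed sample values.

```python
import ipaddress

def validate_entry(kind, value):
    """Return None if the entry is well-formed, else the reason it is not."""
    if kind == "ip":                      # single IP or CIDR range, no wildcards
        if "*" in value:
            return "wildcards are not allowed for IPs; use CIDR notation"
        try:
            ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            return f"invalid IP/CIDR: {exc}"
        return None
    if kind == "email":                   # exact address only
        if "*" in value:
            return "wildcards are not allowed for email addresses"
        return None if value.count("@") == 1 else "not an email address"
    if kind == "domain":                  # exact domain or leading "*." label
        body = value[2:] if value.startswith("*.") else value
        if "*" in body or "." not in body:
            return "wildcard is only allowed as a leading '*.' label"
        return None
    return "unknown entry kind"

def is_approved(entries, sender_ip, sender_domain):
    """True if the sender IP or sender domain matches a well-formed entry."""
    ip = ipaddress.ip_address(sender_ip)
    dom = sender_domain.lower().rstrip(".")
    for kind, value in entries:
        if validate_entry(kind, value) is not None:
            continue                      # skip malformed entries
        if kind == "ip" and ip in ipaddress.ip_network(value):
            return True
        if kind == "domain":
            v = value.lower()
            # Assumption: "*.x" matches subdomains of x but not x itself.
            if dom == v or (v.startswith("*.") and dom.endswith(v[1:])):
                return True
    return False

# Constructed sample data: documentation IP range and made-up sender hosts.
NARROW = [("ip", "198.51.100.0/24"), ("domain", "*.bnc.salesforce.com")]
BROAD = [("domain", "*.salesforce.com")]

if __name__ == "__main__":
    for name, entries in (("narrow", NARROW), ("broad", BROAD)):
        for host in ("abc123.bnc.salesforce.com", "other.salesforce.com"):
            print(name, host, is_approved(entries, "203.0.113.9", host))
```

The broad entry accepts every Salesforce subdomain, while the narrow one accepts only hosts under bnc.salesforce.com plus the listed IP range.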