Salesforce senders are stopped or tagged by the Email Impersonation Control service.

Salesforce does not use the domain Salesforce.com solely when sending emails, but rather a long string ID followed by the domain Salesforce.com. This string changes per user, whitelisting each single user becomes a challenging task.

Broadcom recommends to use wildcard for whitelisting the sending domain:

*.salesforce.com

Please use caution when utilizing wildcards for any Approved senders.