This can happen for one of several reasons.
Cause 1: The messages do not align with the sender's DMARC policy
If the sender has published a DMARC policy, we first check that policy to determine if the sender's address can be trusted. If that check fails, it means the sender's address has likely been forged and we bypass checking the allow list.
To determine if a message is failing the DMARC check, examine the message headers and look for an Authentication-Results header such as this:
Authentication-Results: in01.mxguardian.net; dmarc=fail
If you see the text "dmarc=fail" then the message does not align with the sender's DMARC policy.
If these messages are in fact legitimate, then the sender has misconfigured something and they will need to either modify their DMARC policy or change the way they send outbound email. More information on DMARC can be found here: https://dmarc.org/overview/
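The header check described above can be scripted against a saved message. This is an added example, not MXGuardian's code; the function names and the sample message are constructed for illustration, and the server name in01.mxguardian.net is taken from the sample header above.

```python
import re
from email import message_from_string

# One "dmarc=<result>" entry in the result list of an Authentication-Results header.
DMARC_RE = re.compile(r"(?:^|;)\s*dmarc\s*=\s*([a-z]+)", re.IGNORECASE)
COMMENT_RE = re.compile(r"\([^()]*\)")  # innermost parenthesised comment

def dmarc_results(raw_message, authserv_id=None):
    """Return [(server, dmarc_result), ...] for every Authentication-Results
    header carrying a DMARC result. When authserv_id is given, headers stamped
    by any other server are ignored, since a sender can insert its own."""
    results = []
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(str(value).split())      # unfold continuation lines
        prev = None
        while prev != value:                      # strip (nested) comments
            prev, value = value, COMMENT_RE.sub("", value)
        server, _, rest = value.partition(";")
        tokens = server.split()
        server = tokens[0].lower() if tokens else ""
        if authserv_id and server != authserv_id.lower():
            continue
        match = DMARC_RE.search(rest)
        if match:
            results.append((server, match.group(1).lower()))
    return results

def fails_dmarc(raw_message, authserv_id):
    """True if the named filter recorded dmarc=fail for this message."""
    return any(r == "fail" for _, r in dmarc_results(raw_message, authserv_id))

# Constructed sample: the filter's folded header on top, plus a header added
# upstream by another server that claims dmarc=pass.
SAMPLE = (
    "Authentication-Results: in01.mxguardian.net;\n"
    "\tspf=pass smtp.mailfrom=bounce.example.net;\n"
    "\tdmarc=fail (p=reject) header.from=example.com\n"
    "Authentication-Results: mx.sender.example; dmarc=pass header.from=example.com\n"
    "From: Billing <billing@example.com>\n"
    "Subject: Invoice\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for server, result in dmarc_results(SAMPLE):
        print(f"{server}: dmarc={result}")
    print("failed DMARC at filter:", fails_dmarc(SAMPLE, "in01.mxguardian.net"))
```

Only the header stamped by your own filter should be trusted; the second header in the sample shows why matching on the server name matters.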
Cause 2: The address may also be on a user's block list
In addition to the global allow list and block list, there is also an allow list and block list for each user. It's possible for an address to be on the global allow list and also on an individual user's block list. To view the block list for a specific user, go to the Users tab and click on a user's email address. Then go to the Block List tab to view the block list entries for that particular user.