Hello John,
Trusted Senders is designed to allow you to skip SPAM checks for specified email address and domains. This is skipped/ignored in 2 cases. DKIM and SPF are still checked to protect your system,
Trusted SendersDomain Administrators can add specific email addresses (such as jsmith@example.com) or domains (such as example.com) that will be exempted from spam filtering. This can prevent mail from friends, business associates and mailing lists from being blocked and lets the system know that these messages come from a trusted source.
Note: Email addresses in a user's contacts are always considered trusted senders. In addition, if users unmark a message as spam, the sender is automatically included on their personal trusted senders list.
Here is an article that has a more robust description of why SPF and DKIM are exempt from the Trusted Senders.
When the DKIM and SPF both pass the SPAM weight is zeroed out for "Trusted Senders". The header for this looks like this.
X-SmarterMail-Spam: SPF_Pass, HostKarma - Whitelist, Reverse DNS Lookup [Passed], ISpamAssassin 0 [raw: 0], DK_Pass, DKIM_Pass
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain)
When either the SPF and/or DKIM fail then the full spam weight of all failed checks are brought forward and passed on. This header will have a line like this.
X-SmarterMail-Spam: SPF_SoftFail, Reverse DNS Lookup [Passed], ISpamAssassin 7 [raw: 5], DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 19 (Trusted Sender - User, failed SPF)
The other reason that this may be happening is what Jay mentioned above. Take a look at the raw content of the message and look at the "Return-Path:" and see if it matches the "From:" field. When you mark an email as a trusted sender it is grabbing hte email address in the From: field, when this check is processed during the SMTP session it looks at the Mail From: address that can be adjusted by the sender in the DATA portion of the SMTP session.
For Example:
In the above example notifications will be the trusted sender and pm_bounces is what will be checked during the SMTP session.
I hope this helps. Thank you
Tony