You seem to miss where I said header not from field.
The emails originate from knowb4 or phishme servers and customers whitelist those servers from anti spam/phishing/url inspection to minimise the false positives.
The knowb4 and phishme have their names in as part of the email ehlo exchange and are written into the header for tracking.
Double click the email to open the email into a new window, in the tags panel of the ribbon there is a little arrow pointing to the bottom right, click it and a new box opens. the bottom of that box contains the headers and transaction details of the specific email.