A Mail Transfer Agent (MTA) is a relay server: mail flows into the agent and is then relayed out to the next hop. Most Secure Email Gateways (SEGs), such as Clearswift's Secure Email Gateway, act as a relay server at a base layer. When a message flows through an MTA, the IP of that machine is added as a "hop" in the message's IP chain.
How does this affect APD?
APD looks for the IP of the last hop. If you have an SEG acting as a relay server in front of your environment, you will most likely see many messages classified as domain spoofs, and the details of such a message will show your SEG's IP as the sending IP.
Another way to view this issue is to go to Analyze > IP Addresses and select the appropriate date range. Your SEG devices should appear at the top with a large number in the Total Domains field.
How can I fix this?
To fix this going forward, put the IPs of your SEG devices in the MTA field on the Organization page. Collect the IPs of your SEG devices, navigate to Manage > Organization, and find the MTA field towards the bottom. Paste your IPs there and select Save at the bottom.
Other things to note:
SEG devices are not always the cause. You may have standalone relay servers that many of your messages funnel through, and these also need to be skipped in the IP chain.
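The effect of listing your own relays can be seen in a short added example (not the product's code and not part of the original article). It assumes hop IPs are read from the message's Received headers, newest first, and that any IP listed as a trusted MTA is skipped; the function names, sample message and addresses are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample message. MTAs prepend Received headers, so newest is first.
SAMPLE = """\
Received: from seg.example.com (seg.example.com [203.0.113.10])
\tby mail.example.com with ESMTP; Tue, 1 Jan 2030 10:00:03 +0000
Received: from relay.example.com (relay.example.com [203.0.113.20])
\tby seg.example.com with ESMTP; Tue, 1 Jan 2030 10:00:02 +0000
Received: from sender.example.net (sender.example.net [198.51.100.7])
\tby relay.example.com with ESMTP; Tue, 1 Jan 2030 10:00:01 +0000
From: alice@example.net
To: bob@example.com
Subject: constructed sample

body
"""

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def hop_ips(raw_message):
    """Return the connecting IP recorded for each hop, newest hop first."""
    msg = email.message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(header)
        if not match:
            continue  # hop recorded without a bracketed IP literal
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # bracketed text was not a valid IP
    return ips

def sending_ip(raw_message, trusted_mtas=()):
    """First hop (newest first) that is not one of our own MTAs (assumed logic)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_mtas]
    for ip in hop_ips(raw_message):
        if not any(ip in net for net in nets):
            return str(ip)
    return None  # every hop was one of our own MTAs

if __name__ == "__main__":
    print(sending_ip(SAMPLE))                                    # SEG blamed
    print(sending_ip(SAMPLE, ["203.0.113.10"]))                  # relay blamed
    print(sending_ip(SAMPLE, ["203.0.113.10", "203.0.113.20"]))  # true sender
```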