If Using AD/LDAP
If you have any Distribution Lists, they usually don't have sAMAccountName(AD) or uid(LDAP) entries, so CanIt needs to be told to accept their mail into a Stream specifically, under Setup->Address-to-Stream Mappings. you can give each its own Stream, have all use the same Stream, or use an already-existing user Stream.
Distribution Group Blocked (Exchange)
Exchange 2007/2010 distribution groups by default only allow internal mail.
Open Properties->Mail Flow->Settings,
Message delivery restrictions-> Properties,
Uncheck "Require that all senders are authenticated".