It doesn't matter if it's your own domain or the default AT&T one, either way the header is going to show it as coming from something similar to this --> srs.bis.na.blackberry.com so adding an exception for *.blackberry.com should do it. Just make sure to include the * so it's a wildcard as the server isn't always the same.
If anyone else wants to take a stab at this, here are the relevant headers I get from mine:
Delivery-Date: Mon, 11 May 2009 14:38:23 -0400
Received-SPF: pass (mxus5: domain of srs.bis.na.blackberry.com designates 126.96.36.199 as permitted sender) client-ip=188.8.131.52; envelope-from=SRS0=xk78JF=BHfirstname.lastname@example.org; helo=smtp03.bis.na.blackberry.com;
Received: from smtp03.bis.na.blackberry.com (smtp03.bis.na.blackberry.com [184.108.40.206]) by mx.perfora.net (node=mxus5) with ESMTP (Nemesis) id 0MKono-1M3aON3g3s-000IMa for
; Mon, 11 May 2009 14:38:23 -0400
Received: from bxe1245.bisx.prod.on.blackberry (bxe1245.bisx.prod.on.blackberry [172.20.204.214]) by srs.bis.na.blackberry.com (8.13.7 TEAMON/8.13.7) with ESMTP id n4BHYhrM000724 for
; Mon, 11 May 2009 18:39:14 GMT
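
One way to scope the *.blackberry.com exception discussed above, shown as an added example that is not part of the original post or of any particular filter product: apply the wildcard only when the Received-SPF header reports a pass for a domain matching the pattern. The function names, the sample messages and the assumption that your own MX prepends Received-SPF in the format shown in the headers above are all illustrative.

```python
import re
from email import message_from_string
from fnmatch import fnmatchcase

ALLOW_PATTERN = "*.blackberry.com"  # the wildcard suggested in the post above

def make_sample(result, domain):
    """Build a constructed test message; 192.0.2.10 is a documentation IP."""
    return (
        f"Received-SPF: {result} (mxus5: domain of {domain} designates "
        f"192.0.2.10 as permitted sender) client-ip=192.0.2.10; "
        f"envelope-from=bounce@{domain}; helo=smtp03.bis.na.blackberry.com;\n"
        "Subject: constructed sample\n\nbody\n"
    )

def spf_fields(raw):
    """Return (result, checked_domain) from the first Received-SPF header, or None."""
    # Assumption: the receiving MX prepends its header, so the first one is its own;
    # any Received-SPF lines further down were supplied by earlier hops or the sender.
    value = " ".join((message_from_string(raw).get("Received-SPF") or "").split())
    if not value:
        return None
    result = value.split(None, 1)[0].lower()
    m = re.search(r"domain of (\S+) designates", value)
    return result, (m.group(1).lower() if m else None)

def is_allowed(raw, pattern=ALLOW_PATTERN):
    """Apply the wildcard exception only to SPF-validated envelope domains."""
    fields = spf_fields(raw)
    if fields is None:
        return False
    result, domain = fields
    # fnmatchcase anchors the whole string, so "blackberry.com.example.net"
    # does not match "*.blackberry.com".
    return result == "pass" and domain is not None and fnmatchcase(domain, pattern)

if __name__ == "__main__":
    cases = [("pass", "srs.bis.na.blackberry.com"),
             ("softfail", "srs.bis.na.blackberry.com"),
             ("pass", "blackberry.com.example.net")]
    for result, domain in cases:
        print(result, domain, "->", is_allowed(make_sample(result, domain)))
```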