I just entered a bugzilla report for this: Bug 48824 - Amavis/SA: Heuristics.Phishing.Email.SpoofedDomain not detected on delivery
In short, as of recent versions of ClamAV, spoofed domains are detected in the body of html-encoded messages. However, the default config for amavisd doesn't pass the message to ClamAV in a form that will let it look at the right data; only once the message is sent as an attachment via manual junk classification does ClamAV get to see it. Then a notice gets sent to administrator and (not very usefully) to the junk account.
The workaround, and likely solution, is to edit /opt/zimbra/conf/amavisd.conf.in and change
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
(i.e., uncomment the line).
qr'^MAIL$', # retain full original message for virus checking (can be slow)
Then as zimbra do zmamavisdctl restart. However if you have a lot of mail I'm not sure about the impact that's implied by the "can be slow" comment.