Black and white lists are used to override the spam score results of an email. They do not override file extension, MIME, spoofing, or geographical checks.
Email addresses, domains, and IP addresses can be added at the Global, Group, and User levels. Lower level rules will override higher level rules. For example, if you define a blacklist rule for email@example.com, a Group Administrator or Portal User can create a whitelist rule to allow firstname.lastname@example.org. It will be allowed for that Group or User, but anyone outside of that will have the email blacklisted.
This is normally "from", but can also be set to "to" to prevent or ensure delivery to external addresses, domains, or networks.
You may use wildcards with matches, and a test area is provided within the Master interface to check if your wildcard rules will match specific targets.
Be careful with wildcards. Whitelisting entire domains is generally a bad idea. Whitelisting your own entire domain is a very bad idea.
See the Black/White List guide for more detail on these types of policies.