Right now, if you have sender spoofing turned on, your only option to allow in outside emails that are spoofed (say, from a third-party vendor that sends bulk email on your behalf) is to whitelist the IPs of the third party. That means all emails that third party sends, including the ones that are not yours, are then allowed due to the whitelisted IP.
There should be a whitelist just for the sender spoofing and not everything.
Either that, or check inbound emails to your domain name against the SPF records to see if they should be permitted. Right now, the setting to "Reject messages from my domain:" under Domain Management > Advanced > Email protocol overrides the SPF record. So even when the SPF record shows that the sender is authorized to send emails from the domain, the ESG blocks it.
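The SPF-based check requested above, sketched as an added example (not part of the original post and not Barracuda's code): mail claiming one of your own domains is accepted only when the connecting IP passes that domain's SPF record, while other mail from the same vendor IP still goes through normal filtering instead of bypassing it. The domain names, the in-memory record table and the decision labels are constructed assumptions; the check uses the envelope sender, and the evaluator handles only the `ip4`, `ip6`, `include` and `all` mechanisms.

```python
import ipaddress

# Constructed sample data (documentation address ranges), standing in for DNS TXT lookups.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.vendor.example -all",
    "_spf.vendor.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
OUR_DOMAINS = {"example.com"}  # assumption: domains hosted behind the gateway
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, include, all) for client_ip."""
    record = SPF_RECORDS.get(domain)
    # depth cap is a simplification of the SPF lookup limit; it stops include loops
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        result = "pass"  # default qualifier is "+"
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return result
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            if spf_check(value, client_ip, depth + 1) == "pass":
                return result
        elif name == "all":
            return result
        # other mechanisms and modifiers (a, mx, redirect=...) are skipped here
    return "neutral"


def own_domain_decision(mail_from, client_ip):
    """Decide what to do with a message based on its envelope sender."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain not in OUR_DOMAINS:
        return "normal-filtering"      # no blanket exemption for the vendor's IP
    if spf_check(domain, client_ip) == "pass":
        return "accept-for-scanning"   # authorized sender for our domain
    return "reject-spoof"              # claims our domain from an unauthorized IP
```
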