OT: Risks & mitigations of allowing an external sender to send to us (with sender 'same domain' as us)

There is an external app server (that is our service provider) from which we want
to blast emails to a team/department in our organization (email domain @
but these emails will have the sender in the same domain as us, i.e.

What are the risks of permitting such a bypass (i.e. disabling Norelay) in our
(it's MS Exchange), and if we have to permit it, what mitigations can we put
in place?