The Permitted Senders entry is not being honored because DKIM verification is failing. The source IP of (IP) is not included in the SPF record for (DOMAIN).
The sender can correct this by adding the IP to their SPF record, or you can set up a new DNS Authentication - Inbound Policy for specific domains or users to not perform any kind of SPF check. Below I have detailed how to do this:

Go to Administration>Directories>Profile Groups
Click the plus sign (+) on the Root Folder to create a New Folder
Rename the "New Folder" to "DNS Check Bypass" (or whatever else you would like to call it)
With this Group selected, click Build>Add Email Addresses/Domains to list the specific email addresses to be added to this Group
Click Save and Exit
Go to Administration>Gateway>Policies 
Then go to DNS Authentication - Inbound>Definitions
Click "New DNS Authentication - Inbound Checks"
Description: No DNS Authentication
Make sure all options are unchecked
Save and Exit
Go back to the Policy section
Now click on DNS Authentication - Inbound itself (not definitions)
Click New Policy
Narrative: No DNS Authentication
Select Option: No DNS Authentication
Email From>Applies From: Address Groups
Specifically: (the group you created above)
Emails To>Applies To: Internal Addresses
Hit Save and Exit
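
To confirm whether a sending IP is covered by the sender's SPF record before creating a bypass, and to re-check once the sender has added the IP, the sketch below evaluates the `ip4`, `ip6` and `all` mechanisms of a record offline. It is an added example, not part of the original reply or of the product; the function name, the sample records and the documentation-range IP addresses are constructed for illustration, and mechanisms that need a DNS lookup (`include`, `a`, `mx`, `redirect=` and so on) are reported as `needs-dns` rather than resolved.

```python
import ipaddress

# Result names for the SPF qualifiers defined in RFC 7208.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_ip_result(record, source_ip):
    """Evaluate a record's terms left to right against source_ip.

    Hypothetical helper: returns the result of the first matching ip4/ip6/all
    term, or 'needs-dns' when a term requiring a DNS lookup is reached first.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(source_ip)
    redirect = False
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # strict=False accepts entries with host bits set; no prefix means one host
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        elif "=" in name:
            # Modifier: redirect= only matters if nothing else matched
            redirect = redirect or name.startswith("redirect=")
        else:
            return "needs-dns"  # include, a, mx, exists, ptr
    return "needs-dns" if redirect else "neutral"

# Constructed sample records for a sender whose mail leaves from 198.51.100.25.
BEFORE = "v=spf1 ip4:192.0.2.0/24 -all"
AFTER = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"

if __name__ == "__main__":
    for label, rec in (("before", BEFORE), ("after", AFTER)):
        print(label, spf_ip_result(rec, "198.51.100.25"))
```
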