You won't be able to allow those external senders unless you can somehow authenticate the connection from Service Now. You would need to ask them if they have any solutions, but that would not be something they would typically have a way to fix either.
Otherwise, allow external senders to those groups and then create transport rules that drop any external message sent to them unless it's from Service Now.
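
The second option above could look like this in Exchange Online PowerShell. This is an added example, not part of the original reply; it assumes a session opened with `Connect-ExchangeOnline`, and the group addresses, sender domain and rule name are placeholders.

```powershell
# Placeholder values, constructed for illustration; replace with your own.
$Groups       = @('helpdesk-dl@contoso.example', 'oncall-dl@contoso.example')
$SenderDomain = 'your-instance.servicenow.example'   # domain Service Now sends from
$RuleName     = 'Drop external mail to ticket groups except Service Now'

# 1. Create the drop rule first, so the groups are never open to all
#    external senders without the filter in place.
#    AnyOfToCcHeader is used because it accepts groups; SentTo only
#    accepts mailboxes, mail users and mail contacts.
New-TransportRule -Name $RuleName `
    -FromScope NotInOrganization `
    -AnyOfToCcHeader $Groups `
    -ExceptIfSenderDomainIs $SenderDomain `
    -DeleteMessage $true `
    -Mode Enforce

# 2. Only then let the groups accept mail from outside the organization.
foreach ($group in $Groups) {
    Set-DistributionGroup -Identity $group -RequireSenderAuthenticationEnabled $false
}

# 3. Confirm both settings took effect.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, FromScope, AnyOfToCcHeader, ExceptIfSenderDomainIs
Get-DistributionGroup -Identity $Groups[0] |
    Format-List Name, RequireSenderAuthenticationEnabled
```

The exception matches on the sender address the message claims, so it is only as trustworthy as the SPF, DKIM and DMARC checks applied to inbound mail before the rule runs. Review message trace after enabling it to confirm that only the expected sender is reaching the groups.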