hello A. de monaco
this type of policy is what i used to call a "behaviour policy" and it is the most difficult one (i know you have already understand this point if you ask the question). Usually the way i proceed (dont know if it is the best), it is first to check policies in place in the company to define the "normal" behaviour when sharing information with business partners. Then you can define which type of corruption you want to cover because as usual you have to find the good mix between risk coverage and cost to do it.
then after that if it is anormal behaviour, you can also imagine that email will be "anormal" with respect to other ones. I cant list here all this parameter as it is part of DLP policies for most of my customer but i think that for anormal behaviour you have to know the normal behaviour. you can contact me via MP or email to see if i can help you to go further.
regards.