I thought content filters could only require delivery with TLS, which of course applies to every recipient.
The problem with using content filters to check for inbound TLS is matching up the correct header, since the sender could have used TLS within their organization on the way to the edge. I might see multiple TLS headers. The compliance policy would need to correctly match on the single header including one of my edge gateways and TLS and the correct sender domain. Not sure I can write that regex!
example:
Received: from tems6a.external.com (tems6a.external.com [1.2.3.4] ) (using TLS with cipher AES256-SHA (AES256-SHA/256 bits)) (Client did not present a certificate) by mygateway.example.com (mygateway.example.com) with SMTP id 5B.EE.30242.F370A7E4; Wed, 21 Sep 2011 15:48:15 +0000
Received: from internalhop.external.com (internalhop.external.com [10.9.8.6] ) (using TLS with cipher AES256-SHA (AES256-SHA/256 bits)) (Client did not present a certificate) by tems6a.external.com tems6a.external.com) with SMTP id abcxys4; Wed, 21 Sep 2011 15:47:15 +0000
.. etc...
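An added example, not part of the original post: rather than one regex over all headers, this sketch walks the Received headers from newest to oldest, stops at the first one stamped by an edge gateway, and checks only that hop for TLS and the sender domain. The gateway set, function names and the sample message (built from the headers above) are assumptions for illustration.

```python
import re
from email import message_from_string

# Assumption: hostnames of our own edge gateways, taken from the sample headers.
EDGE_GATEWAYS = {"mygateway.example.com"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\s*\)"
    r"(?P<middle>.*?)\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
TLS_RE = re.compile(r"\(using TLS with cipher\s+(?P<cipher>\S+)", re.IGNORECASE)

# Constructed sample message: edge hop on top, sender-internal hop below it.
SAMPLE = (
    "Received: from tems6a.external.com (tems6a.external.com [1.2.3.4] ) "
    "(using TLS with cipher AES256-SHA (AES256-SHA/256 bits)) "
    "by mygateway.example.com (mygateway.example.com) with SMTP id 5B.EE.30242.F370A7E4; "
    "Wed, 21 Sep 2011 15:48:15 +0000\n"
    "Received: from internalhop.external.com (internalhop.external.com [10.9.8.6] ) "
    "(using TLS with cipher AES256-SHA (AES256-SHA/256 bits)) "
    "by tems6a.external.com (tems6a.external.com) with SMTP id abcxys4; "
    "Wed, 21 Sep 2011 15:47:15 +0000\n"
    "Subject: test\n\nbody\n"
)

def edge_hop(raw_message):
    """Return the hop recorded by our edge gateway, or None if there is none."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):  # headers are listed newest first
        m = RECEIVED_RE.search(value)
        # The first match is the one our gateway wrote; any header below it
        # was supplied by the sending side and is not evaluated.
        if m and m.group("by").lower() in EDGE_GATEWAYS:
            tls = TLS_RE.search(m.group("middle"))
            return {"peer": m.group("rdns").lower(), "ip": m.group("ip"),
                    "cipher": tls.group("cipher") if tls else None}
    return None

def inbound_tls_ok(raw_message, sender_domain):
    """True only if the edge hop used TLS and its peer host is in sender_domain."""
    hop = edge_hop(raw_message)
    if hop is None:
        return False
    # Assumption: the peer name recorded by the gateway identifies the sender's domain.
    in_domain = hop["peer"] == sender_domain or hop["peer"].endswith("." + sender_domain)
    return in_domain and hop["cipher"] is not None
```

A message whose edge hop lacks the TLS clause fails the check even when an earlier hop inside the sender's network used TLS.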