There is no way to exclude an external domain from a malware policy. You would simply disable the encrypted attachment policy in the policy group that the recipient is a member of.
You need to reevaluate the spam release settings. When released, messages need to go directly to the mail server rather than being sent back to the product and rescanned. This setting is found under Administration -> Control Center, on the SMTP tab. You should set it to your mail server's IP address or hostname.