1) Writing a policy on a particular domain should not be a hard task.
You should create a policy that blocks all emails, with an IDM exception for the allowed domain name(s). The domain name is better written in the @example.com format.
2) As for OWA, here yang_zhang is probably right: OWA is not supported, as far as I know.
What you can do is test the rule with parameters similar to the "Webmail" policy.
I will try to repro the scenario and will let you know.
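The "block everything except the allowed domain(s)" approach from the reply above, shown as a small matcher so the value of the `@example.com` form is visible. This is an added illustration, not code from the product or from the poster; the allow-list entries, the `evaluate_message` / `is_allowed` helpers and the sample addresses are all constructed for the example. The point it demonstrates: an entry anchored with `@` and compared against the whole domain rejects `user@notexample.com` and `user@example.com.attacker.net`, whereas a bare substring match on `example.com` accepts the first one.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed allow-list, written in the "@example.com" form recommended above.
ALLOWED_DOMAINS: Set[str] = {"@example.com", "@partner.example"}

# One address: local part, a single "@", then the domain (no whitespace anywhere).
_ADDR_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def normalize_entry(entry: str) -> str:
    """Accept 'example.com' or '@example.com' and return lowercase '@example.com'."""
    entry = entry.strip().lower()
    return entry if entry.startswith("@") else "@" + entry


def recipient_domain(address: str) -> Optional[str]:
    """Return '@<domain>' for a syntactically plausible address, else None."""
    m = _ADDR_RE.match(address.strip().lower())
    return "@" + m.group(1) if m else None


def is_allowed(address: str, allowed: Set[str] = ALLOWED_DOMAINS) -> bool:
    """Exact, case-insensitive match of the whole domain against the allow-list."""
    domain = recipient_domain(address)
    if domain is None:
        return False  # malformed address: fail closed
    return domain in {normalize_entry(a) for a in allowed}


def naive_contains_match(address: str, entry: str) -> bool:
    """The weaker check to avoid: substring match without the '@' anchor."""
    return entry.lower() in address.lower()


def evaluate_message(recipients: List[str],
                     allowed: Set[str] = ALLOWED_DOMAINS) -> Tuple[str, List[str]]:
    """Block-all-with-exception: pass only if every recipient is on an allowed domain.

    Returns ("allow", []) or ("block", [offending recipients]).
    """
    blocked = [r for r in recipients if not is_allowed(r, allowed)]
    return ("block", blocked) if blocked else ("allow", [])


if __name__ == "__main__":
    # Constructed sample recipients, including two look-alike domains.
    for addr in ["Alice@Example.COM", "bob@notexample.com",
                 "carol@example.com.attacker.net", "not-an-address"]:
        print(f"{addr:35} anchored={is_allowed(addr)!s:5} "
              f"substring={naive_contains_match(addr, 'example.com')}")
    print(evaluate_message(["a@example.com", "c@evil.net"]))
```

The anchored check is what an `@example.com` entry buys you: the comparison is against the full domain, so look-alike and suffix-appended domains are blocked, and a malformed address is treated as not allowed rather than silently passing.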