DJacobs,
Unfortunately you will not be able to do this in a single policy. Even if yiou have 2 rules in the same policy, (1 looking for gosecure, and the other not). The violation will take the higher severity setting in a rule matching.
I do this all of the time when it comes to encryption emails etc.
The only way to do this is to have 2 different Policies.
1. The first will have the regular severity match counting settings as you currently have ---Though you will have an exception for the work 'gosecure' in the header or other sections. So this policy will NOT cpatrue anything that has the encryption header.
2. The 2nd policy will then have a detection rule to look for the 'gosecure' and match the data but ONLY have a low Severity setting. This will ONLY capture data if it was sent for encryption.
You can also make #2 a catch all for all encryption by having this policy look for the keyword 'gosecure' to see what people are sending through.
This way you will still capture the data as an event but have the right severity. You can then also have different response rules for these events.
I think this is a better approach for you get better reporting analytics to see if people are using encryption.
Good Luck
Ronak
PLEASE MARKED SOLVED WHEN POSSIBLE