We have a content filtering policy set up as per the screenshot below. It checks on outbound emails whether the domain of a recipient in the recipient field of a message matches an entry in a managed dictionary or matches some specific "wildcard" type domains. If one of the conditions is met, it will force the email to go via TLS. The domains specified in the dictionary and the conditions are known to advertise TLS on their SMTP servers.
The issue occurring is that if ONE of the recipients matches the conditions, then the email is forced via TLS to ALL of the recipients of the email, even if they do NOT all match the conditions. This is causing problems, as group emails being sent out to many recipients cause the sender to receive the delivery delay message "STARTTLS required but not advertised" for each recipient whose mail server does not advertise TLS as a feature.
My idea would be to only force TLS for those recipients who match the conditions, and not to force TLS for recipients who do not match the conditions.