OWA Protect - Do Not Forward details

Depends on the type of recipient and the "flavor" of DNF you currently have setup. The way RMS works, the client (Outlook) needs to contact the server (Azure RMS) to obtain a "license" which is used to decrypt the message. In order to do so, the client will pass along the user credentials, and obviously the user needs to be able to authenticate against Office 365. This is not possible for a @gmail.com account for example, for such scenarios you can use the new "O365 message encryption" feature, which works seamlessly for external recipients as well by using a "proxy" portal. Read more about it here: https://support.office.com/en-us/article/set-up-new-office-365-message-encryption-capabilities-built-on-top-of-azure-information-protection-7ff0c040-b25c-4378-9904-b1b50210d00e