That makes a lot more sense now.
It seems that since this falls into the DLP category, the vendor could probably use the reinjection technique. At least that's what Postini used to call it (when there was Postini). Another more modern example would be the signature manager Exclaimer that can work in a server-side fashion modifying all outbound emails. They have a wizard that configured the appropriate connectors, so the centralized mailflow doc (below) has more relevant screenshots. The normal outbound default send connector in EXO routes mail to the DLP/signature vendor which then sends the mail back to EXO after it is transformed/approved. And because this is on the default send connector, this
https://support.exclaimer.com/hc/en-gb/articles/360028963991-How-to-setup-an-Office-365-subscription-to-use-server-side-signatures-
https://support.exclaimer.com/hc/en-gb/articles/360028964351-How-to-set-up-Exclaimer-Cloud-in-a-hybrid-environment-using-centralized-mail-flow
And here's another example I just found that might also be FAR MORE useful to you depending on how MailApprove works. This vendor suggests creating a rule to determine if the recipient is outside of the organization. I included a screenshot below for a test connector.
https://www.codetwo.com/userguide/email-signatures-for-office-365/connectors-configuration.htm