I have been working on a PoC to prevent people outside the org from viewing content with a specific label and was wondering what the best way to do so would be. I have tried 2 approaches:


a) Using Sensitive label: I'm able to achieve the objective by enabling encryption and setting it up so that only people inside the org would be able to decrypt the content.


b) Using retention label with DLP: I have tried to set it up, but the DLP policy does not seem to always trigger. I tag a doc with a confidential retention label which is also configured in the DLP, and I'm able to share the file with externals even though my DLP policy says not to allow it. I had labelled 5 files with this and shared them with my own external ID. Strangely, when I log in with my external account I can see 3 files but not 2. Not sure why this is the case.


Would be great if someone can throw some light on this DLP behaviour and also best practices on the same.

