By default, the Security Gateway check all recipients of an email passing through it, and verifies if all of them are configured for inspection. If the recipient list includes at least one user that isn't configured for Threat Extraction, it will not be done for any recipients of the email.