When you say user's webmail I'm assuming you're referring to something like Hotmail, Gmail, etc.
Ideally, the company's DLP policy should block any confidential email from being saved onto non-company mail servers in the first place. If the company's mail server is being used, this can be monitored and blocked using a Network Prevent Mail server.
If, for some reason, the company allows confidential data to be stored on Hotmail when the user is on site, blocking off-site will be close to impossible. Using the Endpoint Agent, you may be able to get some degree of protection by saying that you can't use HTTP POST with any webpage that matches the policy, but if, for example, the user is on the mail homepage and hits "forward", the HTTP POST message won't have confidential data in it and the mail will be sent. (It will work for constructing an email from scratch.)
So in summary, the policy should only allow confidential data to be submitted via HTTP POST on websites that match your company's address (mail.yourcompanyname for example) and block every other web page.
Hope that helps a bit! Any other questions, feel free to post =)
Regards,
~Xavier
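The allow-list-plus-content-match rule from the answer above, and the "forward" gap it points out, as an added example that is not part of the original post and not the DLP product's own policy engine. It assumes a hypothetical allow-listed host `mail.yourcompanyname.example`, constructed "confidential" patterns, and four constructed HTTP requests; the point it shows is that a forward action whose POST body carries only a message id passes the content check even though the message that gets sent is confidential.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts where confidential data may be POSTed. Assumed stand-in for the
# company's own webmail address; everything else is treated as external.
ALLOWED_HOSTS = {"mail.yourcompanyname.example"}

# Content markers the policy treats as confidential. Constructed for this
# example; a real policy would use the product's own detection rules.
CONFIDENTIAL_PATTERNS = [
    re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # SSN-shaped digit group
]


@dataclass
class HttpRequest:
    """One captured request as an endpoint agent would see it."""
    method: str
    url: str
    body: str


def host_allowed(url: str) -> bool:
    """True if the request host is the allow-listed host or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def body_is_confidential(body: str) -> bool:
    """True if any confidential marker appears in the POST body itself."""
    return any(p.search(body) for p in CONFIDENTIAL_PATTERNS)


def evaluate(req: HttpRequest) -> tuple[str, str]:
    """Apply the policy: confidential content may only be POSTed to allowed hosts.

    Returns ("allow" | "block", reason). Note the order of checks: the content
    test runs on the request body, so a request that references a stored
    message rather than carrying its text is never blocked.
    """
    if req.method.upper() != "POST":
        return ("allow", "not a POST")
    if not body_is_confidential(req.body):
        return ("allow", "no confidential content in body")
    if host_allowed(req.url):
        return ("allow", "confidential content, but host is allow-listed")
    return ("block", "confidential content posted to a non-company host")


# Constructed sample traffic: a compose on external webmail, a forward on the
# same external webmail (body holds only an id), a compose on company webmail,
# and a plain page load.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "https://webmail.example/compose",
                "to=x@example&subject=Q3&body=CONFIDENTIAL forecast attached"),
    HttpRequest("POST", "https://webmail.example/action",
                "op=forward&msgid=20240117-00042&to=x@example"),
    HttpRequest("POST", "https://mail.yourcompanyname.example/compose",
                "to=y@example&body=CONFIDENTIAL board minutes"),
    HttpRequest("GET", "https://webmail.example/inbox", ""),
]


def run_samples() -> list[str]:
    """Evaluate every sample and return the decisions in order."""
    return [evaluate(r)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, (decision, reason) in zip(SAMPLE_REQUESTS, map(evaluate, SAMPLE_REQUESTS)):
        print(f"{decision:5s} {req.method:4s} {req.url}  ({reason})")
```

The second sample is the case the answer warns about: the decision is "allow" because the forward request contains nothing the content rules match, which is why blocking by content alone cannot cover mail that already sits on the external server, and why the answer recommends blocking every POST to non-company hosts outright rather than relying on content detection for them.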