In this scenario, you find multiple incidents for a single email message ID in a load-balanced environment:
Possible use case: I sent an email to my @gmail.com, @hotmail.com and @uoit.net addresses. This email triggered only one policy, but 3 incidents were generated in the console, and as the sender I then received 3 email block notifications. It seems like the number of incidents depends on the number of different recipient domains.
Release : 15.8
Component : Email Prevent
After investigating the incident, you will likely see that the incidents were reported by 3 different detection servers. DLP has an ignore rule on each detection server that applies when the same message ID comes in multiple times within a timeframe. However, if copies of the email pass through multiple servers, those servers are not in communication with each other, so none of them knows that another server has already processed the same message ID.
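A simplified model of the behaviour described above, as an added example that is not Symantec DLP code: each detection server keeps its own message-ID cache, so the ignore rule only works when every copy reaches the same server. The 300-second window, the round-robin routing, the one-copy-per-recipient-domain split and all names are assumptions made for illustration.

```python
# Simplified model (added example, not Symantec DLP code): each detection
# server keeps its own Message-ID cache and ignores repeats inside a window.
from dataclasses import dataclass, field

DEDUP_WINDOW_S = 300  # assumed value; the page only says "within a timeframe"


@dataclass
class DetectionServer:
    name: str
    seen: dict = field(default_factory=dict)  # Message-ID -> last seen time

    def inspect(self, message_id: str, now: float) -> bool:
        """Return True if this copy raises an incident, False if ignored."""
        last = self.seen.get(message_id)
        self.seen[message_id] = now
        return last is None or now - last > DEDUP_WINDOW_S


def split_by_domain(recipients):
    """Assumption: the upstream MTA hands over one copy per recipient domain."""
    return sorted({r.rsplit("@", 1)[1].lower() for r in recipients})


def count_incidents(message_id, recipients, servers):
    """Route each copy round-robin across servers; list the incidents raised."""
    incidents = []
    for i, domain in enumerate(split_by_domain(recipients)):
        server = servers[i % len(servers)]  # assumed load-balancer policy
        if server.inspect(message_id, now=float(i)):  # copies arrive 1 s apart
            incidents.append((server.name, domain))
    return incidents


# Constructed sample input matching the use case on the page.
MSG_ID = "<constructed-0001@example.invalid>"
RCPTS = ["a@gmail.com", "b@hotmail.com", "c@uoit.net"]


def demo():
    pool = [DetectionServer(f"ds{n}") for n in (1, 2, 3)]
    balanced = count_incidents(MSG_ID, RCPTS, pool)
    single = count_incidents(MSG_ID, RCPTS, [DetectionServer("ds1")])
    return len(balanced), len(single)


if __name__ == "__main__":
    print(demo())
```

With three servers each copy lands on a cache that has never seen the message ID, so three incidents are raised; with one server the second and third copies are ignored.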