if the requirement is just email, seems like it would be quite feasible to set something up so that the MTA on the administrative system tunnels the email to the MTA of something network-connected in a non-tcp/ip kind of way (PTP microwave/laser link, printer-carrier pigeon-scanner combo, ...) that just passes the message over while remaining air-gapped
Oh neat... so i just have to own the system by sending a bad attachment (containing the malware), and having exfiltration happen via mail attachments. Got it.
I've seen actual near-airgapped systems that communicate by fax as risk reduction. Email-to-fax gateways rendered attachments and such in the DMZ, then dialed into the secure side, the theory being that owning a T1 fax card over the PSTN is much harder than sending a malicious email.
