By default, UTL_SMTP is granted to public, but it certainly does not have to be. Hence you could easily revoke that privilege and put a wrapper procedure around it to lock down certain elements, e.g.:
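    procedure mail_wrapper(p_recipient varchar2, p_content varchar2, ... ) is
    begin
      -- Allow abc.com and its subdomains only. A single pattern '%@%abc.com'
      -- would also accept look-alike domains such as user@xyzabc.com.
      -- A NULL recipient is rejected explicitly, because LIKE on NULL is not true.
      if p_recipient is null
         or (lower(p_recipient) not like '%@abc.com'
             and lower(p_recipient) not like '%@%.abc.com') then
        raise_application_error(-20000,'You can only email domain abc.com');
      end if;
      ...
      ... rest of normal calls to utl_smtp
      ...
    end;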
and then you grant execute on mail_wrapper to the people that need it.
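
The whole sequence described above (revoke, wrapper, grant), written out as an added example that is not part of the original answer. The schema `mail_owner`, the grantee `app_user`, the relay `mailhost.example.com`, the sender `noreply@abc.com` and the `p_subject` parameter are assumptions; the recipient check is stricter than the LIKE test and also rejects line breaks in header values.

```sql
-- Added example. mail_owner, app_user, mailhost.example.com and noreply@abc.com are assumed names.
-- As a DBA: drop the default grant and give UTL_SMTP to the wrapper's owner only.
-- (From 11g on, mail_owner also needs a network ACL for the mail host.)
revoke execute on sys.utl_smtp from public;
grant execute on sys.utl_smtp to mail_owner;

create or replace procedure mail_owner.mail_wrapper(
  p_recipient varchar2,
  p_subject   varchar2,
  p_content   varchar2
) authid definer is
  c_host   constant varchar2(64) := 'mailhost.example.com';  -- assumed relay
  c_sender constant varchar2(64) := 'noreply@abc.com';       -- assumed sender
  crlf     constant varchar2(2)  := chr(13) || chr(10);
  l_conn   utl_smtp.connection;
begin
  -- One address only, in abc.com or a subdomain; NULL is tested explicitly
  if p_recipient is null
     or not regexp_like(p_recipient, '^[a-z0-9._%+-]+@([a-z0-9-]+\.)*abc\.com$', 'i')
  then
    raise_application_error(-20000, 'You can only email domain abc.com');
  end if;
  -- Line breaks in header values would let a caller add headers or recipients
  if instr(p_recipient || p_subject, chr(10)) > 0
     or instr(p_recipient || p_subject, chr(13)) > 0 then
    raise_application_error(-20001, 'Line breaks are not allowed in recipient or subject');
  end if;

  l_conn := utl_smtp.open_connection(c_host, 25);
  utl_smtp.helo(l_conn, 'abc.com');
  utl_smtp.mail(l_conn, c_sender);        -- sender is fixed, not caller-supplied
  utl_smtp.rcpt(l_conn, p_recipient);
  utl_smtp.open_data(l_conn);
  utl_smtp.write_data(l_conn, 'From: ' || c_sender || crlf);
  utl_smtp.write_data(l_conn, 'To: ' || p_recipient || crlf);
  utl_smtp.write_data(l_conn, 'Subject: ' || p_subject || crlf || crlf);
  utl_smtp.write_data(l_conn, p_content);
  utl_smtp.close_data(l_conn);
  utl_smtp.quit(l_conn);
exception
  when utl_smtp.transient_error or utl_smtp.permanent_error then
    -- Close the session if it is still open, then report the SMTP error
    begin utl_smtp.quit(l_conn); exception when others then null; end;
    raise;
end mail_wrapper;
/

grant execute on mail_owner.mail_wrapper to app_user;
```

Because the procedure runs with definer rights, `app_user` can send mail through it without holding any privilege on UTL_SMTP itself.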