I can’t think of a way for you to do this unless you run your own bespoke mail server and can create a Duo API or SDK integration in it to always require Duo auth before opening a message.
What is available from Duo is protection for commercial email services, like Gmail, Office 365, Exchange, etc., where users complete 2FA before accessing their mailbox (not on opening a specific message).