Email is dying, and for a good reason: SMTP is kept insecure all around the world.
As of 2021, the large majority of SMTP servers are still not enforcing STARTTLS against either DANE or valid SSL certificate chains. This is a problem, since email messages are supposedly confidential. Opportunistic STARTTLS is defeated with MITM attacks by simply downgrading to plain-text.
And even those outbound MTAs which do enforce STARTTLS, mostly don’t verify the PKIX certificate on the MX end. This can also be defeated, by simply offering an invalide certificate in the middle.
Let us simply enforce inbound / outbound STARTTLS and MX certificate validation, shall we?
As an email user, you can mention that your email is secured by referring to this page, for example as user@example.net (STARTTLS).
As a postmaster, you can link to this page to make clear to other postmasters they need to enable crypto.
530 5.7.0 Must issue a STARTTLS command first (https://nethence.com/smtp/)
As an MX:
As an outbound MTA:
THE SAD STATE OF SMTP ENCRYPTION https://blog.filippo.io/the-sad-state-of-smtp-encryption/
A system for ensuring & authenticating STARTTLS encryption between mail servers https://github.com/EFForg/starttls-everywhere
POSTFIX AND STARTTLS https://pub.nethence.com/mail/postfix-tls
Let’s tune our cipher suites https://pub.nethence.com/security/ciphers
Strong Ciphers (see Other Software section) https://syslink.pl/cipherlist/
Applied Crypto Hardening https://bettercrypto.org/