We are using the SendGrid API to send sensitive email to an Office365 hosted email address. Both services use opportunistic TLS by default, which would in turn make you believe that the email is always going to be encrypted with TLS.
What I'm trying to establish: is this enough to assure a client that the TLS email encryption is guaranteed, or do we need to set up enforced TLS in SendGrid? (The con of the latter is we then need a mechanism in place to check for emails that have been blocked in the very unlikely event TLS encryption could not be negotiated, which in turn is additional work for us.)
Here is some of the information we have been looking at:
Thanks
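With opportunistic TLS, a hop that falls back to cleartext leaves no bounce, so one way to check what actually happened is to read the `Received` headers of a delivered message. The following is an added example, not part of the original post; the sample message, host names and the helper names `audit_hops` and `cleartext_hops` are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords registered for TLS-protected transfer (RFC 3848, RFC 6531).
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
# Free-form TLS notes some servers add in comments instead of using a keyword.
TLS_NOTE = re.compile(r"version=TLS|using TLS", re.I)
COMMENT = re.compile(r"\([^()]*\)")

# Constructed message (newest hop first): the middle hop fell back to cleartext.
SAMPLE = """\
Received: from mx-in.recipient.example (198.51.100.7) by
 mailbox.recipient.example with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384); Mon, 1 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [192.0.2.10])
 by mx-in.recipient.example with ESMTP id ABC123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from app.sender.example (app.sender.example [192.0.2.5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 by out.sender.example (Postfix) with ESMTPS id XYZ789; Mon, 1 Jan 2024 10:00:01 +0000
Subject: constructed test message

body
"""

def strip_comments(text):
    """Remove (possibly nested) parenthesised comments from a header value."""
    previous = None
    while previous != text:
        previous, text = text, COMMENT.sub(" ", text)
    return text

def audit_hops(raw_message):
    """Return (receiving_host, protocol, tls_seen) per hop, oldest hop first.
    Each Received header is written by the receiving server, so this is
    evidence only as far as those servers are trusted."""
    hops = []
    for value in reversed(message_from_string(raw_message).get_all("Received", [])):
        flat = " ".join(value.split())   # unfold continuation lines
        bare = strip_comments(flat)      # protocol keywords sit outside comments
        by = re.search(r"\bby\s+(\S+)", bare)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", bare, re.I)
        name = proto.group(1).upper() if proto else "?"
        tls = name in TLS_WITH or bool(TLS_NOTE.search(flat))
        hops.append((by.group(1) if by else "?", name, tls))
    return hops

def cleartext_hops(raw_message):
    """Hops showing no sign of TLS: the case opportunistic TLS permits silently."""
    return [hop for hop in audit_hops(raw_message) if not hop[2]]
```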