I have now configured my mail server to provide an MTA-STS policy for inbound message encryption. I already had DANE set up, but some providers only use MTA-STS.
The only real difficulty I encountered was that my SMTP server needed to present the entire certificate chain to mail senders; otherwise, some of them (Google, at least) would fail to verify the certificate.
#SMTP #MailServer