Currently xendmail uses STARTTLS with no fallback.
I should change it to use SMTP with implicit TLS and only use STARTTLS if the former is not available (and maybe warn about this...?).
A downside is that using STARTTLS will be a bit slower, and my DNS records are only set up for STARTTLS, so that should be fixed too.
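As an added illustration of the fallback order described above (example code, not xendmail's own; the port numbers, the connector function names and the logger name are assumptions), this tries implicit TLS first, warns when it has to fall back to STARTTLS, and deliberately refuses to fall back when the failure is a certificate or handshake error rather than an unreachable port, so a verification failure can never be turned into a downgrade:

```python
"""Added example (not xendmail's own code): prefer SMTP over implicit TLS,
fall back to STARTTLS only when the implicit-TLS port is unavailable, and
log a warning when the fallback is taken. Port numbers, connector names and
the logger name are assumptions for illustration."""
import logging
import smtplib
import ssl

log = logging.getLogger("xendmail.transport")  # hypothetical logger name

IMPLICIT_TLS_PORT = 465  # SMTPS: TLS from the first byte (RFC 8314)
STARTTLS_PORT = 587      # submission: plaintext greeting, then STARTTLS


def tls_context() -> ssl.SSLContext:
    # Same verification rules on both paths: CA validation plus hostname check.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_implicit(host: str, ctx: ssl.SSLContext, timeout: float = 10.0):
    # Handshake happens inside the constructor; a bad certificate raises SSLError.
    return smtplib.SMTP_SSL(host, IMPLICIT_TLS_PORT, context=ctx, timeout=timeout)


def connect_starttls(host: str, ctx: ssl.SSLContext, timeout: float = 10.0):
    conn = smtplib.SMTP(host, STARTTLS_PORT, timeout=timeout)
    conn.ehlo()
    if not conn.has_extn("starttls"):
        # Fail closed: never send mail over the plaintext session.
        conn.quit()
        raise smtplib.SMTPNotSupportedError("server does not offer STARTTLS")
    conn.starttls(context=ctx)  # raises on handshake / verification failure
    conn.ehlo()                 # EHLO must be repeated after STARTTLS (RFC 3207)
    return conn


def open_transport(host: str, implicit=connect_implicit, starttls=connect_starttls):
    """Return (connection, mode), where mode is 'implicit-tls' or 'starttls'.

    The fallback is taken only when the implicit-TLS endpoint cannot be
    reached (refused, timed out, DNS failure). A TLS error is re-raised,
    because retrying on another port would silently downgrade verification.
    The connector callables are parameters so the decision logic can be
    exercised without a network."""
    ctx = tls_context()
    try:
        return implicit(host, ctx), "implicit-tls"
    except ssl.SSLError:
        # SSLError is a subclass of OSError, so it must be caught first.
        raise
    except OSError as exc:  # covers socket errors and smtplib.SMTPException
        log.warning(
            "implicit TLS on %s:%d unavailable (%s); falling back to STARTTLS",
            host, IMPLICIT_TLS_PORT, exc,
        )
    return starttls(host, ctx), "starttls"
```

The connectors are injected so the selection policy can be unit-tested with stand-ins; in real use `open_transport("mail.example.net")` uses the two `smtplib` connectors above.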
That aside, the resolution algorithm needs to distinguish between: