STARTTLS is an SMTP command that upgrades a plaintext mail connection to an encrypted TLS one. A receiving mail server advertises STARTTLS in its capabilities; a sending server issues the command and, if it succeeds, the rest of the conversation — including the message — is encrypted.
Opportunistic by default
Classic server-to-server mail on port 25 uses STARTTLS opportunistically: TLS is used if offered, but the sender falls back to plaintext if STARTTLS is missing or the handshake fails. That fallback is silent, which is why a network attacker can strip STARTTLS and downgrade the connection.
Closing the gap
MTA-STS and DANE turn opportunistic TLS into required TLS: they let a domain declare that senders must use STARTTLS with a valid certificate, so a stripped or mismatched connection is refused rather than silently downgraded.
What a healthy mail host looks like
A healthy host offers STARTTLS on every MX host, presents a certificate that is in date, issued by a trusted CA and matching the host name, and negotiates TLS 1.2 or 1.3. This tool checks each of those for you.
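The sender-side behaviour described above (silent opportunistic fallback versus an MTA-STS policy in mode enforce) and the health checks just listed, as an added example that is not the page's or the tool's own code: it runs over constructed EHLO replies and policy text, with the `Probe` record standing in for what a real connection would have observed, and makes no network connection.

```python
from dataclasses import dataclass
@dataclass
class Probe:
    ehlo_response: str   # raw multi-line 250 reply to EHLO
    handshake_ok: bool   # TLS handshake after STARTTLS succeeded
    cert_valid: bool     # in date, trusted CA, name matches the host
    tls_version: str     # e.g. "TLSv1.3"; "" if no TLS was negotiated

def starttls_advertised(ehlo_response: str) -> bool:
    """True if a 250-/250<space> capability line is exactly STARTTLS."""
    return any(l[:3] == "250" and l[4:].strip().upper() == "STARTTLS"
               for l in ehlo_response.splitlines())
def parse_mta_sts_policy(text: str) -> dict:
    """Parse the 'key: value' lines of an MTA-STS policy (RFC 8461 syntax)."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition(":"))
        if sep and key == "mx":
            policy["mx"].append(value.lower())
        elif sep:
            policy[key] = value
    return policy
def mx_allowed(mx_host: str, policy: dict) -> bool:
    """Match the MX name against policy mx entries; '*.' covers one leading label."""
    host = mx_host.lower()
    return any(host == p or (p.startswith("*.") and host.endswith(p[1:])
               and host.count(".") == p.count(".")) for p in policy["mx"])

def opportunistic_outcome(probe: Probe) -> str:
    """Classic port-25 behaviour: TLS if it works, otherwise a silent plaintext fallback."""
    if starttls_advertised(probe.ehlo_response) and probe.handshake_ok:
        return "tls-verified" if probe.cert_valid else "tls-unverified"
    return "plaintext"   # stripped STARTTLS or a failed handshake goes unnoticed
def enforced_outcome(mx_host: str, probe: Probe, policy: dict) -> str:
    """MTA-STS mode enforce: anything short of verified TLS on a listed MX is refused."""
    outcome = opportunistic_outcome(probe)
    if policy.get("mode") != "enforce":
        return outcome   # mode 'testing' or 'none' keeps opportunistic behaviour
    return outcome if outcome == "tls-verified" and mx_allowed(mx_host, policy) else "refuse"

def health_findings(probe: Probe) -> list:
    """The checks the page lists for a healthy host; an empty list means healthy."""
    if not starttls_advertised(probe.ehlo_response):
        return ["STARTTLS not offered"]
    if not probe.handshake_ok:
        return ["TLS handshake failed"]
    findings = [] if probe.cert_valid else ["certificate invalid or name mismatch"]
    if probe.tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"TLS version {probe.tls_version or 'unknown'} below 1.2")
    return findings
```

Feeding the same stripped-STARTTLS probe to `opportunistic_outcome` and to `enforced_outcome` with an enforce-mode policy shows the difference the page describes: "plaintext" in the first case, "refuse" in the second.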