My understanding of Office 365 is that it is opportunistic TLS meaning if the sender and receiver accept TLS messages then the message goes TLS. If either party does not accept TLS then it will fall back to clear text in order to ensure the highest capability with other mail systems.
My question is how do I get an idea of how much of our email is being sent in clear text? I would also like to know what domains we sent to that are not accepting TLS email? Then we can either reach out to them and complain or make a decision to block that domain. I realize I could change my connectors to enforce TLS instead but I believe that will dump to much mail.
My follow up question would be if I have a specific domain that I need to ensure TLS is used, I can create a new connectors for that domain and enforce TLS on that domain specifically. Do we have any kind of alerting or monitoring that can be done on that connection to be notified that something is wrong with the TLS communication? What I don't want is the end-user finding out first that either MSFT or a high value partner is having a mail flow issue before we in IT know.