Understanding how TLS is applied in both directions can help administrators better secure their mail infrastructure and configure SMG accordingly.
Outbound Messages:
These are typically sent from your internal mail servers. If the "Accept TLS encryption" option is enabled for outbound traffic, SMG will advertise STARTTLS during the SMTP session when your internal servers initiate a connection. Whether the message is encrypted depends on your mail server's configuration. SMG cannot enforce TLS for messages coming from local domains.
Inbound Messages:
These originate from external domains on the Internet. If "Accept TLS encryption" is enabled for inbound traffic, SMG will advertise STARTTLS for all inbound SMTP sessions. It is up to the external mail server to decide whether to use encryption. However, for external (non-local) domains, you can enforce TLS by going to Protocols > Domain, adding the external domain, and enabling the option "Reject mail from this domain if not using TLS."
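As an added example (not code from SMG or this article), the following Python probe performs the check an administrator would run to verify the two settings above: it reads the EHLO reply to see whether the gateway advertises STARTTLS, then deliberately sends a cleartext envelope to see whether the gateway still accepts it, which is what "Reject mail from this domain if not using TLS" should prevent for the sender's domain. Hostnames, addresses and the scripted replies are constructed; the 530 reply is the RFC 3207 wording for a server that requires STARTTLS, not a claim about SMG's exact text.

```python
import re

class ScriptedServer:
    """Constructed stand-in for the gateway: answers each command with the next scripted
    reply. A real socket (socket.create_connection) has the same sendall()/recv() interface."""
    def __init__(self, banner, replies):
        self.pending, self.replies = banner, list(replies)
    def sendall(self, data):
        self.pending = self.replies.pop(0) if self.replies else b"221 Bye\r\n"
    def recv(self, size):
        out, self.pending = self.pending, b""
        return out

def read_reply(conn):
    """Read one (possibly multi-line) SMTP reply -> (code, [text of each line])."""
    buf = b""
    while not re.search(rb"(?m)^\d{3}( [^\r\n]*)?\r\n\Z", buf):  # final "NNN text" line
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    lines = buf.decode("ascii", "replace").rstrip("\r\n").split("\r\n")
    return int(lines[-1][:3]), [line[4:] for line in lines]

def probe(conn, helo="probe.example.invalid", sender="a@external.example", rcpt="b@local.example"):
    """Does the gateway advertise STARTTLS, and does it still accept a cleartext
    envelope from `sender`? (Enforcement should turn the second answer into a reject.)"""
    result = {"starttls_advertised": False, "cleartext_accepted": True, "reject_reply": None}
    read_reply(conn)  # consume the 220 banner
    conn.sendall(f"EHLO {helo}\r\n".encode())
    _, lines = read_reply(conn)
    result["starttls_advertised"] = any(ln.upper().split()[:1] == ["STARTTLS"] for ln in lines)
    # Deliberately skip STARTTLS: a gateway enforcing TLS for the sender's domain must refuse.
    for cmd in (f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>"):
        conn.sendall(f"{cmd}\r\n".encode())
        code, lines = read_reply(conn)
        if code // 100 != 2:
            result["cleartext_accepted"] = False
            result["reject_reply"] = f"{code} {lines[-1]}"
            break
    conn.sendall(b"QUIT\r\n")
    read_reply(conn)
    return result

if __name__ == "__main__":
    # Constructed session: STARTTLS advertised and TLS enforced for the sender's domain.
    enforcing = ScriptedServer(b"220 smg.example ESMTP\r\n", [
        b"250-smg.example\r\n250-STARTTLS\r\n250 SIZE 10485760\r\n",
        b"530 5.7.0 Must issue a STARTTLS command first\r\n"])
    print(probe(enforcing))
```

Run against a real gateway by replacing the scripted object with `socket.create_connection((host, 25))`; a result of `starttls_advertised: True, cleartext_accepted: True` for an external sender means TLS is offered but not enforced for that domain.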
For more details on how to enforce TLS encryption, refer to the following article:
How to enforce TLS inbound from and outbound to a specific external domain