Encryption involves prorotol (TLS version), initial key exchange method, cipher suite for use after key exchange, and MAC algorithm to verify packet integrity.  Outbound, SM also requires a verifiable certificate.  So the problem can be a mismatch on those other options.  Sorry, but for inbound traffic, I am at a loss how to detect what setting created the problem.

We still receive TLS 1 traffic from important sources, so we allow weak TLS inbound, and we have not locked down those other settings aggressively.  Admittedly, that leaves all senders more vulnerable to a man in the middle attack., but what else to do?   In theory, a sender could detect and correct for encryption setup failures by switching to plaintext, but I have no confidence that senders will do so. More likely, they will just keep trying and repeating the failure. Hence, I take what they offer.

Outbound, we use a gateway that enforces TLS and valid certificates, but can redirect to secure web relay for destinations that do not meet our requirements.