Encryption involves protocol (TLS version), initial key exchange method, cipher suite for use after key exchange, and MAC algorithm to verify packet integrity. Outbound, SM also requires a verifiable certificate. So the problem can be a mismatch on those other options. Sorry, but for inbound traffic, I am at a loss how to detect what setting created the problem.
We still receive TLS 1 traffic from important sources, so we allow weak TLS inbound, and we have not locked down those other settings aggressively. Admittedly, that leaves all senders more vulnerable to a man-in-the-middle attack, but what else to do? In theory, a sender could detect and correct for encryption setup failures by switching to plaintext, but I have no confidence that senders will do so. More likely, they will just keep trying and repeating the failure. Hence, I take what they offer.
Outbound, we use a gateway that enforces TLS and valid certificates, but can redirect to a secure web relay for destinations that do not meet our requirements.
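The post lists the four things a STARTTLS session has to agree on (protocol version, key exchange, cipher suite, MAC) plus certificate verification, and says there is no easy way to tell which one is the mismatch. The script below is an added example, not the poster's code and not part of any mail product; it relaxes one setting at a time, strictest first, and reports the first policy under which the peer completes the handshake, so the step name tells you what the peer cannot meet. It is written as a client, so it diagnoses an outbound failure against the remote MX directly; for an inbound failure, the sending side would run it against your MX to learn which of your inbound settings their software cannot satisfy. The host `mx.example.invalid` is a placeholder, and `probe` is injectable so the ladder can be exercised without a network.

```python
import smtplib
import ssl
from typing import Callable, Dict, List, Tuple

# Client-side policies, strictest first. Each step relaxes exactly one of the
# settings the post lists (certificate check, protocol floor, cipher list), so
# the first step that completes a handshake names the setting the peer cannot meet.

def strict_context() -> ssl.SSLContext:
    # Verified certificate and hostname, TLS 1.2 or newer: the post's outbound policy.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def unverified_cert_context() -> ssl.SSLContext:
    # Same protocol floor, but the peer's certificate is no longer checked.
    ctx = strict_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def legacy_version_context() -> ssl.SSLContext:
    # Additionally accept TLS 1.0/1.1, as the post's inbound policy does.
    ctx = unverified_cert_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx

def legacy_cipher_context() -> ssl.SSLContext:
    # Additionally offer cipher suites that OpenSSL's default security level refuses.
    ctx = legacy_version_context()
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL cipher-string syntax
    except ssl.SSLError:
        pass  # backend without security levels: keep its default list
    return ctx

LADDER: List[Tuple[str, Callable[[], ssl.SSLContext]]] = [
    ("none: strict policy handshakes", strict_context),
    ("certificate cannot be verified", unverified_cert_context),
    ("peer only speaks TLS 1.0/1.1", legacy_version_context),
    ("peer only offers legacy cipher suites", legacy_cipher_context),
]

def starttls_probe(host: str, port: int = 25, timeout: float = 10.0) -> Callable[[ssl.SSLContext], Dict[str, str]]:
    """Build a probe that opens an SMTP session to host:port, runs STARTTLS with the
    given context and reports what was negotiated. Handshake failures raise OSError
    (ssl.SSLError is a subclass); a server without STARTTLS raises SMTPNotSupportedError."""
    def probe(ctx: ssl.SSLContext) -> Dict[str, str]:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            cipher_name, _proto, _bits = smtp.sock.cipher()
            return {"version": smtp.sock.version(), "cipher": cipher_name}
    return probe

def diagnose(probe: Callable[[ssl.SSLContext], Dict[str, str]]) -> Dict[str, object]:
    """Walk the ladder top-down; report the first policy under which the peer handshakes,
    together with the error text of every stricter step that failed."""
    tried: List[Tuple[str, str]] = []
    for mismatch, make_ctx in LADDER:
        try:
            negotiated = probe(make_ctx())
        except smtplib.SMTPNotSupportedError:
            return {"mismatch": "STARTTLS not offered", "negotiated": None, "tried": tried}
        except OSError as exc:  # handshake failure, reset, timeout
            tried.append((mismatch, str(exc)))
            continue
        return {"mismatch": mismatch, "negotiated": negotiated, "tried": tried}
    return {"mismatch": "no step handshakes", "negotiated": None, "tried": tried}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mx.example.invalid"  # placeholder host
    print(diagnose(starttls_probe(host)))
```

Run it as `python probe.py mx.partner.example` from a host that can reach port 25; the `tried` list keeps each failed step's OpenSSL error text, which is usually enough to distinguish a version alert from a cipher alert. The ladder never tries the "switch to plaintext" fallback the post mentions; it only reports, so nothing is sent over a downgraded session.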