From what I can gather, SPF and DKIM are in the mail headers. What is an easy way to check that TLS is working correctly?
There should be TLS mentioned in the headers too. In the Received line.Looking into the header of your mail shows TLSv1.2 was used to connect to mx-in.poolp.org. But not between the systems coming before that.
You can also look into the mail.log and see lines like tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
