
STARTTLS considered harmful

Posted Aug 25, 2021 14:33 UTC (Wed) by MarcB (subscriber, #101804)
In reply to: STARTTLS considered harmful by gnoutchd
Parent article: STARTTLS considered harmful

STARTTLS was initially much easier to implement. No change to any infrastructure, just additional functionality on the application level in the form of a backward-compatible protocol extension. Very elegant - until you face the details and pitfalls.

Also, keep in mind that TLS for SMTP is inherently weaker than TLS for HTTP due to the MX indirection: Unless the MX record is protected via DNSSEC, a man-in-the-middle attacker can bypass even implicit TLS by manipulating the MX query result. This is why "opportunistic encryption" was a thing in the first place and encryption without certificate verification still is a thing in the SMTP world.

This has led to constructs like MTA-STS or DANE where either the stronger guarantees of HTTPS are used or DNSSEC is required.




Copyright © 2026, Eklektix, Inc.