A customer tries to determine the security around using AEM (Forms) with e-mail via Office 365 SMTP server.
One question remained open:
AEM Forms uses Day CQ Mail Service which utilizes JavaMail API to handle sending emails. JavaMail provides two options for using STARTTLS: mail.smtp.starttls.enable and mail.smtp.starttls.required . In case if only first option is enabled, documentation informs that the connection continues without use of TLS, which may mean it can be not secure enough for the customers standards.
STARTTLS.ENABLED is available via AEM configuration, .REQUIRED is not.