When you set your MTA-STS policy mode to 'enforce' and your MX doesn't present a valid certificate for its domain, email delivery will be halted. This is the intended behavior of MTA-STS. However, if the issues with your MX are temporary, the sending MTA will attempt delivery again later, which typically prevents any major disruption.

Delivery can be halted in this way if you migrate from one email hosting provider to another and forget to update your MTA-STS policy before the migration.
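A pre-migration check for the scenario above, as an added example that is not part of the original page: it parses a policy body in the RFC 8461 key/value format and reports which of the new provider's MX hosts no `mx` pattern covers. The policy text, host names and function names are constructed for illustration, and the check covers MX name matching only, not certificate validation.

```python
# Added example: pre-migration check of MX hosts against an MTA-STS policy.
# The policy text and host names below are constructed sample data.

def parse_policy(text):
    """Parse an RFC 8461 policy body into its keys plus a list of mx patterns."""
    policy = {"mx": []}
    for line in text.splitlines():          # handles both LF and CRLF
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    return policy


def mx_matches(host, pattern):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, parent = host.partition(".")
        return parent == pattern[2:]
    return host == pattern


def unlisted_mx(policy, mx_hosts):
    """Return the MX hosts that no 'mx' pattern in the policy covers."""
    return [h for h in mx_hosts
            if not any(mx_matches(h, p) for p in policy["mx"])]


def migration_report(policy_text, new_mx_hosts):
    """Flag a migration as blocking when mode is enforce and hosts are unlisted."""
    policy = parse_policy(policy_text)
    missing = unlisted_mx(policy, new_mx_hosts)
    blocking = policy.get("mode") == "enforce" and bool(missing)
    return {"mode": policy.get("mode"), "missing": missing, "blocking": blocking}


SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.old-provider.example
mx: *.old-provider.example
max_age: 604800
"""
NEW_MX = ["mx1.new-provider.example.", "mx2.new-provider.example."]

if __name__ == "__main__":
    print(migration_report(SAMPLE_POLICY, NEW_MX))
```

A `blocking` result means the policy needs the new hosts added before the MX records are switched.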