mailcow / mailcow-dockerized-docs

mailcow: dockerized - documentation 📰

Home Page:https://docs.mailcow.email


Encourage TLS over STARTTLS

hoxia opened this issue · comments

commented

In the documentation for mail client configuration, STARTTLS and TLS configurations are shown, with STARTTLS listed first. While no explicit recommendation is made, the placement slightly implies preference. In any case, I suggest adding a mention that STARTTLS should not be used if TLS is known to be available.

STARTTLS is just an opportunistic encryption mechanism which tests at the initiation of each connection whether TLS is available. If this fails for any reason, it will by design downgrade to an unencrypted connection.

https://mailcow.github.io/mailcow-dockerized-docs/client/client-manual/
https://github.com/mailcow/mailcow-dockerized-docs/blob/master/docs/client/client-manual.md

This recommendation is currently made by, for example, Riseup: https://riseup.net/en/email/clients

On port 587, Mailcow enforces STARTTLS. If the client doesn't use it, Mailcow will refuse to let the client authenticate.
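As an added example (not code from mailcow or from this documentation project), the following Python simulates the exchange both comments describe: a submission-port server that, like the port 587 behaviour stated above, refuses AUTH until STARTTLS has completed, and a client that either treats STARTTLS as mandatory (fails closed) or behaves opportunistically, as the opening comment warns. The hostnames, credentials and the "STARTTLS not offered" case are constructed; the TLS handshake is a flag rather than real cryptography, and the transport is an in-process call instead of a socket.

```python
import base64
from dataclasses import dataclass, field


@dataclass
class SubmissionServer:
    """Constructed stand-in for a submission-port (587) SMTP server that,
    as described in the thread, refuses AUTH until STARTTLS has completed."""
    advertise_starttls: bool = True   # False models the STARTTLS offer not reaching the client
    tls_active: bool = False          # handshake is simulated, no real crypto
    log: list = field(default_factory=list)

    def handle(self, line: str) -> str:
        self.log.append(("C", line))
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            lines = ["250-mail.example.test"]  # constructed hostname
            if self.advertise_starttls and not self.tls_active:
                lines.append("250-STARTTLS")
            # AUTH is only advertised once the session is encrypted
            lines.append("250 AUTH PLAIN" if self.tls_active else "250 8BITMIME")
            reply = "\r\n".join(lines)
        elif verb == "STARTTLS":
            self.tls_active = True
            reply = "220 2.0.0 Ready to start TLS"
        elif verb == "AUTH":
            reply = ("235 2.7.0 Authentication successful" if self.tls_active
                     else "530 5.7.0 Must issue a STARTTLS command first")
        else:
            reply = "500 5.5.1 Command unrecognized"
        self.log.append(("S", reply))
        return reply


def submit(server: SubmissionServer, require_tls: bool, user: str, password: str) -> dict:
    """Client side. require_tls=True treats STARTTLS as mandatory and aborts
    if it is not offered; False is the opportunistic behaviour that continues
    in plaintext when the STARTTLS offer is missing."""
    ehlo = server.handle("EHLO client.example.test")  # constructed hostname
    if "STARTTLS" in ehlo:
        server.handle("STARTTLS")
        server.handle("EHLO client.example.test")  # re-EHLO after the handshake
    elif require_tls:
        # Fail closed: no credentials leave the client without encryption.
        return {"outcome": "aborted: STARTTLS not offered", "plaintext_credentials": False}
    # AUTH PLAIN payload is base64("\0user\0password"); if TLS is not active
    # at this point the credentials are sent in the clear.
    token = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    plaintext_credentials = not server.tls_active
    reply = server.handle(f"AUTH PLAIN {token}")
    outcome = "authenticated over TLS" if reply.startswith("235") else "rejected: " + reply
    return {"outcome": outcome, "plaintext_credentials": plaintext_credentials}


def run_scenario(advertise_starttls: bool, require_tls: bool) -> dict:
    """Run one client/server combination and return the result plus transcript."""
    server = SubmissionServer(advertise_starttls=advertise_starttls)
    result = submit(server, require_tls, "alice@example.test", "hunter2")  # constructed credentials
    result["transcript"] = server.log
    return result


if __name__ == "__main__":
    for offered in (True, False):
        for strict in (True, False):
            r = run_scenario(offered, strict)
            print(f"STARTTLS offered={offered!s:5} client requires TLS={strict!s:5} -> "
                  f"{r['outcome']} (credentials in plaintext: {r['plaintext_credentials']})")
```

The run over all four combinations shows the point of the thread: the server-side STARTTLS requirement on port 587 stops a plaintext login from succeeding, but only a client that requires STARTTLS (or uses implicit TLS on port 465) avoids sending the credentials in the clear in the first place when the offer is absent.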