Protect email with a secure protocol

If you use cloud services like Microsoft O365 or Google G-Suite, TLS is already set up.

If you manage your servers yourself, you must configure TLS on all of them.
You need to pay attention to your encryption certificate and configure your servers to use TLS 1.3 when available, and to fall back on less secure protocols when it is not (forcing servers).
When two mail servers communicate, they use SMTP. The mail servers are called MTAs (Mail Transfer Agents), and they issue a 'STARTTLS' command when initiating a secure SMTP communication.
STARTTLS may be subject to man-in-the-middle attacks, so it is worth making sure that the organizations you communicate with most also have TLS 1.3 implemented.
You must configure your servers so that they prefer TLS 1.3 but can still communicate using less secure protocols such as TLS 1.2 or SSL.
Because TLS needs a valid X.509v3 certificate to establish a connection, your certificate must be signed by a trusted authority.
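
The checks described above, as an added example that is not part of the original page: a Python script using the standard-library `smtplib` and `ssl` modules to test whether an MTA advertises STARTTLS, which TLS version it negotiates, and whether its certificate validates against trusted authorities. The function names, the TLS 1.2 floor and the sample EHLO replies are assumptions of this example.

```python
import smtplib
import ssl

# Constructed EHLO replies for illustration (not captured from a real server).
SAMPLE_OK = "250-mx.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
SAMPLE_STRIPPED = "250-mx.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME"

def client_context(floor=ssl.TLSVersion.TLSv1_2):
    """TLS context that negotiates TLS 1.3 when offered and goes no lower than `floor`."""
    ctx = ssl.create_default_context()  # verifies the chain against trusted CAs and the hostname
    ctx.minimum_version = floor         # assumption of this example: TLS 1.2 is the floor
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx

def offers_starttls(ehlo_reply):
    """True if an EHLO reply (bytes or str) lists the STARTTLS extension."""
    if isinstance(ehlo_reply, bytes):
        ehlo_reply = ehlo_reply.decode("ascii", "replace")
    for line in ehlo_reply.splitlines():
        keyword = line.strip()
        if keyword[:3].isdigit():       # raw wire form: "250-STARTTLS" or "250 STARTTLS"
            keyword = keyword[4:]
        if keyword.split(" ")[0].upper() == "STARTTLS":
            return True
    return False

def probe(host, port=25, timeout=10):
    """Connect to an MTA you administer and report what it negotiates."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, reply = smtp.ehlo()
        if not offers_starttls(reply):
            # Either the server has no TLS configured or the extension was removed in transit.
            return {"starttls": False, "tls": None}
        # Raises ssl.SSLCertVerificationError if the certificate is not trusted or does not match.
        smtp.starttls(context=client_context())
        smtp.ehlo()                     # extensions must be re-read after the TLS handshake
        return {"starttls": True, "tls": smtp.sock.version()}

if __name__ == "__main__":
    print("sample with STARTTLS:", offers_starttls(SAMPLE_OK))
    print("sample without STARTTLS:", offers_starttls(SAMPLE_STRIPPED))
```

Calling `probe("mail.example.test")` against your own server returns the negotiated version string, such as `TLSv1.3`, which you can compare against the preference you configured.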
You may also use the S/MIME standard for email encryption.