E-mails sent over the Internet use the SMTP protocol for the most part. SMTP is older than HTTP, and like HTTP it was not designed with encryption or data privacy in mind. As the online environment changed and called for more secure e-mail transit, STARTTLS was developed to add a layer of security to the protocol.
STARTTLS provides hop-to-hop encryption, meaning the connection between one mail server and the next is encrypted, so e-mails are not sent in plaintext while in transit. It should be noted that STARTTLS only protects the e-mail while it is moving between servers; it does not encrypt the e-mail once it is stored on a server.
While STARTTLS is deployed on most mail servers these days, it is unfortunately not always configured properly and has some problems. The EFF notes that most mail servers do not validate certificates. Just as in HTTPS, certificates are what a server uses to prove it really is who it says it is. Without certificate validation, an active attacker on the network can get between two servers and impersonate one or both, allowing that attacker to read and even modify e-mails sent through your supposedly "secure" connection.
There is also a problem called the "downgrade attack", in which the sending server's request to switch to a secure channel, or the receiving server's advertisement that it supports STARTTLS, is simply filtered out by an attacker sitting between the two. Because STARTTLS is opportunistic, both servers then assume the other doesn't support it and fall back to sending the e-mail in plaintext.
STARTTLS Everywhere attempts to address all of these issues. It is software that a sysadmin can run on an e-mail server to automatically obtain a valid certificate from Let's Encrypt. The software can also configure the mail server software so that it uses STARTTLS and presents the valid certificate to other e-mail servers.
Additionally, STARTTLS Everywhere includes a "preload list" of e-mail servers that have committed to supporting STARTTLS. A sending server that consults the list knows a listed host should always offer STARTTLS, so a connection on which the option is missing can be treated as a downgrade attack rather than as a server that simply lacks support.
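To make the two problems above concrete, here is a small Python model of the sending side of an SMTP session: it parses the receiving server's EHLO reply, shows what an attacker stripping the STARTTLS advertisement does to it, and compares the usual opportunistic policy with one that consults a preload list. It also builds the TLS context a sender would use after STARTTLS is accepted, both with certificate validation and with the weak "accept anything" setting. This is an added example written for this article; it is not code from the EFF's STARTTLS Everywhere project. The EHLO reply, the host name mx.example.net and the preload list are constructed for illustration.

```python
"""Model of the SMTP STARTTLS negotiation and of two ways it fails.

Added example, not part of the article or of the EFF's STARTTLS
Everywhere code. The EHLO reply and the preload list below are
constructed for illustration; the host name is hypothetical.
"""
from __future__ import annotations

import ssl

# Constructed: what a receiving server that supports STARTTLS answers to EHLO.
EHLO_WITH_STARTTLS = (
    "250-mx.example.net Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed preload list: hosts that have committed to offering STARTTLS
# with a valid certificate (a hypothetical stand-in for the EFF's list).
PRELOAD_LIST = {"mx.example.net"}


def parse_ehlo(response: str) -> set[str]:
    """Return the capability keywords advertised in a 250 EHLO reply."""
    caps = set()
    lines = [line for line in response.split("\r\n") if line]
    for line in lines[1:]:  # the first line is the greeting, not a capability
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        caps.add(rest.split(" ", 1)[0].upper())
    return caps


def strip_starttls(response: str) -> str:
    """What an active attacker on the path does: drop the STARTTLS line.

    The reply stays syntactically valid, so the sender has no way to tell
    a tampered reply from a server that genuinely lacks STARTTLS.
    """
    lines = [line for line in response.split("\r\n") if line]
    kept = [l for l in lines if l[4:].upper().split(" ", 1)[0] != "STARTTLS"]
    # The last line of an EHLO reply uses a space, not a hyphen, after 250.
    kept[-1] = kept[-1][:3] + " " + kept[-1][4:]
    return "\r\n".join(kept) + "\r\n"


def choose_transport(host: str, ehlo_response: str, preload: set[str]) -> str:
    """Sending-side policy after reading the EHLO reply.

    Opportunistic STARTTLS (the common default) uses TLS when it is offered
    and falls back to plaintext otherwise, which is exactly what the
    downgrade attack relies on. With a preload list, a host known to support
    STARTTLS that does not offer it is treated as an attack and the message
    is deferred instead of sent in the clear.
    """
    caps = parse_ehlo(ehlo_response)
    if "STARTTLS" in caps:
        return "tls"
    if host in preload:
        return "defer"      # likely downgrade: do not fall back to plaintext
    return "plaintext"      # opportunistic fallback


def tls_context(verify_certificate: bool = True) -> ssl.SSLContext:
    """Client TLS context used once the STARTTLS command is accepted.

    verify_certificate=True: the peer must present a certificate that chains
    to a trusted CA and matches the host name, as HTTPS clients require.
    verify_certificate=False: the weak setting the EFF describes as common
    among mail servers; any certificate, including an attacker's, is accepted.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if not verify_certificate:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    host = "mx.example.net"
    downgraded = strip_starttls(EHLO_WITH_STARTTLS)
    print("honest reply, any policy:  ", choose_transport(host, EHLO_WITH_STARTTLS, set()))
    print("stripped, opportunistic:   ", choose_transport(host, downgraded, set()))
    print("stripped, preload enforced:", choose_transport(host, downgraded, PRELOAD_LIST))
    print("verified context checks hostname:", tls_context().check_hostname)
```

The point of the model is the middle branch of `choose_transport`: nothing in the stripped reply tells the sender it has been tampered with, so only prior knowledge that the host should offer STARTTLS (the preload list) lets it refuse the plaintext fallback. Real senders that do use TLS should also keep the verifying context; the unverified one encrypts the hop but lets anyone in the path terminate it.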
If you want to read more about STARTTLS Everywhere, you can do so here.
Written by: James Delahunty @ 27 Jun 2018 7:27