diff --git a/mtastsdb/db.go b/mtastsdb/db.go
index d649b607ba..efd9835b77 100644
--- a/mtastsdb/db.go
+++ b/mtastsdb/db.go
@@ -233,6 +233,7 @@ func Get(ctx context.Context, resolver dns.Resolver, domain dns.Domain) (policy
 			switch {
 			case errors.Is(err, mtasts.ErrNoRecord) || errors.Is(err, mtasts.ErrMultipleRecords) || errors.Is(err, mtasts.ErrRecordSyntax) || errors.Is(err, mtasts.ErrNoPolicy) || errors.Is(err, mtasts.ErrPolicyFetch) || errors.Is(err, mtasts.ErrPolicySyntax):
 				// Remote is not doing MTA-STS, continue below. ../rfc/8461:333 ../rfc/8461:574
+				log.Debugx("interpreting mtasts error to mean remote is not doing mta-sts", err)
 			default:
 				// Interpret as temporary error, e.g. mtasts.ErrDNS, try again later.
 				return nil, false, fmt.Errorf("lookup up mta-sts policy: %w", err)
diff --git a/smtpclient/client.go b/smtpclient/client.go
index 271c7137bb..acbab04d16 100644
--- a/smtpclient/client.go
+++ b/smtpclient/client.go
@@ -509,7 +509,7 @@ func (c *Client) hello(ctx context.Context, tlsMode TLSMode, remoteHostname, aut
 
 	// Attempt TLS if remote understands STARTTLS or if caller requires it.
 	if c.extStartTLS && tlsMode != TLSSkip || tlsMode == TLSStrict {
-		c.log.Debug("starting tls client")
+		c.log.Debug("starting tls client", mlog.Field("tlsmode", tlsMode), mlog.Field("servername", remoteHostname))
 		c.cmds[0] = "starttls"
 		c.cmdStart = time.Now()
 		c.xwritelinef("STARTTLS")
@@ -556,7 +556,7 @@ func (c *Client) hello(ctx context.Context, tlsMode TLSMode, remoteHostname, aut
 		c.w = bufio.NewWriter(c.tw)
 
 		tlsversion, ciphersuite := mox.TLSInfo(nconn)
-		c.log.Debug("tls client handshake done", mlog.Field("tls", tlsversion), mlog.Field("ciphersuite", ciphersuite))
+		c.log.Debug("tls client handshake done", mlog.Field("tls", tlsversion), mlog.Field("ciphersuite", ciphersuite), mlog.Field("servername", remoteHostname), mlog.Field("insecureskipverify", tlsConfig.InsecureSkipVerify))
 
 		hello(false)
 	}