If the server claims to understand TLS (ehlo answer contains TLSSTART) but defers an mail sent by TLS with 400 SMTP error, the Continuity Service must fail.
Reason: on a defer or timeout of the target server the mails are immediately redirected to the Continuity Service account. From there, if the re-delivery with TLS fails again with a 400 SMTP error or timeout the mail stays in the Continuity Service account because it is assumed that the server still does not work.
As the 4xx errors are not identical with every mail system it is impossible to differentiate between TLS delivery timeout, no resources, mailbox full and so on. So if a 4xx error is answered during sending the mail the Continuity Service does its job by storing the mail in its accounts.
Every other situation (e.g. only SMTP instead of TLS is possible, TLS will work correctly after a while) will result in delivering the mails to the target server.