Top contenders:
Mailfence - Belgian, €3.50/mo
Mailbox.org - German, €3/mo; €1/mo plan only allows custom domain for "team accounts" (more than one account? does the first one have to do the €3 plan?)
Posteo - German, no personal domains
Runbox - Norwegian, inexpensive
Soverin: Dutch, € 3.25/mo
Protonmail or Kolab - Swiss, a bit steep; Protonmail €4.00/mo paid annually
Infomaniak: €1.50/mo (..?)
Pobox: US-based, seems like only the expensive account is for custom domains
Msgsafe.io: defunct
Countermail: Swedish, ~$4/mo
Disroot: Dutch, free but requires donation to use custom domain
Spaceship may not be super-private, but it's economical and US-based
Porkbun: Oregon, $24/year but only 20 max addresses
MTA-STS (full name SMTP Mail Transfer Agent Strict Transport Security) is a new standard that aims to improve the security of SMTP by enabling domain names to opt into strict transport layer security mode that requires authentication (valid public certificates) and encryption (TLS). In this blog post we discuss why MTA-STS exists and how it's used, as well as announce full support for its most recent draft in Hardenize.
Looks like the secret sauce is DANE, a.k.a. opportunistic TLS.
In 2022, enabling it seems to help with getting filtered as spam by Google servers.
I just put addresses in the file specified by check_recipient_access with REJECT
getting mail lists and DKIM to play together
Gotta have transit encryption, at least, where supported.