SpamHero uses a multi-domain/wildcard SAN certificate which supports strict TLS certificate matching.
SpamHero provides opportunistic TLS encryption so that email communications between mail servers will be encrypted where possible. That means that when a sender uses TLS encryption to send email to a domain that is using SpamHero filtering, we will also attempt to use TLS encryption to deliver filtered mail to the final destination server.
You can setup a policy that instructs senders to only deliver mail to your domain over a TLS connection. However, the policy is only enforced by senders that support MTA-STS. For more details, see: Advanced Email Security with MTA-STS