In multiple MX situations or if you're not sure if your DNS is working yet, it is hard to test if a specific server has its TLS done correctly. It would be helpful to separate the hostname used in --verify-tls from the hostname given by -s so that a specific server can be targetted with -s.

openssl lets you do this, but it's arcane:

echo QUIT | timeout 30 openssl s_client -quiet -no_ign_eof -connect "$ip":25 -starttls smtp -verify_hostname "$mx" -verify_return_error 2>/dev/null

swaks has timeouts built in and consistent I/O choices, but the closest I can get to this specific command, unless I've misread something, is

swaks -s "$mx" -tls --tls-verify -quit "HELO"

Being able to do something like

swaks -s "$ip" -tls --tls-verify --tls-verify-hostname "$mx" -quit "HELO"

would make pinpointing deployment issues easier.

This is a very niche issue, and I wouldn't be surprised if you think it's out of scope for swaks! It's already been very helpful in its current form.