S2S uses TLS or not


Even after changing from a self signed to a third party signed (StartSSL) certificate my S2S connections dont seem to be encrypted.

Depending on the remote domain in the Admi gui I see that some remote domains dont show a lock for neither incoming nor outgoing (gmail.com for example ) but some do show at least in one direction a lock. (gmx.com for example)

The xmpp domain is the same as the hostname of the server like aa.bbb.com

Do I really have to put some SRV records into DNS to get it working?