Is it possible to determine whether an email I received was sent over TLS?

Question

I am reviewing the settings for the mail sending service an application I'm working on uses (the service is a mailchimp acquisition called Mandrill).

I want to ascertain, when I send a test email to myself (at gmail.com) from this service, whether the traffic between mail servers uses TLS. I have access to the email that was sent to me (I have included headers below).

I plan to ask the vendor whether they support this feature, but I also wish to find out if I can verify what they tell me personally.

Delivered-To: recipient-local@gmail.com
Received: by 10.79.123.142 with SMTP id k136xxxxxxxxxxxx;
        Tue, 5 Jul 2016 07:29:11 -0700 (PDT)
X-Received: by 10.37.97.11 with SMTP id v11mxxxxxxxxxxxx.36.14nnnnnnnnnnn;
        Tue, 05 Jul 2016 07:29:11 -0700 (PDT)
Return-Path: <bounce-xxxxxxx@mandrillapp.com>
Received: from mail180-123.mandrillapp.com (mail180-123.mandrillapp.com. [a.b.c.d])
        by mx.google.com with ESMTPS id mmmmmmmmmmm.nnn.2016.07.05.07.29.11
        for <recipient-local@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 05 Jul 2016 07:29:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce-xxxxxxx@mandrillapp.com designates a.b.c.d as permitted sender) client-ip=a.b.c.d;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail180-123.mandrillapp.com;
       dkim=pass header.i=@mandrillapp.com;
       spf=pass (google.com: domain of bounce-xxxxxxx@mandrillapp.com designates a.b.c.d as permitted sender) smtp.mailfrom=bounce-xxxxxxx@mandrillapp.com;
       dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=mail180-123.mandrillapp.com;
 h=From:Sender:Subject:Reply-To:To:Message-Id:Date:MIME-Version:Content-Type; i=sender@mail180-123.mandrillapp.com;
 bh=xxxxxxxxxxxxxxxxxxxxxxx+8fQ=;
 b=n+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxx+Z+tSJV/zEtr
   xxxxxxxxx+xxxxxx+xxxxxxxxxxxxxxxxxxxxxx/xxx/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxx
   xxxxxxxxxxxxxxxxxxx=
Received: from pmta03.mandrill.prod.suw01.rsglab.com (127.0.0.1) by mail180-123.mandrillapp.com id xxxxxxxxxxxx for <recipient-local@gmail.com>; Tue, 5 Jul 2016 14:29:11 +0000 (envelope-from <bounce-xxxxxxx@mandrillapp.com>)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com; 
 i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1467728951; h=From : 
 Sender : Subject : Reply-To : To : Message-Id : Date : MIME-Version : 
 Content-Type : From : Subject : Date : X-Mandrill-User : 
 List-Unsubscribe; bh=xxxxxxxxxxxxxxxxxxxxxxxx+xxxxxxxxxxxxxxxxxx=; 
 b=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
From: recipient <recipient@gmail.com>
Sender: recipient <sender@mail180-123.mandrillapp.com>
Subject: =?utf-8?Q?Subject
Return-Path: <bounce-xxxxxxx@mandrillapp.com>
Received: from [208.nnn.nnn.nnn] by mandrillapp.com id xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; Tue, 05 Jul 2016 14:29:11 +0000
Reply-To: <recipient@gmail.com>
To: ClientSeq ClientMcD <recipient-local@gmail.com>
Message-Id: <nnnnnnnn.nnnnnnnn142911.nnnnnnnn1aadf2.nnnnnnnn@mail180-123.mandrillapp.com>
Date: Tue, 05 Jul 2016 14:29:11 +0000
MIME-Version: 1.0

Answer 1

The mention of TLS in the line

Received: from [...] (mail180-123.mandrillapp.com. [...])
          by mx.google.com with ESMTPS [...]
          (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);

makes it very clear that the connection from Mandrill to GMail was indeed TLS-protected.

The same is true for the very fact that ESMTPS (secure ESMTP) was listed as transport, see RFC 3848.