Skiff Mail (Email Provider)

I’m not sure why that site is replying with those results. If you look at hardenize.com, you can see it is a clean report.

I also reran the test on internet.nl, and it shows the correct results when I ran it. I’m unsure why, when you ran it, it didn’t show a lot of those protocols showing up.

The GitHub issue mentioned that it was acceptable to have SES as long as there is a plan to deprecate it, and this is also reflected in the listing criteria.

However, I personally believe this is minimal risk, as our servers with TLS 1.2 and ciphersuites are prioritized over SES. The SES server should only be used if our primary server is down, as mentioned in the comment. This is also mitigated by the fact that email clients (sending servers in this case) will negotiate the highest possible TLS version and cipher available to both it and the server (Skiff’s mail server in this case).

I believe that this poses a minimal risk to users but acknowledge that downgrade attacks can happen. For this reason, we have a plan over the next 3-6 months to deprecate SES as a backup solution.

I agree on the ciphersuite ordering issue and security.txt. I’ll get the security.txt in this week, hopefully sometime tomorrow, along with the ciphersuite changes. Appreciate the help here!

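As an added illustration (not part of the post above, and not Skiff's code) of the fallback and negotiation behaviour the post relies on: a sending MTA tries MX hosts in priority order and picks the highest TLS version both sides share, so a lower-priority backup that still accepts older protocol versions only comes into play when the primary is unavailable, which is exactly the downgrade exposure acknowledged. All hostnames, priorities and capability sets are constructed.

```python
from dataclasses import dataclass

# Protocol versions ranked from weakest to strongest.
TLS_RANK = {"TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

@dataclass(frozen=True)
class MxHost:
    priority: int            # lower number = tried first by the sending MTA
    name: str
    tls_versions: frozenset  # versions the receiving MTA accepts (assumed, constructed)
    reachable: bool = True

def negotiate(sender_versions, receiver_versions):
    """Return the highest protocol version both sides support, or None if there is none."""
    common = set(sender_versions) & set(receiver_versions)
    return max(common, key=TLS_RANK.__getitem__) if common else None

def deliver(mx_records, sender_versions):
    """Walk MX hosts in priority order like an SMTP client and return
    (host, negotiated version) for the first reachable host, or None if all are down.
    A None version means the handshake with that host would fail."""
    for host in sorted(mx_records, key=lambda h: h.priority):
        if host.reachable:
            return host.name, negotiate(sender_versions, host.tls_versions)
    return None

def mark_down(mx_records, name):
    """Copy of the MX list with one host unreachable (models an outage or a blocked primary)."""
    return [MxHost(h.priority, h.name, h.tls_versions, h.reachable and h.name != name)
            for h in mx_records]

def fallback_floor(mx_records, sender_versions):
    """Weakest version a sender could be pushed to across all reachable hosts, i.e. the
    outcome if every stronger host were unavailable. Compare with deliver() to see the gap."""
    results = [negotiate(sender_versions, h.tls_versions) for h in mx_records if h.reachable]
    results = [r for r in results if r is not None]
    return min(results, key=TLS_RANK.__getitem__) if results else None

# Constructed sample: a primary that only accepts modern TLS and a backup relay
# (the SES-style host discussed in the post) that still accepts legacy versions.
SAMPLE_MX = [
    MxHost(10, "mx-primary.example.test", frozenset({"TLSv1.2", "TLSv1.3"})),
    MxHost(20, "mx-backup.example.test", frozenset({"TLSv1.0", "TLSv1.1", "TLSv1.2"})),
]
MODERN_SENDER = frozenset({"TLSv1.2", "TLSv1.3"})
LEGACY_SENDER = frozenset({"TLSv1.0", "TLSv1.1"})
```

With the primary up, a modern sender lands on TLSv1.3; with the primary down it falls to the backup at TLSv1.2, and a legacy-only sender that the primary would refuse is accepted by the backup at TLSv1.1.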