Hello! It seems it would be better if Runbox implemented the following tips:
- Enable support for TLS 1.3 on both the mail servers and the web servers. This protocol is already supported in GnuTLS and OpenSSL. The protocol could reduce the performance impact of traffic encryption on servers. OCSP stapling could also improve performance.
- Runbox has already implemented an HSTS policy, but it can be improved by turning it on for all the subdomains of Runbox (includeSubDomains). Due to that, Runbox’s website currently can’t be submitted to be preloaded in strict HTTPS in all major web browsers. Turning on the includeSubDomains policy would make it eligible to be preloaded in all web browsers. See this