diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac9ea75b..df9c6987 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,14 +8,14 @@ All notable changes to this project will be documented in this file. The format
 
 ### Features
 
-  - **Authentication with OIDC / OAuth 2.0** 🎉
-    - DMS now supports authentication via OAuth2 (_via `XOAUTH2` or `OAUTHBEARER` SASL mechanisms_) from capable services (_like Roundcube_).
+- **Authentication with OIDC / OAuth 2.0** 🎉
+  - DMS now supports authentication via OAuth2 (_via `XOAUTH2` or `OAUTHBEARER` SASL mechanisms_) from capable services (_like Roundcube_).
     - This does not replace the need for an `ACCOUNT_PROVISIONER` (`FILE` / `LDAP`), which is required for an account to receive or send mail.
     - Successful authentication (_via Dovecot PassDB_) still requires an existing account (_lookup via Dovecot UserDB_).
-  - Optional support for mandatory outgoing TLS encryption with MTA-STS
-    - ENV `ENABLE_MTA_STS`
-    - If enabled and the recipient has a MTA-STS policy set, TLS is mandatory for that recipient.
-    - Supported by major email hosters like Gmail, Yahoo and Outlook.
+- **MTA-STS** (_Optional support for mandatory outgoing TLS encryption_)
+  - If enabled and the outbound recipient has an MTA-STS policy set, TLS is mandatory for delivering to that recipient.
+    - Enable via the ENV `ENABLE_MTA_STS=1`
+    - Supported by major email service providers like Gmail, Yahoo and Outlook.
 
 ### Updates