It seems to me that Oauth weakens security. You allow some other system into your system.
Are you running your own email server? I see you are using Gmail for the listserv.
If you run your own server there are other steps I would take first other than MFA, though MFA would be the best. Geofencing alone reduces the attack pathways.
My server is set up so only 25 sees the entire internet. All other email ports are behind a geofence and a rather large blocking list I have built up over the years of VPS, hosting companies, etc. I'm using 587.
I see very little attempts to hack my email server. If I wanted to go the next level up I would use fail2ban. But that would be to cut down chatter in the log file. No bot or person is going to crack my password. It is high entropy. Server passwords are not in clear text.
With the world of ransomware as it is today (aka attacks seem more vicious and commonplace), anything I expose to WAN must have additional protection. I've seen a few posts to this list on it. The only thing that helped was that Dovecot supports OAuth. Through OAuth I figure I could implement MFA. However, I'd have to host my own identity server. From there, Thunderbird supports OAuth so that should work.
Since this is getting increasingly complicated, I wanted to ask before going further. What do you all do? Any recommendations?