1- you can set the encryption to AES- <bitlength> and while both are secure, the AES is a newer algo and supercedes DES, and longer bit length makes it take longer to brute force decrypt. Think billion years instead of million years. there is a little more overhead, but with just one site to site, it shouldn't load the router much.
2- you can do syslog on this device and send the messages to a syslog server. or if you are using google for your mail, they have an unencrypted smtp portal, instructions here...
If your device or application does not support SSL - connect to aspmx.l.google.com on port 25.
You must configure an SPF record for your domain with the IP address of the device or application to ensure that recipients do not reject mail sent from it. You must also add this IP address to the Email Whitelist box in your Google Admin console. For example, if your sending device sends from 18.104.22.168, add that address to your SPF record without removing the Google Apps mail servers from the record: v=spf1 ip4:22.214.171.124 include:_spf.google.com ~all
3- PFS is perfect forward secrecy, and allows the handshake to be slightly more secure (needs to be enabled on both sides), and prevents reuse of encryption keys. http://en.wikipedia.org/wiki/Forward_secrecy