Some mail servers (MX hosts) have associated TLSA records with certificate usage 2 (DANE-TA) that match the just retired Let's Encrypt issuer CA ("X3"). All Let's Encrypt users publishing DANE-TA(2) TLSA records need to update their TLSA records to publish records that match the current intermediate issuer CAs.

In more detail, there are multiple Let's Encrypt issuer certificates that may be used in automated certificate renewals: two primary certificates ("R3" and "E1") and their emergency backups ("R4" and "E2"). Thus, SMTP server operators using DANE-TA(2) with Let's Encrypt certificates must publish the following list of TLSA records (possibly in addition to "3 1 1" records matching the server public key) for each of their MX hosts in order to prevent delivery failures:

CA tag  Recommended TLSA records to match Let's Encrypt issuer CAs
X3      _25._tcp.each.mx.host. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
E1      _25._tcp.each.mx.host. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
E2      _25._tcp.each.mx.host. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
R3      _25._tcp.each.mx.host. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
R4      _25._tcp.each.mx.host. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03

The "X3" hash is no longer needed: all certificates issued via "X3" have now expired, and all replacements are using "R3" or "E1".

MX hosts whose TLSA records include only the "X3" digest will shortly be unable to receive email from sending systems that perform DANE validation.

Please avoid issuer TLSA records with selector Cert(0), i.e. "2 0 1" and "2 0 2". These are much more fragile, and worse, "R3" and "R4" are cross-signed by two different issuers, so there are two different full certificate hashes for each of R3 and R4, but just one underlying public key and one corresponding "2 1 1" hash.
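The following audit sketch is an added example, not part of the original notice: it parses TLSA records in single-line zone-file form and flags, per MX host, the conditions described above (only the retired "X3" digest, missing current issuer digests, and "2 0 x" full-certificate issuer records). The function names, finding labels, `example.com` host names and the all-zero digest are assumptions made for illustration; the "2 1 1" digests are the ones listed on this page.

```python
import re
from collections import defaultdict

# "2 1 1" (DANE-TA, SPKI, SHA2-256) digests copied from the table on this page.
X3 = "60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18"  # retired
CURRENT = {
    "E1": "276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10",
    "E2": "bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270",
    "R3": "8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d",
    "R4": "e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03",
}
TLSA_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TLSA\s+(\d)\s+(\d)\s+(\d)\s+([0-9a-f\s]+)$", re.I)

def parse_tlsa(zone_text):
    """Parse 'owner [ttl] [IN] TLSA u s m hex' lines into {owner: {(u, s, m, hex)}}."""
    rrsets = defaultdict(set)
    for line in zone_text.splitlines():
        m = TLSA_RE.match(line.split(";", 1)[0].strip())  # drop ';' comments
        if m:
            owner, u, s, t, data = m.groups()
            rrsets[owner.lower()].add((int(u), int(s), int(t), "".join(data.split()).lower()))
    return rrsets

def audit(rrset):
    """Return findings for one MX host's TLSA RRset, following the advice on this page."""
    findings = []
    ta_spki = {d for (u, s, t, d) in rrset if (u, s, t) == (2, 1, 1)}
    if rrset == {(2, 1, 1, X3)}:
        findings.append("X3-ONLY")    # no current chain matches: DANE senders will fail
    elif X3 in ta_spki:
        findings.append("STALE-X3")   # no longer needed, can be dropped
    if ta_spki & ({X3} | set(CURRENT.values())):  # host pins Let's Encrypt issuer keys
        missing = sorted(tag for tag, d in CURRENT.items() if d not in ta_spki)
        findings += ["MISSING:" + ",".join(missing)] if missing else []
    if any(u == 2 and s == 0 for (u, s, t, d) in rrset):
        findings.append("FRAGILE-FULL-CERT")  # "2 0 1" / "2 0 2" issuer records
    return findings

# Constructed sample zone data; host names and the all-zero digest are placeholders.
SAMPLE = "\n".join([
    f"_25._tcp.mx1.example.com. IN TLSA 2 1 1 {X3}",
    f"_25._tcp.mx2.example.com. 3600 IN TLSA 2 1 1 {X3} ; left over",
    f"_25._tcp.mx2.example.com. 3600 IN TLSA 2 1 1 {CURRENT['R3']}",
    *[f"_25._tcp.mx3.example.com. IN TLSA 2 1 1 {d}" for d in CURRENT.values()],
    f"_25._tcp.mx4.example.com. IN TLSA 2 0 1 {'00' * 32}",
])

def audit_zone(zone_text):
    return {owner: audit(rrs) for owner, rrs in sorted(parse_tlsa(zone_text).items())}

if __name__ == "__main__": print(audit_zone(SAMPLE))
```

An empty finding list means the host publishes all four current issuer digests and nothing the page advises against; additional "3 1 1" records do not change the findings except that a host with them is no longer "X3-ONLY".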


The MX host table below is sorted to list hosts that serve the most domains at the top.
