DANE-TA(2) TLSA records for Let's Encrypt CAs

Some mail servers (MX hosts) have associated TLSA records with certificate usage 2 (DANE-TA) that match one of the retired Let's Encrypt issuer CAs. The retired CAs include:

All certificates issued to DANE MX hosts by the "X1", "X2", "X3" and "X4" intermediate issuing CAs have long ago expired. As of 2024-09-03, so have those issued by the "R3", "R4", "E1" and "E2" issuing CAs. Finally, as of 2025-11-18, so have those issued by "R10", "R11", "E5" and "E6".

See below for the list of associated "2 1 1" records to avoid.

Please note that additional changes are planned at Let's Encrypt, with new root and intermediate CAs to be phased in by June 2026. See the announced plans and new issuer details. You should monitor your systems carefully, keep informed of changes at Let's Encrypt, and be sure to publish updated TLSA records prior to deployment of certificates from the new CAs.

When you do publish TLSA records matching a Let's Encrypt issuing CA, make sure to publish the full set of records for ALL the related CAs:

For the RSA "R12" or "R13" CAs, include both, their backup "R14", and "YR1"–"YR3".
For the ECDSA "E7" or "E8" CAs, include both, their backup "E9", and "YE1"–"YE3"..
For the root "ISRG Root X1" or "ISRG Root X2" trust anchors, include both, plus the upcoming "ISRG Root YR" and "ISRG Root YE". (see additional requirements for TLSA records matching root CAs below).

All Let's Encrypt users publishing DANE-TA(2) TLSA records need to update their TLSA records to publish records that match the intermediate issuer CAs that issued their current certificate and to pre-publish records for upcoming CAs if the current issuer is no longer active.

If your server's private and public keys are RSA keys, you can publish TLSA records matching just the "R*" CA public keys, and with ECDSA keys, just the "E*" CA public keys. If your server has both RSA and ECDSA keys, you'll need to publish TLSA records matching both the "R*" and "E*" issuer CAs. You can't rely on certificate renewal always using the same intermediate CA as before, or that the backup issuers might not be used instead. Therefore, list all "R*" and/or "E*" records. See the tables below for details.

Thus, SMTP server operators using DANE-TA(2) with Let's Encrypt certificates must publish the applicable groups of TLSA records from the below (possibly in addition to "3 1 1" records matching the server public key) for each of their MX hosts in order to prevent delivery failures.

CA tag	Active RSA issuer CAs
R12	_25._tcp.each.mx.host. IN TLSA 2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
R13	_25._tcp.each.mx.host. IN TLSA 2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
R14	_25._tcp.each.mx.host. IN TLSA 2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
YR1¹	_25._tcp.each.mx.host. IN TLSA 2 1 1 2e8307068b6db620e4a39d068b5dee5d6ef5788cbb2c0b6d23ead84fcc17178c
YR2¹	_25._tcp.each.mx.host. IN TLSA 2 1 1 9d637b3d27a9e570d07607b9ccadb80a70915c7af72afce12841b1b1da825fd1
YR3¹	_25._tcp.each.mx.host. IN TLSA 2 1 1 51aaa87d984b559ac69e929f888a022d832e089ff4dba0a412b5101bca4bc799

¹Slated to replace R12, R13, R14 by June 2026.

CA tag	Active ECDSA issuer CAs
E7	_25._tcp.each.mx.host. IN TLSA 2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
E8	_25._tcp.each.mx.host. IN TLSA 2 1 1 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
E9	_25._tcp.each.mx.host. IN TLSA 2 1 1 f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2
YE1²	_25._tcp.each.mx.host. IN TLSA 2 1 1 6ebcefb4210b088654a38b03fea3d7d1c711b4fb1ddc363a45f9b1a4e53da01e
YE2²	_25._tcp.each.mx.host. IN TLSA 2 1 1 b3fb5d00e994cddf2cc9a4eea9f806bc5727e83cc0e4299bf956f2d524fe5376
YE3²	_25._tcp.each.mx.host. IN TLSA 2 1 1 a698a20824be04e47a1a33c4fa488731be92011f23a31e900e2ca26c9c2acfce

²Slated to replace E7, E8, E9 by June 2026.

Any other "2 1 1" records that were once associated with Let's Encrypt SHOULD NOT be used. They can't possibly match an unexpired certificate, and are just bloat in DNS TLSA lookup results, and an unnecessary security risk (if the obsolete keys are compromised). These include:

CA tag	Retired issuer CAs to avoid
X1/X3	_25._tcp.each.mx.host. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
X2/X4	_25._tcp.each.mx.host. IN TLSA 2 1 1 b111dd8a1c2091a89bd4fd60c57f0716cce50feeff8137cdbee0326e02cf362b
R3	_25._tcp.each.mx.host. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
R4	_25._tcp.each.mx.host. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
R10	_25._tcp.each.mx.host. IN TLSA 2 1 1 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
R11	_25._tcp.each.mx.host. IN TLSA 2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
E1	_25._tcp.each.mx.host. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
E2	_25._tcp.each.mx.host. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
E5	_25._tcp.each.mx.host. IN TLSA 2 1 1 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8
E6	_25._tcp.each.mx.host. IN TLSA 2 1 1 d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7

For the Let's Encrypt CAs, please also avoid all TLSA parameter combinations other than "2 1 1", with an associated SHA2-256 digest of the CA public key (not the full certificate).

MX hosts whose TLSA records include only inactive CA key digests are no longer able to receive email from sending systems that perform DANE validation.

TLSA records for root CAs

With a bit of care, one can instead publish TLSA records matching one of the "ISRG X1" or "ISRG X2" root CAs, but one then has to carefully ensure that the root CA certificates are appended to the server's chain file (not the case with chain files produced by, e.g., certbot), so the ACME chain file may require post-processing before it is configured as the MTA's certificate chain. The root CA public key hashes are:

CA tag	ISRG Root CAs
ISRG X1	_25._tcp.each.mx.host. IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3
ISRG X2	_25._tcp.each.mx.host. IN TLSA 2 1 1 762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332
ISRG YR³	_25._tcp.each.mx.host. IN TLSA 2 1 1 7e4e8838a8add6295de7ae3b047d3aba3488ab95db0a0aa56d897a00d8618bcf
ISRG YE³	_25._tcp.each.mx.host. IN TLSA 2 1 1 b0292ae545978e0fbb98abbd94c861605e5b18bb32ed523f50d5b7b5c71d47bc

³Initially cross-signed by ISRG X1 and ISRG X2, respectively.

Of course even the above root CA TLSA records are not safe to then indefinitely ignore, the roots are also subject to occasional bitrot. Only the "3 1 1" records matching your server's public keys are under your control and change only when *you* decide to switch to new keys.

Hence, my best advice is to not play Let's Encrypt whack-a-mole, and use "3 1 1" records with stable keys (not automatically replaced with every renewal). You should choose when to rekey, and prepublish matching TLSA records before you do so. You may find danebot or similar tools helpful.

Finally, please avoid issuer TLSA records with selector Cert(0), i.e. "2 0 1" and "2 0 2". These are much more fragile, for example, some of the "E*" certificates will be issued by the RSA "X1" root, while others by the newer ECDSA "X2" root.

MX hosts with TLSA records for retired Let's Encrypt CAs

The table below lists MX hosts that are still publishing TLSA records matching the retired "X1", "X2", "X3", "X4", "R3", "R4", "E1" or "E2" CAs as well as the outdated R3 or R4 cross-certificates issued by DST. It is sorted to list hosts that serve the most domains first.

signed domains	host name
18195	mail.lima-city.de
11890	mx1.vevida.com
11887	mx2.vevida.com
11887	mx3.vevida.com
11880	mx4.vevida.com
11875	backup-mx.vevida.com
10584	mx1.simplelogin.co
10580	mx2.simplelogin.co
9701	mail.wido.info
1168	h11.mijn.host
1148	h19.mijn.host
1081	h9.mijn.host
956	h15.mijn.host
931	h18.mijn.host
906	h17.mijn.host
905	h20.mijn.host
905	h14.mijn.host
816	h3-da.mijn.host
764	h16.mijn.host
721	h8.mijn.host
650	h13.mijn.host
644	h10.mijn.host
619	h12.mijn.host
573	mail.srvfarm.net
552	h6-da.mijn.host
464	h7.mijn.host
431	h4-da.mijn.host
219	email-anywhere.nl
167	mx02.kdmails.de
167	mx01.kdmails.de
166	mx03.kdmails.de
106	spm02.cloudvoor.nl
106	s1.webhost.company
105	spm01.cloudvoor.nl
67	s3.webhost.company
66	ecn3.ecn.cz
64	h37.mijn.host
63	h40.mijn.host
62	ecn4.ecn.cz
62	h44.mijn.host
61	h43.mijn.host
54	mx1.amsterdamtech.net
54	mx2.amsterdamtech.net
53	s2.webhost.company
52	mail.netfuture.ch
51	web2.sys.ccs-baumann.de
51	web1.sys.ccs-baumann.de
51	h34.mijn.host
49	mx2.webmeneer.net
48	mx1.webmeneer.net
47	h33.mijn.host
47	mail.ncsc.de
47	h38.mijn.host
47	vps.greenbull.it
46	h39.mijn.host
46	h36.mijn.host
42	luna.soulianis.com
41	h45.mijn.host
40	h27.mijn.host
40	merlin.cutisan.dk
39	h29.mijn.host
39	h35.mijn.host
39	dus.50k30.de
38	frodo.akxnet.de
38	h48.mijn.host
37	s5.webhost.company
36	svr2.it-df.net
36	svr4.it-df.net
36	svr3.it-df.net
36	svr1.it-df.net
35	s4.webhost.company
34	thoth.cutisan.net
32	mx3.vos-systems.net
32	mx4.vos-systems.net
32	h30.mijn.host
32	mx2.vos-systems.net
30	nc.hitco.at
29	h32.mijn.host
29	mx2.ernstberger.cloud
28	mail12.imapserver.dk
28	h50.mijn.host
26	h47.mijn.host
26	h41.mijn.host
25	h52.mijn.host
25	h46.mijn.host
25	smtp3.muehlberger.net
25	h31.mijn.host
24	mailproxy.nynex.de
23	mx1.mxspamfilter.de
22	mail.raksha.ch
22	mx1.vos-systems.net
21	mx2.mchosted.nl
21	mx2.mxspamfilter.de
21	h42.mijn.host
20	in4smtp.std-service.com
20	mx2.ha-vel.cz
19	smtp.std-service.com
18	mail.sysnull.net
18	smtp.astrath.net
18	h51.mijn.host
17	mx-02.beastie.de
17	h21.mijn.host
17	mail.gadecs.com
17	mail.sig-io.nl
17	mx-01.beastie.de
17	s6.webhost.company
17	s7.webhost.company
16	mx1.vereinshosting.ch
16	h49.mijn.host
16	hosting03.spotler.net
15	artemis.strebsjig.net
15	a.mx.mb-net.net
15	d.mx.mb-net.net
15	alt3.mail.leonklingele.de
15	alt4.mail.leonklingele.de
15	b.mx.mb-net.net
15	mx2.vereinshosting.ch
15	mail.laesche.net
15	mail.leonklingele.de
15	alt1.mail.leonklingele.de
15	c.mx.mb-net.net
15	alt2.mail.leonklingele.de
14	bb-8.snakeoil.de
14	h5-da.mijn.host
14	c-3po.snakeoil.de
14	mail.laesche.eu
14	r2-d2.snakeoil.de
13	mx-13.magellanic.eu
13	mail.deady.space
13	mx-5.magellanic.eu
13	mail.ragnatela.com.br
13	mail.sciver.net
12	mx1.helioanodyne.eu
12	autonomy.gwynethllewelyn.net
12	mx.masterdeb.de
12	mail.twe.net
12	mail.raven.express
11	mailv6.davizone.at
11	mx.01x.eu
11	bl.dck.eu
11	by.dck.eu
11	mailv4.davizone.at
11	mail.matthiashille.com
11	mail.davizone.at
11	sl.dck.eu
10	huaxal.midgard-muenchen.de
10	mail.ideas-in-logic.de
10	mx1.serv-cloud.com
10	mx2.serv-cloud.com
10	mail.mydanner.de
10	lotus.huppelrecords.nl
10	norica.jaggi.info
10	mxe2.detack.de
10	mail.herenstraat.nl
10	s10.webhost.company
10	mxe1.detack.de
10	thylacine3.cfaerber.name
10	mx.uppenbrink.net
10	mail.sportvereine.online
10	mail.profidea.cz
10	hg.net2service.com
10	mail.yzal.io
9	mx3.vforge.net
9	mail.argantiu.de
9	ncars.douzer.de
9	server.mal-noh.de
9	conveyor.abstractsupports.au
9	mail.server-schwabe.de
9	lcars.douzer.de
9	transfer.abstractsupports.au
9	mx2.tlshost.net
9	dispatch.abstractsupports.au
9	mx1.vforge.net
9	mx2.vforge.net
9	emilia.zenti.cloud
8	mail.pr0.tech
8	mx2.asda.gr
8	mail.neef-media.com
8	mx1.utiku.io
8	mail.chas.se
8	h53.mijn.host
8	mail.dohd.org
8	amail.ha-vel.cz
8	mx.prozserin.org
8	mail.coldlogic.net
8	any.qu1x.one
8	mail.js86.de
8	c01.escapebox.net
8	mail.saftware.de
8	mx1.mailserver.ovh
8	blackbird.minded.net
8	mail.asda.gr
7	h54.mijn.host
7	mailbackup.d9ping.nl
7	insblauehinein.nl
7	rx-0.ch-dk-2.simpoly.ch
7	rx-0.ch-gva-2.simpoly.ch
7	mail.dadosch.de
7	meow.host.mau.fi
7	mail.vpmsite.net
7	mx2.slxh.eu
7	syndace.email
6	mail.efflam.net
6	smtp.delaat.net
6	mail.datenreisen.ch
6	mx.ojaehrling.de
6	mx2.sys.ccs-baumann.de
6	smtp.koeroo.net
6	mail.4my.page
6	ewr01.mta.mxfabric.net
6	dev.koan19.net
6	mail.blep.cz
6	mail.spookje.org
6	mx2.privatemail.dk
6	mx1.privatemail.dk
6	mail.ffct.eu
6	mx1.nerdpol.org
6	mail.qyouton.com
6	mx01.mindorf-online.de
6	smtp.softeu.cz
6	ibio.nl
6	box2.tolerantnetworks.com
6	mail.itzer.de
6	scanner.alderneyconsoles.co.uk
6	mail.evangineer.net
6	mail.w4w.de
5	mail2.brain-offload.de
5	mta02.kleckerbox.link
5	mail.majah.de
5	mail.kglobal.llc
5	mail.msk.pub
5	berta.postkuh.de
5	mail.newday.host
5	mail.martin.systems
5	mail.jedi-it.de
5	mail2.jedi-it.de
5	smtp.meekorah.net
5	mail.seelentium.de
5	mailfilter.route91.net
5	smtp.maths.network
5	mail.tdlt.ch
5	mail.twwd.de
5	mail.behindthemoon.net
5	mx1.cgnf.net
5	mail.kestrel.institute
5	mx1.darvo.nl
5	mx2.darvo.nl
5	mail.accolon.de
5	mx.hutspot.email
5	pmg.ebbs.nl
5	mailx.bhatia.eu
5	mail.lucalab.eu
5	mail.effectivemomentum.com
5	mail.leemankuiper.nl
5	mx1.urandom.ca
5	mx2.ftcz.net
5	mail.mxgateway.eu
5	mx.coldlogic.io
5	mail0.brain-offload.de
5	mail.tha-srv.eu
5	mailmib.hlrs-lamusse.net
5	postbox.idefix.net
5	mta01.kleckerbox.link
5	mx0.ipmorris.net
5	mx1.ipmorris.net
4	mx01.socotec.de
4	w1.mijn.website
4	mx.alojare.com
4	smtp.s2net.ch
4	turing.lentil.org
4	mail.lecody.com
4	gorki.wkraft.org
4	mx2.urandom.ca
4	chaos.olympe.lurenzu.org
4	mars.kerschersys.de
4	gate02.masgalor.de
4	mail.kehlenbach.net
4	mail.yobagame.com
4	mail.petabits.de
4	mail1.zillner.it
4	mail.efag.com
4	mail.frykholm.com
4	promethee.olympe.lurenzu.org
4	mail.region46.de
4	devold.4f.no
4	ouranos.olympe.lurenzu.org
4	mail.flox.org
4	mail.niclasjonsson.nu
4	gate01.masgalor.de
4	mail.geneberg.net
4	mail.binksma.de
4	ampersand.cgx.me
4	mail.birdee.at
4	mx.boxencrypt.com
4	post.keepiteasy.eu
4	sternschnuppe.bofh-noc.de
4	mail.windgucker.de
4	sw.6t-zq.com
4	mail.continens.cloud
4	mc.ulischaefer.de
4	smtp.hs-bund.de
4	mail.cyberplayer.de
4	mail.records.sh
4	mail.rkfomh.net
4	mx1.riseup.net
4	mail.niklas-abel.de
4	mail.abdene.dk
4	mail.wilzbach.net
4	mail.lampenlurch.de
4	mail.valek.net
3	courriel2.nomagic.fr
3	vmail1.greenie.net
3	border.ab2b.ru
3	carp-20.krvtz.net
3	mail.szolgaltato.ovh
3	mx.squareip.nl
3	mail.factotum.ovh
3	rhuarc.aybara.org
3	mail.inchin.ch
3	mail.ornago.de
3	mail.weiliangchang.com
3	arrakeen.geekwu.org
3	h28.mijn.host
3	post.clemenshermanns.de
3	mail.yellenge.nl
3	mx-01.blueshift.nl
3	mx3.alotof.it
3	mx2.alotof.it
3	mail.cotsworth.com
3	smtp1.scheler.com
3	smtp.lightnet.dev
3	m41l3r.webfoersterei.de
3	promethee.ipv6.olympe.lurenzu.org
3	ouranos.ipv6.olympe.lurenzu.org
3	chaos.ipv6.olympe.lurenzu.org
3	mail.metropolis.nexus
3	mail.teqt.de
3	prod-demo000.zivver.net
3	ionos.wcclan.net
3	useast.colincogle.name
3	eu.colincogle.name
3	estragon.turmann.net
3	tau-ceti-center.theflyingbear.net
3	mail.dermichi.com
3	de1.colincogle.name
3	hyperion.theflyingbear.net
3	mta.wasteland.co
3	mail.holler.contact
3	mail.tassoni.net
3	mail.swiss-link.net
3	mail.liesmeine.email
3	mail.medien-selber-machen.de
3	tim.mdewendt.de
3	martin.mdewendt.de
3	mali.rattenkot.io
3	mx0.d7031.de
3	hermes.clemenshermanns.eu
3	mail.smart-tux.de
3	ben.mdewendt.de
3	eclipse.servonline.de
3	mail.odwulf.net
3	mx.rzrd.de
3	mail.rootonline.de
3	mail.jmedia-services.de
3	mail2.alanwest.com
3	mx1.ext.ernal.net
3	mail.esajokinen.net
3	node2.projektzentrisch.de
3	mail.goik.de
3	node1.projektzentrisch.de
3	mx1.d7031.de
3	mail.fam-schuetzer.de
3	mx2.alojare.com
3	jonaswitmer.ch
3	mx.liguros.net
3	mail-proxyin-1.elfix.sk
3	mail2.sheridanwest.com
3	smtp.bezdeka.de
3	mail.fuenfer.net
3	mail.netfreax.de
3	mail-02.own-mail.eu
3	mail.mirtouf.fr
3	courriel1.nomagic.fr
3	smtp2.scheler.com
2	mx.fibianet.dk
2	mail1.kdv-fh-bayern.de
2	mail2.kdv-fh-bayern.de
2	mail.ednodarvo.io
2	mail.gryffyn.io
2	mail.kump.io
2	mail.mischke.it
2	sif.ruetti13.ch
2	mail.ls-srv.de
2	mail.manima.de
2	berlin.mdewendt.de
2	mail.h2o.moe
2	server.mhnnet.de
2	lima.ahrain.net
2	mail.ahrain.net
2	node1.muam.de
2	almeli01.aneirin.net
2	lb.aneirin.net
2	node2.muam.de
2	venus.br-hq.net
2	node1.mucn.de
2	node2.mucn.de
2	mail.chao5.net
2	mail2.chao5.net
2	carrot.debelio.net
2	mail2.myocastor.de
2	arsenic.violacea.com
2	mail.kaamoscreations.com
2	mx.atmediamail.com
2	mail.nsb-software.de
2	theos.kyriasis.com
2	mail.laponders.com
2	mail.pfoteplus.de
2	mail.plaggemeier.de
2	mail.prauscher.de
2	sheldon.prauscher.de
2	redstonesucht.de
2	mail.reulitz.de
2	charlie.my1p.net
2	smtp.lhsaa.com
2	mail.skriniar.de
2	nro-apps-2.ripe.net
2	mail.rootsland.net
2	oniz.s-up.net
2	mail.sajat.net
2	mail2.sheridanwest.net
2	mail.simtrami.net
2	mail.systemuser.de
2	s8.webhost.company
2	s9.webhost.company
2	mail2.theflyingbear.net
2	mx.techthisout.de
2	mail.vandoormalen.net
2	smtp.virteck.net
2	mail1.balgoo.com
2	mail.tempcup.de
2	mx1.mailboxme.com
2	mx2.mailboxme.com
2	mail.vantriel-networks.de
2	xenon.blue-neutrino.com
2	mail.funk.bz
2	christophfink.com
2	mail.zoopnet.de
2	mx01.millharrow.com
2	failmail.dev
2	mail.firstbyte.dev
2	mail.ptv.cz
2	mx02.millharrow.com
2	mx.lecs.dev
2	schmidl.dev
2	mail.meinefamilie.digital
2	mail.hyperscal.ing
2	mit.visviva.dk
2	mail.z7.dk
2	smtp.digiware.nl
2	enos.riigikogu.ee
2	ns.riigikogu.ee
2	mail.alohastitch.de
2	knight.blue
2	albigro.eu
2	mail.flox.eu
2	mail.giblet.eu
2	mail.jordanmlu.nl
2	mail2.jordanmlu.nl
2	www.bedios.de
2	mxe1.joris2k.nl
2	mail.little-brother.eu
2	mail.dk.tajniak.cloud
2	smtp01.mosdata.nl
2	smtp02.mosdata.nl
2	mail.bgdesign.de
2	smtp.bgdesign.de
2	smtp.boeren.de
2	mail.pleijster.nl
2	mail.bs0x539.de
2	srv1.estroh.com
2	mail.tuxlinux.eu
2	mail1.theyosh.nl
2	mail2.theyosh.nl
2	mx1.u-n.nl
2	mail.cmouse.fi
2	metso.hack.fi
2	100110.fr
2	cedar-gateway.albertlarsan.fr
2	grid.webcon.ca
2	bloodsugar.stoeckl.online
2	smtp.dasuku.de
2	mailman.dataharbour.de
2	mail.xgenie.co
2	mx.42.net.eu.org
2	mail.fessel.org
2	gietl.com
2	pmg.koehlerweb.org
2	mx.glanetec.com
2	mx02.rechtundordnung.org
2	coruna.trasno.org
2	ocean.trasno.org
2	mail.bikerboy.ovh
2	mail.razor.ovh
2	mail.afk.pm
2	mail.marques.pub
2	mail.inty.se
2	mupp.mupps.se
2	mail.fortmail.de
2	sv2.silival.com
2	mail.sovichetra.com
2	mail.genano.de
2	in2smtp.std-service.com
2	mail.grenz-bonn.de
2	smx001.mao.systems
2	smx002.mao.systems
2	duyan.tech
2	mail.hjallr.com
2	mail.tok3n.com
2	mail.itspattison.de
2	mx.jgosmann.de
2	mx.jitsi-meet.de
2	mailstore.ab-data.us
2	terraba.impulsahosting.com
2	mail.joniw.de
2	serdica.jaggi.info
2	mail.jtebruegge.de
2	mail.kdv-fh-bayern.de
2	mx.scne.xyz
1	mail.dekkerklimaattechniek.nl
1	mail.dekunstquak.nl
1	mx.deskunde.nl
1	mail.detjonger.nl
1	mail.devonkentrekker.nl
1	mail.diamondorchid.nl
1	mail.dick-tegel.nl
1	mail.didactexact.nl
1	mail.dieseltreinen.nl
1	mail.digi-na.nl
1	mail.digimortals.nl
1	vpn.digiware.nl
1	mail.dosba.nl
1	mail.drone-movies.nl
1	mail.dutchbreeding.nl
1	mail.e-bikevakanties.nl
1	mail.edwingroenvastgoed.nl
1	mail.eendenmuseum.nl
1	mail.fietscentre.nl
1	mail.fietsshoppingcenter.nl
1	mail.fietsshoppingcentre.nl
1	mail.fijnstofbestrijding.nl
1	mail.freetimeict.nl
1	mail.gentle-release.nl
1	greppie.nl
1	mail.gwbeheergooi.nl
1	hackabit.nl
1	mail.horseshoetravel.nl
1	mail.hotobandencentrum.nl
1	mail.hugogirls.nl
1	www-proxy2.hz.nl
1	mail.ikmailmetzorg.nl
1	mail.ikmailveilig.nl
1	mail.ikmailvertrouwd.nl
1	mail.in-deco.nl
1	mail.int18.nl
1	isatiscybersecurity.nl
1	mail.johannesmeyers.nl
1	mail.jonklaus.nl
1	mail3.jordanmlu.nl
1	mail.jtdevos.nl
1	mail.kwekerijplak.nl
1	mail.laponders.nl
1	mail.limoamsterdamairport.nl
1	lingerent.nl
1	mail.mariamoria.nl
1	mjtverhoef.nl
1	mail.mrdavy.nl
1	mymails.nl
1	mail.narrowcastingbysmash.nl
1	mail.netwerk-profs.nl
1	mail.nijkit.nl
1	mail.nnotw.nl
1	mail.oetlul.nl
1	mail.onuferova.nl
1	mail.patrickkas.nl
1	mail.poephoofd.nl
1	mail.prelution.nl
1	mail.router-profs.nl
1	mail.rutger.nl
1	mail.sbpg.nl
1	mail.scpocahontas.nl
1	mail.smash-cb.nl
1	mail.smashcb.nl
1	mail.spraycannon.nl
1	mail.stofbeheersing.nl
1	mail.the-mbgroup.nl
1	mail.theyosh.nl
1	mail3.theyosh.nl
1	mail.tswestendorp.nl
1	mail.ubiquiti-profs.nl
1	mail.unifi-profs.nl
1	mail.wifi-profs.nl
1	vps02.woudenbergh.nl
1	mail.xs2net.nl
1	ulrika.berget.nu
1	email.itn.nu
1	mailone.security.kiwi.nz
1	mail.mingxu.one
1	mx.sportvereine.online
1	mx.stoeckl.online
1	mx6.stoeckl.online
1	smtp1.23ro.org
1	1319.agency
1	adblockextreme.org
1	mail.alolise.org
1	yuno.antopie.org
1	mail1.apahlevan.org
1	mail2.apahlevan.org
1	mail.asprion.org
1	nynaeve.aybara.org
1	mail-gw.chabrols.org
1	mail.dreamradio.org
1	mail.easternpromises.org
1	mail.ecological-awakening.org
1	mail.akerman.eu.org
1	melusine.eu.org
1	cumin.exim.org
1	mail.gentoo.org
1	mail.gkbs.org
1	mx.jaehrling.org
1	jsonprice.org
1	lapetiteimprimerie.org
1	mail.lapetiteimprimerie.org
1	mail.lascuolaopensource.org
1	mail.linuxmg.org
1	mail.ludek.org
1	mail.luhrman.org
1	he-stal-mail.maulay.org
1	maild.maulay.org
1	mail.mdevries.org
1	mail.mosdev.org
1	mail.noema.org
1	mail1.noema.org
1	mail.nujub.org
1	mail.papy-team.org
1	mail.plasticmasonry.org
1	mail.plevenlab.org
1	mail.pngu.org
1	mx.qsdf.org
1	pork.recoil.org
1	mail.sebi.org
1	pi.sebi.org
1	backupmx.smartsailing.org
1	mail.smartsailing.org
1	mail.ultracoder.org
1	mail.wissenschafftfreiheit.org
1	mail.wissenschaftfreiheit.org
1	mail.wtmux.org
1	koukan.ovh
1	rinze.page
1	stalwart.tram.pics
1	mail1.zakreconysloik.com.pl
1	mail2.zakreconysloik.com.pl
1	mx.fly.edu.pl
1	mail1.marszalkowscy.pl
1	mail2.marszalkowscy.pl
1	mx.teslamed.pl
1	smtp1.marques.pub
1	smtp2.marques.pub
1	0g.re
1	core0.blacklight.re
1	mail.pasion.ro
1	mail.kodalynx.rocks
1	mail.mdma.rocks
1	mail.my-cloud.rocks
1	mail.itnet33.ru
1	mail.narius.ru
1	mail2.coffes.se
1	flisanetwork.se
1	mail.karlmarten.se
1	nikesec.se
1	mail.silenda.se
1	mail.cs.umu.se
1	mx2.serv.site
1	mail.lumina.software
1	email.sorriaux.software
1	mail.benni.space
1	mail.darksector.space
1	mx1.kuhmunity.space
1	mijndomein.space
1	mail.syr333x.space
1	mail.lolicon.store
1	anzu.lian.su
1	ixtar.diath.systems
1	mail.kooperation.team
1	expressio.tech
1	mx.r2w.tech
1	mail1.jan.tm
1	boettger.top
1	mail.imrozrum.k12.tr
1	mail.rewiredminds.trade
1	mail.azerov.tv
1	mail.juniperchick.co.uk
1	mail.martiniclub.co.uk
1	mail.sanctus.co.uk
1	fogbox.uk
1	mail.juniperchick.uk
1	sarahlicity.me.uk
1	mail.incognito.org.uk
1	mail.domic.us
1	harad.mathom.us
1	osgiliath.mathom.us
1	mail.darkrage.vip
1	m.stefan.wf
1	bpnet.work
1	mail.737900.xyz
1	mail.alucryd.xyz
1	mail.d99.xyz
1	mail.elarvee.xyz
1	one.mx.ltgt.xyz
1	two.mx.ltgt.xyz
1	mail.pocki.xyz
1	mail.pomazan.xyz
1	mail.8623.org
1	mail.golia.ai
1	mail.edutrail.app
1	mail.ravue.app
1	mail.kolmann.at
1	mx01.skyforge.at
1	yu.xendynastie.at
1	3t.au
1	mail.infohost.net.au
1	birdsonghouse.be
1	emailus.be
1	mail.emergamus.be
1	glasgestaltung.biz
1	mail.leandrojacomelli.com.br
1	mail.uranux.com.br
1	mail.ler.cordeiro.nom.br
1	omail.ler.cordeiro.nom.br
1	mail.botero.ca
1	mail.brinton.ca
1	mail1.french-collection.ca
1	mail2.french-collection.ca
1	mail.pyroman.ca
1	mail.nekomimi.cafe
1	mail.versa.casa
1	acay.cc
1	mail.carnot.cc
1	mail.interpost.cc
1	smtp.kfsys.cc
1	mx.ololo.cc
1	mail.brink.center
1	mail.n0tn.cfd
1	mail.blackpool-music.ch
1	mx.blossome.ch
1	mail.fritixsport.ch
1	mail.froschba.ch
1	mail.joergi.ch
1	mail.kadenba.ch
1	mail21.ch
1	mail.nuvon.ch
1	pu.s2net.ch
1	mail.fpma.church
1	mail2.alanwest.cloud
1	mail.alejandria.cloud
1	mx.demi.cloud
1	mx2.demi.cloud
1	mail.mcwhorter.cloud
1	mail.schaenzer.cloud
1	mx.siebel.cloud
1	gaia.xorinzor.cloud
1	mail.behinderten.club
1	mail.heinzelmann.co
1	mail.sunsun.co
1	mail.zamow.co
1	mail.raatz.cologne
1	adblockextreme.com
1	mail.albertochung.com
1	mail.annemarielaponder.com
1	mail.astralus.com
1	mx.atmediallc.com
1	mail.atmediamail.com
1	mail.axonfibre.com
1	mx1.azumail.com
1	mx2.azumail.com
1	mail.bananasareyellow.com
1	mail.bdayprob.com
1	mail.bluuurgh.com
1	mail.bravelychoc.com
1	smtp.carlgo11.com
1	mail.centraltexashosting.com
1	mail.cryptobauer.com
1	mail.cukrinelape.com
1	melisandre.darkspacelab.com
1	mx2.dermichi.com
1	mail.disgruntledcode.com
1	mail2.disgruntledcode.com
1	mail.dzenanjupic.com
1	mail.eleith.com
1	mx1.emailaudit.com
1	mx2.emailaudit.com
1	mail.evroclabs.com
1	mail.experiencetherave.com
1	mail.facubo.com
1	servidor.fernandescontabilidade.com
1	flisanetwork.com
1	mail.fliwind.com
1	mail.frankmeise.com
1	mail.glotejersey.com
1	mail.goleadboxer.com
1	mail.goowiz.com
1	mx.hackedstack.com
1	mail.hohenloher-molkerei.com
1	mail.hs-rent.com
1	post-office.iamhansen.com
1	mail.infoarx.com
1	mail.ipraft.com
1	mail.jhammah.com
1	mail.joinleadboxer.com
1	mail.juniperchick.com
1	mail.kostalli.com
1	mail.leadboxerteam.com
1	mail.liverado.com
1	looosid.com
1	mailbawks.com
1	mail.mailsuperstack.com
1	mail.malikussaid.com
1	mail2.malikussaid.com
1	mx.mandjes.com
1	mail.marbellawebs.com
1	mail.martinfolta.com
1	mail.martiniclubuk.com
1	smtp.mastarin.com
1	mail.mifsh.com
1	mx-01.nakene.com
1	mail.neilcookson.com
1	neverwasinparis.com
1	mail.nexaknight.com
1	mail.nissyroshotel.com
1	smtp.nissyroshotel.com
1	mail.no-spam-ever.com
1	mail.nos-mail.com
1	nudante.com
1	mail.openimb.com
1	mail.outersterp.com
1	mail.pmphan.com
1	email.pradarp.com
1	mail.prepanesthesia.com
1	mail.primaudialrecords.com
1	mail.privjaac.com
1	mx.pubmx.com
1	mail.pyxsd.com
1	mail.raisemya1c.com
1	mail.randomdood.com
1	ryanrichardwalker.com
1	mail.saleminejad.com
1	mta1.salesmtp.com
1	mxa.secumailer.com
1	mail.serandp.com
1	silicomail.com
1	mail.sorenstudios.com
1	smtp4out.std-service.com
1	mail.sunsungems.com
1	mail.sunsunjewelry.com
1	mail.theedgeofrage.com
1	mail.towaanu.com
1	mail.trangthan.com
1	mail.tryleadboxer.com
1	ugxdev.ugx-mods.com
1	ugxprod.ugx-mods.com
1	mail.uniseekai.com
1	vps.vanmelick.com
1	mail.vatozsoftware.com
1	verkleedje.com
1	vip5.vip-vmail.com
1	mail.visfabriek.com
1	mail.wellnessbudget.com
1	mail.worldmartiniday.com
1	mx.xelerance.com
1	mail.xenocara.com
1	mail.zz-lab.com
1	3afm.company
1	mail.3afm.company
1	smtp.ecn.cz
1	mail.encrypton.cz
1	mail.enkrypton.cz
1	mail.folfi.cz
1	mail.ivusn.cz
1	mail.kapi.cz
1	mail.magdi.cz
1	mail.magdis.cz
1	mail.misanci.cz
1	mail.nfcobchod.cz
1	mail.nfcshop.cz
1	mail.pragoperun.cz
1	mail.pred-objektivem.cz
1	mail.predobjektivem.cz
1	mail.relatix.cz
1	skorpil.cz
1	atlantis.skorpil.cz
1	mail.videoznelka.cz
1	mail.videoznelky.cz
1	mail.vohr.cz
1	mail.2of16.de
1	77177.de
1	acc-host.accordimento.de
1	mail.alleshierrein.de
1	mail2.andreas-lemcke.de
1	mx5.andreas-lemcke.de
1	mail.azerov.de
1	mx.bemmy.de
1	mx2.bemmy.de
1	mx.benny.de
1	mail.bluefrost.de
1	mx02.cbok.de
1	mail.chocobos.de
1	mail.christopherfuchs.de
1	mailbackup.christopherfuchs.de
1	mail.clouddrop.de
1	mail.copternow.de
1	mx5.cotter.de
1	mail.cpfroehlich.de
1	mail.datnshuz.de
1	hamilton.deprecate.de
1	mx.devtig.de
1	mta0.digital-attic.de
1	mail.dreiecksbadehose.de
1	mail.duesseldorferboys.de
1	smtp.einwegkunststofffonds.de
1	ej-uttenreuth.de
1	smtp.ewk-test.de
1	host.f-sulzmann.de
1	mx5.fun-adventure.de
1	mail.gamerangerz.de
1	mail.ganneff.de
1	mx01.gcsfb.de
1	mail.generalxz1.de
1	mail.gompf.de
1	mail.heinzelmann-it.de
1	mail.heitepriem.de
1	mail.hu-si.de
1	mail2.hu-si.de
1	mail.in42.de
1	mx01.ipv6help.de
1	mail.ivory.de
1	mx.janisluenne.de
1	mail.jnhmn.de
1	jo-so.de
1	mail.jobei.de
1	mailz.khbarth.de
1	mx5.kleinerfalter.de
1	mail.landarzthelden.de
1	mail.lpcom.de
1	mail.matthias-bergt.de
1	mail.metalabs.de
1	linux02.mk25.de
1	server2.muellenbach-cloud.de
1	mail.mueller-benedikt.de
1	mx1.mxservices.de
1	mail.nerdbase.de
1	nicoschlegel.de
1	mail.nilskeller.de
1	nolte-thomas.de
1	ojaehrling.de
1	mail.onlain.de
1	mail.pointjig.de
1	mail.projekt-pusztahunde.de
1	mail.reinholdalerbon.de
1	mx.rewt.de
1	mail.samundsarah.de
1	mx5.saselit.de
1	mail5.scharwaechter-reinbek.de
1	mail.sgftv-ginnheim.de
1	mx.sgftv-ginnheim.de
1	slave003.shsh.de
1	mx.siedlung.de
1	mail145.server.simon-mueller.de
1	comail1.smurb.de
1	mail.solsector.de
1	mail.taitanuit.de
1	gindelmer.tangoz.de
1	eipi1.tbahn.de
1	femur.tbahn.de
1	mail.tbz-pariv.de
1	mail2.tbz-pariv.de
1	mail.telgkamp.de
1	mail.terrab.de
1	mail.timo-hohmann.de
1	mail.tincloud.de
1	mail2.tincloud.de
1	mx5.tollemenschen.de
1	mail.ttmab.de
1	mail.voltavision.de
1	mx5.wingsturlaub.de
1	yq5.de
1	mail.ywq.de
1	testing.ywq.de
1	mail.yyweb.de
1	mail.zcc-gaming.de
1	mail.zeyrox.de
1	mail.anikiforov.dev
1	mail.goodgirl.dev
1	mail.jacksn.dev
1	mx.karilaa.dev
1	mail.kunet.dev
1	mail.mendox.dev
1	mail.node9.dev
1	mx.polyas.dev
1	mail.sobotics.dev
1	mail.styl.dev
1	agentoft.dk
1	mail.jinpha.dk
1	mail.sprange.dk
1	mail.kestrel.edu
1	mail.h5b.email
1	mx.storage.engineering
1	mail.jeserga.es
1	mail.limpiamur.es
1	mail.2dos.eu
1	mail.encrypton.eu
1	mail.enkrypton.eu
1	ipct.eu
1	jivie.eu
1	klein.eu
1	mail.libraoptima.eu
1	mail.magdis.eu
1	mail.martinfolta.eu
1	mail.misanci.eu
1	smtp.mybotti.eu
1	mail.nfcobchod.eu
1	mail.nobugz.eu
1	oessi.eu
1	hbdx.okazoo.eu
1	yop24.okazoo.eu
1	mail.ouinouin.eu
1	mail.schachverein-fideler-bauer.eu
1	mail.subse.eu
1	mail.tincloud.eu
1	mail2.tincloud.eu
1	mail.trag0z.eu
1	mail.virtlinux.eu
1	mail.zlorp.eu
1	mail.pascher.family
1	mail.thewilley.family
1	test.farm
1	mail.nopanen.fi
1	vmp.nopanen.fi
1	zen.slf.fish
1	mail1.appcollaboratif.fr
1	mail.azlakabam.fr
1	mail.berniques.fr
1	mail.bois-terre-paille.fr
1	mail.brit-hotel-fumel.fr
1	c2.coact.fr
1	mail.gasdev.fr
1	mail.geomatys.fr
1	mail.grngr.fr
1	mail.cloud.hadser.fr
1	perrin87.fr
1	mail.perrin87.fr
1	smtp.picordi.fr
1	smtp.savioz.fr
1	selmai.fr
1	mail.test-domaine.fr
1	hermes.vendredicorp.fr
1	mail.voyelle-co.fr
1	mail.informatika.fun
1	blex.gay
1	mail.malik.holdings
1	mail2.malik.holdings
1	mail.itsg.host
1	mail.ai4science.hu
1	mail.serail.biz.id
1	mail2.serail.biz.id
1	mail.lele.co.id
1	mail2.lele.co.id
1	mail.sil.co.id
1	mail2.sil.co.id
1	mail.malik.id
1	mail2.malik.id
1	mail.malikussa.id
1	mail2.malikussa.id
1	mail.malik.my.id
1	mail2.malik.my.id
1	mail.malikussaid.my.id
1	mail2.malikussaid.my.id
1	mail.said.my.id
1	mail2.said.my.id
1	mail.said.id
1	mail2.said.id
1	mail.malik.web.id
1	mail2.malik.web.id
1	mail.malikussaid.web.id
1	mail2.malikussaid.web.id
1	mail.mhi.web.id
1	mail2.mhi.web.id
1	mail.said.web.id
1	mail2.said.web.id
1	vps.jell.ie
1	46e163cb479e.deepkn.in
1	mail.oosten.in
1	mail.heitepriem.info
1	kuhlmey.info
1	mail.pinched.info
1	mail.potters.info
1	mx1.sdeziel.info
1	mail.treyturner.info
1	mail.trunz.info
1	mail.1price.io
1	mx.bdev.io
1	alcamilo.dedyn.io
1	mail.portman.io
1	mail.savioconsulting.io
1	mail.slnet.io
1	mail.tommytran.io
1	mail.vall.is
1	mx1.alotof.it
1	bmx.mischke.it
1	mail.pit-stop.it
1	xn--ku8h.xn--0ci.je
1	mail.rax.la
1	mail.amstutz.li
1	mail.mouff.li
1	mail.manager24.live
1	mail.cgnn.me
1	mail.evran.me
1	mail.jeserga.me
1	mail.kroeb.me
1	mail.mnunes.me
1	mail.nuerk.me
1	mx1.okashi.me
1	smtp.shelton.me
1	mail.wum.me
1	mail.animeteamspeak.moe
1	mail.heck.moe
1	hollow.moe
1	mail.klbr.mom
1	mail.klein.mx
1	adblockextreme.net
1	smtp.aeon-hq.net
1	mail.alerbon.net
1	b767.net
1	axiom.breakingthe.net
1	c4f3.net
1	codingupsolutions.net
1	mxsrv.cubixor.net
1	kurier.dasreich.net
1	m1.dymstro.net
1	server.eightyfive.net
1	mail.eldant.net
1	frontend.mail.faelix.net
1	secondary.mail.faelix.net
1	secure.mail.faelix.net
1	pieterpost.gigawebs.net
1	mail.goppold.net
1	mail2.goppold.net
1	smtp.hoerst.net
1	mail.intaa.net
1	mx.iomaestro.net
1	mail1.jduprat.net
1	mail2.jduprat.net
1	ananke.jermann.net
1	mail.juniperchick.net
1	mail.kafemarat.net
1	mail.karkand.net
1	mail.klein-it.net
1	vps1.kobezda.net
1	mail.koeroo.net
1	mail.lbcfree.net
1	smtp.lbcfree.net
1	mail.macip.net
1	mx1.mailie.net
1	mx2.mailie.net
1	mail.martinfolta.net
1	alpha.mcdeed.net
1	gamma.mcdeed.net
1	mail.mehrzad.net
1	smtp.miltonroad.net
1	skippy.nahmias.net
1	mail.netpixeldesign.net
1	mail.nurevolution.net
1	oumlaut.net
1	mail.oumlaut.net
1	ozgurgokmen.net
1	mail.ozgurgokmen.net
1	tocharian.pniedzielski.net
1	mx1.post360.net
1	mx2.post360.net
1	mx.privacymail.net
1	mail.progr.net
1	stalwart.raup.net
1	mail.rehaag.net
1	mx5.reischauer.net
1	enog-apps-2.ripe.net
1	mail-mx-1.ripe.net
1	mail-mx-2.ripe.net
1	emx-01.rmd-logistics.net
1	mail.scholz-da.net
1	mail.shinyshoe.net
1	mail.skyonesg.net
1	testserver.smartrns.net
1	mail.spookyless.net
1	mail.svizac.net
1	mail.tawilliams.net
1	mail1.teiteia.net
1	mail2.teiteia.net
1	mail.thaiminh.net
1	mail.topophile.net
1	mail.uptheinter.net
1	mail.whamclinics.net
1	mx1.worlddab.net
1	mail.fibretel.network
1	mail.072hypotheken.nl
1	mail.12342444.nl
1	mail.3d-concurrent.nl
1	mail.4p-nh.nl
1	mail.4p-telecom.nl
1	mail.4pit.nl
1	mail.4psolutions.nl
1	mail.4ptelecom-en-it.nl
1	mail.4x4-experience.nl
1	mail.aangiftebelastingen.nl
1	mail.aannemersbedrijfcjentius.nl
1	mail.aannemersbedrijfentius.nl
1	mail.aarsleffbv.nl
1	mail.abbaweb.nl
1	mail.abusereportertool.nl
1	mail.accountantkatwijk.nl
1	mail.accountantsantpoort.nl
1	mail.accountantschagen.nl
1	mail.achive.nl
1	mail.airluxairco.nl
1	annemarielaponder.nl
1	mail.autoschilder.nl
1	mail.bandenwasser.nl
1	mail.beukenhoeve.nl
1	mx2.biorit.nl
1	mail.boerskashandelsonderneming.nl
1	mail.broodfondshofvantwente.nl
1	mail.camerabeveiliging-profs.nl
1	mail.cloudvoorsecurity.nl
1	mail.contactdenoord.nl
1	kirkman.corstiaanhol.nl
1	mail.croatiangrapes.nl
1	mail.croatianwineambassador.nl
1	mail.dansbelang.nl
1	mail.daviddam.nl
1	mx1.dco.nl
1	mail.dekerkvantoen.nl
1	mail.dekinderafdeling.nl

Provisioning DANE-TA(2) TLSA records for Let's Encrypt CAs.

TLSA records for root CAs

MX hosts with TLSA records for retired Let's Encrypt CAs