Provisioning DANE-TA(2) TLSA records for Let's Encrypt CAs.

Some mail servers (MX hosts) have associated TLSA records with certificate usage 2 (DANE-TA) that match one of the retired Let's Encrypt issuer CAs. The retired CAs include:

All certificates issued to DANE MX hosts by the "X1", "X2", "X3" and "X4" intermediate issuing CAs expired long ago. As of 2024-09-03, so have those issued by the "R3", "R4", "E1" or "E2" issuing CAs.

When you do publish TLSA records matching a Let's Encrypt issuing CA, make sure to publish the full set of records for ALL the related CAs:

All Let's Encrypt users publishing DANE-TA(2) TLSA records need to update their TLSA records to match the intermediate issuer CAs that issued their current certificate, and to pre-publish records for the upcoming CAs if the current issuer is no longer active.

If your server's private and public keys are RSA keys, you can publish TLSA records matching just the "R*" CA public keys, and with ECDSA keys, just the "E*" CA public keys. If your server has both RSA and ECDSA keys, you'll need to publish TLSA records matching both the "R*" and "E*" issuer CAs. You can't rely on certificate renewal always using the same intermediate CA as before, and the backup issuers may be used instead at any time. Therefore, list all the "R*" and/or "E*" records. See the tables below for details.

Thus, SMTP server operators using DANE-TA(2) with Let's Encrypt certificates must publish the applicable groups of TLSA records from the tables below (possibly in addition to "3 1 1" records matching the server public key) for each of their MX hosts in order to prevent delivery failures.

CA tag   Active RSA issuer CAs
R10      _25._tcp.each.mx.host. IN TLSA 2 1 1 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
R11      _25._tcp.each.mx.host. IN TLSA 2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
R12      _25._tcp.each.mx.host. IN TLSA 2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
R13      _25._tcp.each.mx.host. IN TLSA 2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
R14      _25._tcp.each.mx.host. IN TLSA 2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888

CA tag   Active ECDSA issuer CAs
E5       _25._tcp.each.mx.host. IN TLSA 2 1 1 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8
E6       _25._tcp.each.mx.host. IN TLSA 2 1 1 d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
E7       _25._tcp.each.mx.host. IN TLSA 2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
E8       _25._tcp.each.mx.host. IN TLSA 2 1 1 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
E9       _25._tcp.each.mx.host. IN TLSA 2 1 1 f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2

Any other "2 1 1" records that were once associated with Let's Encrypt SHOULD NOT be used. They can't possibly match an unexpired certificate; they merely bloat DNS TLSA lookup results and are an unnecessary security risk (should the obsolete CA keys be compromised). These include:

CA tag   Retired issuer CAs to avoid
X1/X3    _25._tcp.each.mx.host. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
X2/X4    _25._tcp.each.mx.host. IN TLSA 2 1 1 b111dd8a1c2091a89bd4fd60c57f0716cce50feeff8137cdbee0326e02cf362b
R3       _25._tcp.each.mx.host. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
R4       _25._tcp.each.mx.host. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
E1       _25._tcp.each.mx.host. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
E2       _25._tcp.each.mx.host. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270

For the Let's Encrypt CAs, please also avoid all TLSA parameter combinations other than "2 1 1", i.e. a SHA2-256 digest of the CA's public key (not of the full certificate).

MX hosts whose TLSA records include only inactive CA key digests are no longer able to receive email from sending systems that perform DANE validation.

TLSA records for root CAs

With a bit of care, one can instead publish TLSA records matching one of the "ISRG X1" or "ISRG X2" root CAs. One then has to carefully ensure that the root CA certificate is appended to the server's chain file, which is not the case with chain files produced by, e.g., certbot, so the ACME chain file may require post-processing before it is configured as the MTA's certificate chain. The root CA public key hashes are:

CA tag   ISRG Root CAs
ISRG X1  _25._tcp.each.mx.host. IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3
ISRG X2  _25._tcp.each.mx.host. IN TLSA 2 1 1 762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332

Of course, even the above root CA TLSA records are not safe to ignore indefinitely; the roots are also subject to occasional bitrot. Only the "3 1 1" records matching your server's public keys are under your control, and they change only when *you* decide to switch to new keys.

Hence, my best advice is to not play Let's Encrypt whack-a-mole, and use "3 1 1" records with stable keys (not automatically replaced with every renewal). You should choose when to rekey, and prepublish matching TLSA records before you do so. You may find danebot or similar tools helpful.
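As an added example (shell with openssl; not code from the original page, nor from danebot), the script below computes the SHA2-256 SPKI digests that go into the "2 1 1" and "3 1 1" records above, and checks whether an MTA chain file actually carries a CA whose key matches a published record. This is the check behind the root-CA caveat above: a chain file without the root appended cannot match an "ISRG X1"/"ISRG X2" record. The CA, host name and file paths are constructed for the demo and stand in for the real Let's Encrypt hierarchy.

```shell
#!/bin/sh
# Added example, not from the original page: compute DANE "2 1 1" / "3 1 1"
# digests and check whether an MTA chain file carries a CA whose public key
# matches a published TLSA record. Needs openssl; all certs are generated locally.
set -eu

# SHA2-256 over the DER-encoded SubjectPublicKeyInfo of a PEM certificate:
# the digest field of a "2 1 1" (issuer CA) or "3 1 1" (server) TLSA record.
tlsa_spki_digest() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | sed 's/^.*= *//'
}

# Split a PEM chain file into one certificate per file: $2/cert-1.pem is the
# server certificate, $2/cert-2.pem ... the issuer chain as sent by the MTA.
split_chain() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
                     f { print > f }' "$1"
}

# Exit 0 if some issuer certificate in chain file $1 (everything after the first
# certificate) has an SPKI digest listed in $2 (one hex digest per line).
# A DANE-TA(2) verifier can only match a CA that the server actually sends.
chain_matches_tlsa() {
    d=$(mktemp -d); rc=1
    split_chain "$1" "$d"
    for c in "$d"/cert-*.pem; do
        [ "$c" = "$d/cert-1.pem" ] && continue
        if grep -qix "$(tlsa_spki_digest "$c")" "$2"; then rc=0; fi
    done
    rm -rf "$d"
    return $rc
}

# Constructed demo PKI (hypothetical names): an ECDSA root CA standing in for
# "ISRG X2" and a server certificate it signs. Everything is written under $1.
make_demo_pki() {
    w=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 2 \
        -keyout "$w/root.key" -out "$w/root.pem" -subj "/CN=Demo Root" 2>/dev/null
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$w/mx.key" -out "$w/mx.csr" -subj "/CN=mx.example.test" 2>/dev/null
    openssl x509 -req -in "$w/mx.csr" -CA "$w/root.pem" -CAkey "$w/root.key" \
        -CAcreateserial -days 1 -out "$w/mx.pem" 2>/dev/null
    cp "$w/mx.pem" "$w/chain-no-root.pem"                   # chain as ACME tooling leaves it
    cat "$w/mx.pem" "$w/root.pem" > "$w/chain-with-root.pem" # root appended by hand
    tlsa_spki_digest "$w/root.pem" > "$w/tlsa.txt"          # the "2 1 1" digest to publish
}
```

Run make_demo_pki on a scratch directory and then chain_matches_tlsa on the two chain files to see the no-root chain fail and the root-appended chain match. On a real MX host, point tlsa_spki_digest at each intermediate in your ACME chain file and compare the output with the records published in your zone.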

Finally, please avoid issuer TLSA records with selector Cert(0), i.e. "2 0 1" and "2 0 2". These are much more fragile: for example, some of the "E*" certificates will be issued by the RSA "X1" root, while others by the newer ECDSA "X2" root.

MX hosts with TLSA records for retired Let's Encrypt CAs

The table below lists MX hosts that are still publishing TLSA records matching the retired "X1", "X2", "X3", "X4", "R3", "R4", "E1" or "E2" CAs as well as the outdated R3 or R4 cross-certificates issued by DST. It is sorted to list hosts that serve the most domains first.
