There are still ~250 MX hosts with DANE TLSA records that match the retired X3 or X4 Let's Encrypt CAs. Perhaps also other retired CAs, but these are the ones I'm tracking at:
https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Please take care to avoid DANE TLSA records with the below usage, selector, matching type and associated data combinations:
CA TLSA Records of retired CAs to avoid
The reason that there are pairs of "2 0 1" and "2 0 2" records is that the X3 and X4 CAs were initially signed by DST and later by ISRG. All certificates issued via "X3" have long expired, and all replacements are using "R3" or "E1".
And of course, if some other CA you've listed and haven't checked up on since has been retired, be sure to delist it as well.
DANE TLSA records are not "deploy and forget"; they need to be actively monitored, both to make sure that at least one matches and to not forget to age out any that no longer match and might be stale.
Leaving monitoring to the DANE survey (https://stats.dnssec-tools.org) is neither timely nor reliable (~24 hours notification delay, if the domain is included in the survey and a responsive domain contact can be found).
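As an added illustration (not code from the post), a small Python audit of the kind the post asks operators to run themselves: it checks which records of a published TLSA RRset match the chain an MX host actually presents and flags the rest as stale. The DER blobs below are constructed placeholders; a real monitor would take the certificate and SubjectPublicKeyInfo bytes from the STARTTLS handshake.

```python
import hashlib
from dataclasses import dataclass

# Matching type -> digest (RFC 6698): 1 = SHA2-256, 2 = SHA2-512; 0 is the raw object.
_DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}

@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA (issuer), 3 = DANE-EE (end entity)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    mtype: int     # 0 = exact, 1 = SHA2-256, 2 = SHA2-512
    data: str      # associated data as published in DNS (hex)

def tlsa_digest(der: bytes, mtype: int) -> str:
    """Hex associated data a record of this matching type carries for a DER object."""
    return der.hex() if mtype == 0 else _DIGEST[mtype](der).hexdigest()

def record_matches(rec: TLSA, chain: list) -> bool:
    """chain[0] is the end-entity cert, chain[1:] the issuers the MX presents;
    each entry is {"cert": DER bytes, "spki": DER SubjectPublicKeyInfo bytes}."""
    if rec.usage == 3:
        candidates = chain[:1]   # DANE-EE: only the server certificate
    elif rec.usage == 2:
        candidates = chain[1:]   # DANE-TA: any issuer in the presented chain
    else:
        return False             # PKIX usages 0/1 are not used for SMTP DANE (RFC 7672)
    for entry in candidates:
        obj = entry["cert"] if rec.selector == 0 else entry["spki"]
        if tlsa_digest(obj, rec.mtype) == rec.data.lower():
            return True
    return False

def audit_tlsa(records, chain):
    """Split the RRset into records matching the live chain and stale ones to delist."""
    matched = [r for r in records if record_matches(r, chain)]
    return matched, [r for r in records if r not in matched]

def demo():
    # Constructed stand-ins for DER blobs; a real monitor takes them from the TLS handshake.
    retired = {"cert": b"constructed-retired-X3-cert", "spki": b"constructed-retired-X3-key"}
    current = {"cert": b"constructed-R3-cert", "spki": b"constructed-R3-key"}
    leaf = {"cert": b"constructed-mx-leaf-cert", "spki": b"constructed-mx-leaf-key"}
    rrset = [
        TLSA(2, 0, 1, tlsa_digest(retired["cert"], 1)),  # stale: retired issuer, SHA-256
        TLSA(2, 0, 2, tlsa_digest(retired["cert"], 2)),  # stale: retired issuer, SHA-512
        TLSA(2, 1, 1, tlsa_digest(current["spki"], 1)),  # live: current issuer's key
    ]
    return audit_tlsa(rrset, [leaf, current])
```

Run `demo()` to see the two retired-issuer records reported as stale while the current issuer's SPKI record matches; an empty `matched` list is the alarm condition (no record matches the live chain at all).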