The major changes in the Let's Encrypt issuer CA lineup noted in my previous post:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/ZTM3XQM...
are now largely completed. Of the ~46000 domains with working DANE-TA(2) TLSA records matching a Let's Encrypt intermediate issuer, just 62 are still based on R3, and none on X3, X4, R4, E1 or E2.
These last few R3 issued certificates will either be renewed or will expire by September 4th.
Therefore, if you haven't done so already, please read the fine advice in:
https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
and switch to R10..R14 or E5..E9 (or rarely both) as appropriate. If you prefer to instead pin the ISRG root CAs, you MUST ensure that your SMTP server's chain file also includes the ISRG X1 or ISRG X2 root (whichever happened to issue the intermediate CA cert), and then you can publish TLSA records matching these roots.
https://dane.sys4.de/common_mistakes#4
https://github.com/Mailu/Mailu/issues/2138
https://datatracker.ietf.org/doc/html/rfc7671#section-5.2.3
Note that some MTA operators have made the mistake of listing just R10 or R11 (similarly just E5 or E6), whichever was the first new issuer they saw, without understanding that the issuer will randomly rotate between these, and may in an emergency be one of their backups.
DO NOT be tempted to skimp on the list of published TAs. If you're keen on using DANE-TA(2) with Let's Encrypt, publish the full set, and keep track of periodic Let's Encrypt service announcements.
And of course, DO NOT neglect monitoring, perhaps based on:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/thread/NKDBQABS...
And of course, it may be simplest to stop playing Let's Encrypt TA whack-a-mole, and switch to "3 1 1" records:
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
Perhaps with the aid of:
https://github.com/tlsaware/danebot
or similar/equivalent. Best of luck, but, if you can pay attention to detail, you should not need it.
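As an added illustration (my own code, not from this post or from any of the tools linked above) of the two points made here, namely that a DANE-TA(2) record for the ISRG root only helps if the root is actually in the server's chain file, and that "3 1 1" records sidestep the issuer question entirely: a pure-stdlib Python helper computes TLSA association data for selector 0/1 and matching type 0/1/2, then checks a server's certificate chain against a set of published records. The DER walker is deliberately minimal (single-byte tags, definite lengths only), and the sample certificates are constructed, unsigned stand-ins, not real Let's Encrypt certificates.

```python
import hashlib

def _tlv(buf, off=0):
    """Decode the DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                  # long-form length
        k, off = n & 0x7F, off + (n & 0x7F)
        n = int.from_bytes(buf[off - k:off], "big")
    return tag, buf[off:off + n], off + n

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    tbs = _tlv(_tlv(cert_der)[1])[1]              # Certificate -> tbsCertificate body
    off = _tlv(tbs)[2] if tbs[0] == 0xA0 else 0   # skip the optional explicit [0] version
    for _ in range(5):                            # serial, sigAlg, issuer, validity, subject
        off = _tlv(tbs, off)[2]
    return tbs[off:_tlv(tbs, off)[2]]

def tlsa_data(cert_der, selector, mtype):
    """TLSA association data (hex): selector 0=Cert/1=SPKI, matching 0=Full/1=SHA-256/2=SHA-512."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        return data.hex()
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()

def match_chain(chain, records):
    """chain: DER certs as the server sends them, EE first; records: (usage, sel, mtype, hex).
    DANE-TA(2) must match a CA cert actually present in the chain; DANE-EE(3) only the EE cert."""
    for usage, sel, mtype, hexdata in records:
        cands = chain[:1] if usage == 3 else chain[1:]
        if any(tlsa_data(c, sel, mtype) == hexdata.lower() for c in cands):
            return True
    return False

# --- constructed, unsigned sample certificates (not real Let's Encrypt data) ---
def _der(tag, body):                              # minimal DER encoder for the samples
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (ln if len(body) < 128 else bytes([0x80 | len(ln)]) + ln) + body

def fake_cert(spki, with_version=True):           # Certificate SEQUENCE with real field order
    ver = _der(0xA0, _der(0x02, b"\x02")) if with_version else b""
    empty = _der(0x30, b"")                       # stands in for sigAlg, issuer, validity, subject
    tbs = ver + _der(0x02, b"\x01") + empty * 4 + spki
    return _der(0x30, _der(0x30, tbs) + empty + _der(0x03, b"\x00"))

def _spki(seed):                                  # id-ecPublicKey AlgorithmIdentifier + opaque key bits
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201")))
    return _der(0x30, alg + _der(0x03, b"\x00" + bytes([seed]) * 160))

EE_SPKI, CA_SPKI, ROOT_SPKI = _spki(1), _spki(2), _spki(3)
EE_CERT, CA_CERT, ROOT_CERT = fake_cert(EE_SPKI), fake_cert(CA_SPKI), fake_cert(ROOT_SPKI)
```

With a real chain, feed the DER certificates in the order the MTA presents them; `match_chain([EE_CERT, CA_CERT], [(2, 1, 1, tlsa_data(ROOT_CERT, 1, 1))])` is False until the root is appended to the chain, while a `(3, 1, 1, ...)` record for the leaf matches regardless of which intermediate signed it.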