Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be phased out in favour of "R3" and "E1" which have new keys, and so any DANE TLSA "2 1 1" records matching "X3" will not match "R3" or "E1".
https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html
If you are using Let's Encrypt with DANE-TA(2) [issuer CA] TLSA records, any extant "2 1 1" records need to be augmented soon with additional records matching the new "R3" and "E1", in advance of these reissuing your certificates.
Failure to act in time is likely to result in an outage once renewals switch to signing via "R3" or "E1".
Links to the actual certificates can be found at:
https://letsencrypt.org/certificates/ https://letsencrypt.org/certs/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-e1.pem
The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it, re-compute these for yourself):
; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1 ; _25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1 ; _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
The above were computed with the attached "tlsagen" script, but it is prudent to also check with tools from other sources, this email message could well have been a forgery (I hope your copy matches what I sent).