Subtle DNS problems to avoid...
Some of the domains I've tested exhibit sporadic TLSA record DNS lookup errors, with some of the domain's nameservers working fine, and others not so well. DANE mail to these sites gets through eventually, but perhaps with some delay. You can see some of the problems at the URLs below:
http://dnsviz.net/d/_25._tcp.mx.edpescelsa.com.br/dnssec/
http://dnsviz.net/d/_25._tcp.smtp1.gencat.cat/dnssec/
http://dnsviz.net/d/_25._tcp.mail.edsi-tech.com/dnssec/
http://dnsviz.net/d/_25._tcp.mail.intersatafrica.com/dnssec/
http://dnsviz.net/d/_25._tcp.mailserver.planetvampire.com/dnssec/
http://dnsviz.net/d/_25._tcp.mailhost.bncr.fi.cr/dnssec/
http://dnsviz.net/d/_25._tcp.www.linuxdays.cz/dnssec/
http://dnsviz.net/d/_25._tcp.smtp.richland.edu/dnssec/
http://dnsviz.net/d/_25._tcp.mta0.core.aeschi.eu/dnssec/
http://dnsviz.net/d/_25._tcp.exceed-it.eu/dnssec/
http://dnsviz.net/d/_25._tcp.smtpedge2.uspto.gov/dnssec/
http://dnsviz.net/d/_25._tcp.mx2.dnet.net.id/dnssec/
http://dnsviz.net/d/_25._tcp.dmg2.dtic.mil/dnssec/
http://dnsviz.net/d/_25._tcp.mailproxy.cnic.navy.mil/dnssec/
http://dnsviz.net/d/_25._tcp.transport.hub210.net/dnssec/
http://dnsviz.net/d/_25._tcp.mx1.kurty.net/dnssec/
http://dnsviz.net/d/_25._tcp.mail.zwei.net/dnssec/
http://dnsviz.net/d/_25._tcp.mailfilter.webguru.nl/dnssec/
http://dnsviz.net/d/_25._tcp.rejo.zenger.nl/dnssec/
http://dnsviz.net/d/_25._tcp.smtpin1.stgraber.org/dnssec/
http://dnsviz.net/d/_25._tcp.charybda.torinthiel.pl/dnssec/
http://dnsviz.net/d/_25._tcp.brownsugar.se/dnssec/
http://dnsviz.net/d/_25._tcp.mailgw01.harnosand.se/dnssec/
http://dnsviz.net/d/_25._tcp.em01.jhwbg.se/dnssec/
http://dnsviz.net/d/_25._tcp.manc.se/dnssec/
http://dnsviz.net/d/_25._tcp.nllplus.se/dnssec/
http://dnsviz.net/d/_25._tcp.rafel.se/dnssec/
Problems include:
* Warnings about glue NS records differing from authoritative NS records (some of the "extra" nameservers don't support DNSSEC, refuse service, ...).
* Warnings about likely UDP fragmentation problems (no response unless EDNS0 payload is reduced).
* Some nameservers reachable only via TCP.
* Some nameservers refusing service for the domain.
* Some nameservers not returning NSEC or NSEC3 records with denial of existence.
* Some nameservers returning the wrong or partial NSEC3 records, failing to take into account intermediate domains between the zone apex and the qname.
* Some nameservers returning nonsense NSEC records.
* Expired RRSIGs on a subset of the nameservers.
* NODATA instead of NXDOMAIN for a subset of the nameservers.
* NSEC records with no RRSIG for a subset of the nameservers.
Bottom line, please check your DNS from time to time. Even if mail is getting through, and DANE tests report success, there may be some latent problems.
And if anyone on this list owns the above domains, or knows the responsible parties, please correct your DNS or reach out to your contacts.
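The per-nameserver check the post asks for, as an added example that is not part of the original message and not Viktor's code. It shells out to ISC `dig` (assumed installed) to query each authoritative server directly with the DO bit set, then classifies the text output into the failure modes listed above (refused/SERVFAIL, truncation, missing EDNS/DO, unsigned TLSA, NODATA or NXDOMAIN without NSEC/NSEC3, unsigned denial records, expired RRSIGs) and cross-checks the servers for status disagreements such as NODATA on one and NXDOMAIN on another. The server names and dig transcripts in the samples at the bottom are constructed, not real hosts.

```python
"""Per-nameserver TLSA lookup checker (added example, not the post's code)."""
import re
import subprocess
import sys
from datetime import datetime, timezone

# RRSIG rdata as dig prints it: <covered> <alg> <labels> <ttl> <expiry> <inception> ...
RRSIG_RE = re.compile(r"\sRRSIG\s+\S+\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+\d{14}\s")


def _sections(text):
    """Split dig output into {SECTION: [record lines]}; ';' comment lines are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):
            sections[current].append(line)
    return sections


def _types(lines):
    """Record types present on the lines; RRSIGs are reported as RRSIG/<covered type>."""
    types = set()
    for line in lines:
        m = re.search(r"\sIN\s+(\S+)(?:\s+(\S+))?", line)
        if m:
            types.add("RRSIG/" + m.group(2) if m.group(1) == "RRSIG" else m.group(1))
    return types


def classify(dig_text, now=None):
    """Return {"status": ..., "problems": [...]} for one server's dig output."""
    now = now or datetime.now(timezone.utc)
    if "connection timed out" in dig_text or "no servers could be reached" in dig_text:
        return {"status": "UNREACHABLE", "problems": ["unreachable"]}
    problems = set()
    m = re.search(r"status: (\w+)", dig_text)
    status = m.group(1) if m else "NOSTATUS"
    if status in ("REFUSED", "SERVFAIL"):
        problems.add(status.lower())
    m = re.search(r";; flags: ([^;]*);", dig_text)
    flags = m.group(1).split() if m else []
    if "tc" in flags:                      # UDP answer truncated: TCP needed
        problems.add("truncated")
    if "aa" not in flags and status in ("NOERROR", "NXDOMAIN"):
        problems.add("not-authoritative")
    if "OPT PSEUDOSECTION" not in dig_text:  # no EDNS at all
        problems.add("no-edns")
    elif not re.search(r"; EDNS: .*flags:[^;]*\bdo\b", dig_text):
        problems.add("no-do-bit")          # server ignored the DNSSEC OK bit
    secs = _sections(dig_text)
    answer = _types(secs.get("ANSWER", []))
    authority = _types(secs.get("AUTHORITY", []))
    if status == "NOERROR" and "TLSA" in answer:
        if "RRSIG/TLSA" not in answer:
            problems.add("tlsa-unsigned")
    elif status in ("NOERROR", "NXDOMAIN"):
        if status == "NOERROR":
            status = "NODATA"              # empty answer: must carry NSEC/NSEC3 denial
        denial = {"NSEC", "NSEC3"} & authority
        if not denial:
            problems.add("denial-without-nsec")
        elif not any("RRSIG/" + t in authority for t in denial):
            problems.add("nsec-unsigned")
    for expiry in RRSIG_RE.findall(dig_text):
        if datetime.strptime(expiry, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc) < now:
            problems.add("expired-rrsig")
    return {"status": status, "problems": sorted(problems)}


def compare(results):
    """Cross-check per-server results: servers disagreeing on status is itself a problem."""
    statuses = {r["status"] for r in results.values() if r["status"] != "UNREACHABLE"}
    report = {ns: list(r["problems"]) for ns, r in results.items()}
    if len(statuses) > 1:
        for ns in report:
            report[ns].append("status-disagreement:" + results[ns]["status"])
    return report


def check_live(name, nameservers):
    """Query each server with dig; on timeout retry with a small EDNS buffer, then TCP."""
    results = {}
    for ns in nameservers:
        for extra, tag in ((), None), (("+bufsize=512",), "udp-fragmentation"), (("+tcp",), "tcp-only"):
            cmd = ["dig", "+dnssec", "+norecurse", "+time=3", "+tries=1", *extra, "@" + ns, name, "TLSA"]
            res = classify(subprocess.run(cmd, capture_output=True, text=True).stdout)
            if res["status"] != "UNREACHABLE":
                if tag:
                    res["problems"].append(tag)
                break
        results[ns] = res
    return compare(results)


# Constructed dig transcripts (no real servers): a good signed answer, and a
# NODATA reply from a server that ignored the DO bit and sent no NSEC/NSEC3.
SAMPLE_GOOD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
_25._tcp.mx.example.net. 3600\tIN\tTLSA\t3 1 1 0123456789ABCDEF
_25._tcp.mx.example.net. 3600\tIN\tRRSIG\tTLSA 13 5 3600 20990101000000 20240101000000 12345 example.net. c2ln
"""
SAMPLE_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; AUTHORITY SECTION:
example.net.\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 1 2 3 4 5
"""

if __name__ == "__main__":
    # usage: python check_tlsa.py _25._tcp.mx.example.net ns1.example.net ns2.example.net
    print(check_live(sys.argv[1], sys.argv[2:]))
```

Run it with the TLSA owner name and the full NS set of the zone (including any "extra" glue-only servers), since the whole point is that a subset of servers can be broken while the rest answer correctly.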
Participants (1):
- Viktor Dukhovni