Now that I am able to contribute commits to the danefail list at:
https://github.com/danefail/list
https://raw.githubusercontent.com/danefail/list/master/dane_fail_list.dat
I've pushed data for many of the domains served by MX hosts with persistent issues.
You can use this list to confirm that you're not the only one with delivery issues to one of the listed domains, and perhaps create exceptions for such domains in your configuration.
Also, please try not to end up on the list:
https://dane.sys4.de/common_mistakes
http://imrryr.org/~viktor/ICANN61-viktor.pdf
http://imrryr.org/~viktor/icann61-viktor.mp3
Do implement monitoring of your own TLSA records and DNSSEC zone. Do implement a key/cert rollover process that ensures that matching TLSA records for both the old and the new cert have been in place for some time (multiple TTLs and slave zone refresh times) before deploying new certificate chains.
When using DANE-TA(2) TLSA records, make sure that the certificate does not expire, that it has a name that matches the MX hostname, and that the trust-anchor certificate is included in the server's chain file.
Participants (1): Viktor Dukhovni
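The two checks the post asks operators to implement, a TLSA monitor and a pre-deployment rollover gate, as an added example that is not part of the original post and not code from Viktor Dukhovni or from Postfix. It computes the TLSA association data (selector 0/1, matching type 0/1/2) from DER certificates with only the Python standard library, and evaluates an RRset against a served chain the way a DANE SMTP client does (RFC 7671 matching for usages 2 and 3). The certificates, the MX name mx.example.com and the issuer name "Example CA" are constructed for the example: they are X.509-shaped DER with a dummy signature, which is enough for selector extraction; feed it real DER from `openssl x509 -outform DER` to check a live MX.

```python
"""TLSA association data and RRset-vs-chain checks, standard library only.
Certificates below are CONSTRUCTED (X.509-shaped DER, dummy signature)."""
import hashlib


def der_tlv(tag, body):
    """Encode one DER TLV with definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def spki_der(cert_der):
    """Return the SubjectPublicKeyInfo TLV (TLSA selector 1) of a DER cert."""
    _, cert_body, _ = der_read(cert_der)       # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert_body)            # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, after = der_read(tbs, pos)
    if tag == 0xA0:                            # optional EXPLICIT [0] version
        pos = after
    for _ in range(5):                         # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return tbs[pos:end]


def tlsa_data(cert_der, selector, mtype):
    """Hex association data: selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    obj = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        return obj.hex()
    if mtype == 1:
        return hashlib.sha256(obj).hexdigest()
    if mtype == 2:
        return hashlib.sha512(obj).hexdigest()
    raise ValueError("unknown matching type")


def tlsa_rr(mx_host, usage, selector, mtype, cert_der):
    """Zone-file line a monitor should expect to find in DNS for this cert."""
    return (f"_25._tcp.{mx_host}. IN TLSA {usage} {selector} {mtype} "
            f"{tlsa_data(cert_der, selector, mtype)}")


def rrset_matches_chain(rrset, chain):
    """True if some record authenticates the chain (chain[0] is the leaf).
    DANE-EE(3) must match the leaf; DANE-TA(2) must match a cert that is
    actually present in the served chain file, or clients cannot verify.
    PKIX usages 0/1 are skipped: they are not valid for SMTP (RFC 7672)."""
    for usage, selector, mtype, data in rrset:
        if usage == 3:
            candidates = chain[:1]
        elif usage == 2:
            candidates = chain
        else:
            continue
        if any(tlsa_data(c, selector, mtype) == data.lower() for c in candidates):
            return True
    return False


def rollover_safe(rrset, old_chain, new_chain):
    """Pre-deployment gate: the published RRset must cover BOTH the chain
    currently served and the one about to be deployed."""
    return rrset_matches_chain(rrset, old_chain) and rrset_matches_chain(rrset, new_chain)


def fake_cert(serial, issuer_cn, subject_cn, pubkey):
    """CONSTRUCTED sample: X.509-shaped DER with a dummy signature."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (CN only)
        return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,
            der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, cn.encode()))))
    sha256_rsa = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + der_tlv(0x05, b""))
    rsa_enc = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010101")) + der_tlv(0x05, b""))
    tbs = der_tlv(0x30,
        der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial])) + sha256_rsa
        + name(issuer_cn)
        + der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
        + name(subject_cn)
        + der_tlv(0x30, rsa_enc + der_tlv(0x03, b"\x00" + pubkey)))
    return der_tlv(0x30, tbs + sha256_rsa + der_tlv(0x03, b"\x00" + b"\xAA" * 32))


CA = fake_cert(1, "Example CA", "Example CA", b"\x01" * 64)          # constructed
OLD_LEAF = fake_cert(2, "Example CA", "mx.example.com", b"\x02" * 64)  # constructed
NEW_LEAF = fake_cert(3, "Example CA", "mx.example.com", b"\x03" * 64)  # constructed


def demo():
    """Walk the rollover and DANE-TA cases; returns a dict of outcomes."""
    ee_old = (3, 1, 1, tlsa_data(OLD_LEAF, 1, 1))
    ee_new = (3, 1, 1, tlsa_data(NEW_LEAF, 1, 1))
    ta_ca = (2, 1, 1, tlsa_data(CA, 1, 1))
    return {
        # only the old "3 1 1" published, then NEW_LEAF deployed: DANE breaks
        "old_rrset_covers_new": rollover_safe([ee_old], [OLD_LEAF, CA], [NEW_LEAF, CA]),
        # both records published first (then wait out TTLs and slave refresh): safe
        "both_published": rollover_safe([ee_old, ee_new], [OLD_LEAF, CA], [NEW_LEAF, CA]),
        # DANE-TA(2) only works when the TA cert is actually in the served chain
        "ta_in_chain": rrset_matches_chain([ta_ca], [NEW_LEAF, CA]),
        "ta_missing_from_chain": rrset_matches_chain([ta_ca], [NEW_LEAF]),
    }


if __name__ == "__main__":
    print(tlsa_rr("mx.example.com", 3, 1, 1, NEW_LEAF))
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

For a live check, compare the output of `tlsa_rr()` for the certificate the MX actually serves against what `dig +dnssec TLSA _25._tcp.mx.example.com` returns from several resolvers, and only run the cutover once `rollover_safe()` is true for the RRset every resolver sees, not just the primary's.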