I have enabled DNSSEC at the registrar, but had to remove their entry. They removed the signing 16 days ago (must enough time to be not cached by public DNS anymore), but third party mailserver (such as tutanota.com, posteo.de etc.) that are DANE-enabled mail servers do still x-check and see an entry, thus not delivering (because guess they assume MiaB is under attack). They recognize MiaB still supports DANE (cf. posteo).
Short check at SidnLabs DANE Test revealed the following:
_"Warning! TLSA records for _443.tcp.box.emailserver.com. were found, but were insecure.
PKIX validation without DANE will be performed. If you wish to perform DANE
even though the RR’s are insecure, use the -d option.
Warning! Insecure IPv4 addresses. Continuing with them…
99.999.99.999 dane-validated successfully"
How can I solve this issue?