The TLSA records fail to validate the certificate chain. Inbound email may be delayed or not delivered

I have received this e-mail:

About the DANE Survey: https://stats.dnssec-tools.org/about.html
DANE Survey Statistics: https://stats.dnssec-tools.org/

The TLSA RRsets of some of your email servers do not match their actual
certificate chains. This impedes email delivery to your domain. Please
monitor your systems and adopt a better key rotation approach, what
you’re doing now is fragile and does not work reliably. It is better to
have no TLSA records than to have incorrect TLSA records.

Issue details for the affected domains:

domain.win
domain2.uk
domain3.co.uk
domain4.uk
domain5.wiki
domain6.co

can be seen at:

http://stats.dnssec-tools.org/explore/?domain.win

Suggested more robust TLSA record management approaches can be found via:

https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

You can test your SMTP server DANE support at:

https://dane.sys4.de

But MIAB running v0.40 is saying everything is good, apart of version not being up to date …