The TLSA records fail to validate the certificate chain. Inbound email may be delayed or not delivered

I have received this e-mail:

About the DANE Survey:
DANE Survey Statistics:

The TLSA RRsets of some of your email servers do not match their actual
certificate chains. This impedes email delivery to your domain. Please
monitor your systems and adopt a better key rotation approach, what
you’re doing now is fragile and does not work reliably. It is better to
have no TLSA records than to have incorrect TLSA records.

Issue details for the affected domains:

can be seen at:

Suggested more robust TLSA record management approaches can be found via:

You can test your SMTP server DANE support at:

But MIAB running v0.40 is saying everything is good, apart from the version not being up to date …
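How a TLSA RRset is compared against a presented chain, and why a key change without a matching DNS update produces the mismatch the e-mail reports. This is an added example, not part of the original post or of Mail-in-a-Box; the byte strings are constructed stand-ins for DER data, and publishing the next key's record before the swap is an assumed rotation approach, not one taken from the e-mail.

```python
import hashlib

HASHES = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types 1 and 2

def parse_tlsa(rdata):
    """Parse presentation-format RDATA: 'usage selector mtype hex...'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), "".join(hexparts).lower()

def tlsa_value(cert_der, spki_der, selector, mtype):
    """Value a record with this selector/matching type must carry, or None if unusable."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        return None
    data = spki_der if selector == 1 else cert_der  # 1 = public key, 0 = full cert
    return data.hex() if mtype == 0 else HASHES[mtype](data).hexdigest()

def chain_matches(rrset, chain):
    """chain: list of (cert_der, spki_der) pairs, leaf first.
    Usage 3 (DANE-EE) is checked against the leaf, usage 2 (DANE-TA) against
    the issuer certificates the server presents (a simplification)."""
    for rdata in rrset:
        usage, selector, mtype, want = parse_tlsa(rdata)
        candidates = {3: chain[:1], 2: chain[1:]}.get(usage, [])
        for cert_der, spki_der in candidates:
            if tlsa_value(cert_der, spki_der, selector, mtype) == want:
                return True
    return False

# Constructed stand-ins for DER bytes; real input is the chain the MX presents.
OLD_LEAF = (b"cert-old", b"spki-old")
NEW_LEAF = (b"cert-new", b"spki-new")
ISSUER = (b"cert-issuer", b"spki-issuer")

def rec_311(spki_der):
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()

def rotation_demo():
    stale = [rec_311(OLD_LEAF[1])]            # only the old key is published
    rolled = stale + [rec_311(NEW_LEAF[1])]   # next key published before the swap
    return (chain_matches(stale, [OLD_LEAF, ISSUER]),   # before rotation
            chain_matches(stale, [NEW_LEAF, ISSUER]),   # key replaced, DNS not updated
            chain_matches(rolled, [NEW_LEAF, ISSUER]))  # key replaced, both published

if __name__ == "__main__":
    print(rotation_demo())
```

The middle case is the state the survey flags: the records are present and DNSSEC-valid, but none of them corresponds to the certificate the server now presents.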