Look up the TLSA records published at _25._tcp.<mx-host> for a domain's MX hosts. DANE (RFC 6698) lets you pin your SMTP cert hash in DNS so receivers don't have to trust public CAs. Only meaningful when the parent zone is DNSSEC-signed; the tool flags that gap.
DANE protects against active attackers who can intercept your SMTP traffic and present a forged certificate. Without DANE, the receiver only knows "this cert was issued by some CA my system trusts." With DANE, the receiver checks "this cert's hash matches the one the domain published in DNS."
The catch: DANE only works if the TLSA record itself can't be forged. That requires DNSSEC to be in place and validating end-to-end. Publishing TLSA without DNSSEC is theatre — an attacker who can spoof DNS spoofs the TLSA record too. Run our DNSSEC checker to confirm the signing chain is intact.
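The receiver-side check described above, as an added example (not code from this tool): TLSA records are trusted only when the DNS answer was DNSSEC-validated, and only then compared with the certificate the server presented. The function names, result strings and sample bytes are assumptions made for illustration, the SubjectPublicKeyInfo is assumed to have been extracted from the certificate already, and only DANE-EE (usage 3) records are evaluated.

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 3 = DANE-EE (pins the server's own certificate)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex>' (hex may be split)."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError(f"malformed TLSA rdata: {rdata!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError(f"unknown TLSA parameters: {rdata!r}")
    data = bytes.fromhex("".join(parts[3:]))
    if mtype in DIGESTS and len(data) != DIGESTS[mtype]().digest_size:
        raise ValueError("digest length does not fit the matching type")
    return TLSA(usage, selector, mtype, data)

def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply the record's selector and matching type to the presented cert."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype in DIGESTS:
        selected = DIGESTS[rec.mtype](selected).digest()
    return selected == rec.data

def evaluate(rrset, dnssec_validated: bool, cert_der: bytes, spki_der: bytes) -> str:
    if not rrset:
        return "no-tlsa"
    if not dnssec_validated:
        return "insecure"   # spoofable answer: the pins must be ignored
    pins = [r for r in map(parse_tlsa, rrset) if r.usage == 3]
    if not pins:
        return "unusable"   # only non-DANE-EE usages, outside this example
    hit = any(matches(r, cert_der, spki_der) for r in pins)
    return "match" if hit else "mismatch"

# Constructed placeholder bytes standing in for real DER encodings.
CERT_DER = b"constructed-certificate-der"
SPKI_DER = b"constructed-spki-der"
PUBLISHED = ["3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()]

if __name__ == "__main__":
    print(evaluate(PUBLISHED, True, CERT_DER, SPKI_DER))
    print(evaluate(PUBLISHED, False, CERT_DER, SPKI_DER))
```

A "mismatch" on a validated record set is the case DANE exists to catch: the presented certificate is not the one the domain published.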