[Arnt]

LE doesn't need any A or AAAA record. The domain must exist in the DNS and you must be able to create records in the domain.

If you're using internet mail you have a domain, so you can do this. The time for self-signed certificates has passed.

[kortilla]

A pinned self cert is still more secure than this because you don’t have to trust any CAs.

> The time for self-signed certificates has passed.

This is bad blanket advice and very much depends on use-case.

[Arnt]

Software is a collective. A billion or so people get the same software. The time for self-signed certs has passed because supporting that in software for a billion people opens up some of that billion to attack.

The few people who understand the niceties of certs can create a private CA, trust that, and use that CA to sign a regular cert. Doing that is nontrivial, but it doesn't put other people at risk.