@adamjedgar So for me, on domains.google.com I currently have a TLSA type record for my Virtualmin served domains to implement DKIM verification for Mailgun because I send out all mail through them. I did that because I’m still too cheap to buy a Static IP, and couldn’t figure a way to get mail to leave my server without doing the Mailgun type thing.
I used to have glue records at domains.google.com but I got rid of them when I realized I had a way to automate my DHCP address changes.
Since the glue records are static there, I cannot use Virtualmin to implement DKIM / DANE type authentication unless I manually alter the IP of the glue records at each Dynamic IP change, right?