diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 2cad7afb..155e3337 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -281,9 +281,14 @@ class Domain(Base):
 def dns_tlsa(self):
 """ return TLSA record for domain when using letsencrypt """
 hostname = app.config['HOSTNAME']
- if app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
- # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
- return f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3'
+ if True:# app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
+ return [
+ # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
+ f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3',
+ # current ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2) @20240311
+ f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332',
+ ]
+ return []
 @property
 def dkim_key(self):
diff --git a/core/admin/mailu/ui/templates/domain/details.html b/core/admin/mailu/ui/templates/domain/details.html
index 74657c28..183f7d1c 100644
--- a/core/admin/mailu/ui/templates/domain/details.html
+++ b/core/admin/mailu/ui/templates/domain/details.html
@@ -48,11 +48,14 @@ {%- endif %}
-{%- set tlsa_record=domain.dns_tlsa %}
-{%- if tlsa_record %}
+{%- if domain.dns_tlsa|length > 0 %}
- {% trans %}DNS TLSA entry{% endtrans %}
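Review bot: `if True:# app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):` silently drops the TLS_FLAVOR gate, so the zonefile and the domain details page now advertise DANE records pinning the ISRG roots even when TLS_FLAVOR is something other than the two letsencrypt flavors and the MX presents a certificate from a different CA; an operator who copies those records into DNS will have delivery from DANE-enforcing senders fail, because usable TLSA records that match nothing in the presented chain are a hard failure, not a fallback. The `return []` that follows is unreachable. If the relaxation is intentional, remove the dead condition and the unreachable return and say so in the docstring; otherwise restore the check as `if app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):`. The docstring should also reflect the new return type, e.g. `""" return list of TLSA records for the MX hostname when using letsencrypt (empty otherwise) """`. The decorator line for dns_tlsa sits above the hunk.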
Let's Encrypt
ISRG Root X1
- {{ macros.clip("dns_tlsa") }}
{{ tlsa_record }}
+ {% trans %}DNS TLSA entry{% endtrans %}
Let's Encrypt ISRG Roots + {{ macros.clip("dns_tlsa") }}
+{%- for line in domain.dns_tlsa %}
+{{ line }}
+{%- endfor -%}
+  
{%- endif %}
diff --git a/core/admin/mailu/ui/views/domains.py b/core/admin/mailu/ui/views/domains.py
index dcd1aedd..5262032b 100644
--- a/core/admin/mailu/ui/views/domains.py
+++ b/core/admin/mailu/ui/views/domains.py
@@ -81,8 +81,8 @@ def domain_download_zonefile(domain_name):
 txt = ' '.join(f'"{txt[p:p+250]}"' for p in range(0, len(txt), 250))
 res.append(f'{record} {txt}')
 res.append(domain.dns_dmarc)
- if domain.dns_tlsa:
- res.append(domain.dns_tlsa)
+ for tlsa in domain.dns_tlsa:
+ res.append(tlsa)
 res.extend(domain.dns_autoconfig)
 res.append("")
 return flask.Response(
diff --git a/towncrier/newsfragments/3191.feature b/towncrier/newsfragments/3191.feature
new file mode 100644
index 00000000..1fde020c
--- /dev/null
+++ b/towncrier/newsfragments/3191.feature
@@ -0,0 +1 @@
+Ensure that we encourage users to also pin ISRG X2 in their TLSA records
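Review bot: `{%- if domain.dns_tlsa|length > 0 %}` evaluates the dns_tlsa property once and the `{%- for line in domain.dns_tlsa %}` loop evaluates it again, where the removed `{%- set tlsa_record=domain.dns_tlsa %}` had already captured it; keeping a single capture is both cheaper and guarantees the guard and the loop see the same list. Suggest `{%- set tlsa_records=domain.dns_tlsa %}` followed by `{%- if tlsa_records %}` and `{%- for line in tlsa_records %}`. The surrounding markup in this hunk appears to have lost its tags in rendering, so the exact lines to change are inferred from the Jinja statements only.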
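Review bot: `for tlsa in domain.dns_tlsa: res.append(tlsa)` is a manual append loop sitting directly above `res.extend(domain.dns_autoconfig)`, which already does the same thing for the other list-valued property; the new lines should match it as `res.extend(domain.dns_tlsa)`. That also keeps the zonefile builder agnostic to whether dns_tlsa returns zero, one or several records. domain_download_zonefile starts above the hunk and continues below it.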