diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 155e3337..7cde30b9 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -281,7 +281,7 @@ class Domain(Base):
     def dns_tlsa(self):
         """ return TLSA record for domain when using letsencrypt """
         hostname = app.config['HOSTNAME']
-        if True:# app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
+        if app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
             return [
                 # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
                 f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3',
diff --git a/core/admin/mailu/ui/views/domains.py b/core/admin/mailu/ui/views/domains.py
index 5262032b..a3b78204 100644
--- a/core/admin/mailu/ui/views/domains.py
+++ b/core/admin/mailu/ui/views/domains.py
@@ -81,8 +81,7 @@ def domain_download_zonefile(domain_name):
         txt = ' '.join(f'"{txt[p:p+250]}"' for p in range(0, len(txt), 250))
         res.append(f'{record} {txt}')
         res.append(domain.dns_dmarc)
-    for tlsa in domain.dns_tlsa:
-        res.append(tlsa)
+    res.extend(domain.dns_tlsa)
     res.extend(domain.dns_autoconfig)
     res.append("")
     return flask.Response(