diff --git a/core/admin/mailu/api/v1/domain.py b/core/admin/mailu/api/v1/domain.py
index c5f98530..2edb10d2 100644
--- a/core/admin/mailu/api/v1/domain.py
+++ b/core/admin/mailu/api/v1/domain.py
@@ -39,20 +39,20 @@ domain_fields_get = api.model('DomainGet', {
     'dns_autoconfig': fields.List(fields.String(description='DNS client auto-configuration entry')),
     'dns_mx': fields.String(Description='MX record for domain'),
     'dns_spf': fields.String(Description='SPF record for domain'),
-    'dns_dkim': fields.String(Description='DKIM record for domain'),
+    'dns_dkim': fields.String(Description='DKIM records for domain'),
     'dns_dmarc': fields.String(Description='DMARC record for domain'),
     'dns_dmarc_report': fields.String(Description='DMARC report record for domain'),
-    'dns_tlsa': fields.String(Description='TLSA record for domain'),
+    'dns_tlsa': fields.List(fields.String(Description='TLSA records for domain')),
 })
 
 domain_fields_dns = api.model('DomainDNS', {
     'dns_autoconfig': fields.List(fields.String(description='DNS client auto-configuration entry')),
     'dns_mx': fields.String(Description='MX record for domain'),
     'dns_spf': fields.String(Description='SPF record for domain'),
-    'dns_dkim': fields.String(Description='DKIM record for domain'),
+    'dns_dkim': fields.String(Description='DKIM records for domain'),
     'dns_dmarc': fields.String(Description='DMARC record for domain'),
     'dns_dmarc_report': fields.String(Description='DMARC report record for domain'),
-    'dns_tlsa': fields.String(Description='TLSA record for domain'),
+    'dns_tlsa': fields.List(fields.String(Description='TLSA records for domain')),
 })
 
 manager_fields = api.model('Manager', {
diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 2cad7afb..7cde30b9 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
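Review bot: The rewritten `dns_dkim` and `dns_tlsa` lines keep the capital-D `Description=` keyword, while the `dns_autoconfig` line in the same model spells it `description=`; flask-restx field constructors take `description` (lowercase) and, as far as I can tell, drop unrecognised keyword arguments without error, so the new descriptions never reach the generated OpenAPI schema. Since the commit already touches these lines in both `DomainGet` and `DomainDNS`, change them to `'dns_dkim': fields.String(description='DKIM records for domain'),` and `'dns_tlsa': fields.List(fields.String(description='TLSA records for domain')),`. Also, `dns_dkim` is now described as "records" (plural) but stays a `fields.String`, which reads as if a list were returned; if the value is still a single record, keep the singular wording.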
@@ -282,8 +282,13 @@ class Domain(Base):
         """ return TLSA record for domain when using letsencrypt """
         hostname = app.config['HOSTNAME']
         if app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
-            # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
-            return f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3'
+            return [
+                # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
+                f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3',
+                # current ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2) @20240311
+                f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332',
+            ]
+        return []
 
     @property
     def dkim_key(self):
diff --git a/core/admin/mailu/ui/templates/domain/details.html b/core/admin/mailu/ui/templates/domain/details.html
index 74657c28..d32cf740 100644
--- a/core/admin/mailu/ui/templates/domain/details.html
+++ b/core/admin/mailu/ui/templates/domain/details.html
@@ -48,11 +48,10 @@ {%- endif %} -{%- set tlsa_record=domain.dns_tlsa %} -{%- if tlsa_record %} +{%- if domain.dns_tlsa|length > 0 %} - {% trans %}DNS TLSA entry{% endtrans %}
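Review bot: The docstring on the first context line still says "return TLSA record" (singular) although the property now returns a list and the new `return []` replaces the implicit `None` for non-letsencrypt flavors; change it to `""" return list of TLSA records for domain when using letsencrypt, empty list otherwise """`. Both records use usage/selector/matching `2 1 1`, i.e. they pin the SHA-256 of a specific ISRG root's public key as the trust anchor, and the `@20210902`/`@20240311` suffixes show the digests are dated snapshots; a comment above the list should state that they must be re-verified against Let's Encrypt's published roots and updated when a root is rotated or retired, since a stale digest makes DANE validation of this host fail for validating senders. The property's decorator and signature are above the hunk.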
Let's Encrypt
ISRG Root X1
- {{ macros.clip("dns_tlsa") }}
{{ tlsa_record }}
+ {% trans %}DNS TLSA entry{% endtrans %}
Let's Encrypt ISRG Roots + {{ macros.clip("dns_tlsa") }}
{{ domain.dns_tlsa | join("\n") }}
{%- endif %}
diff --git a/core/admin/mailu/ui/views/domains.py b/core/admin/mailu/ui/views/domains.py
index dcd1aedd..a3b78204 100644
--- a/core/admin/mailu/ui/views/domains.py
+++ b/core/admin/mailu/ui/views/domains.py
@@ -81,8 +81,7 @@ def domain_download_zonefile(domain_name):
         txt = ' '.join(f'"{txt[p:p+250]}"' for p in range(0, len(txt), 250))
         res.append(f'{record} {txt}')
     res.append(domain.dns_dmarc)
-    if domain.dns_tlsa:
-        res.append(domain.dns_tlsa)
+    res.extend(domain.dns_tlsa)
     res.extend(domain.dns_autoconfig)
     res.append("")
     return flask.Response(
diff --git a/towncrier/newsfragments/3191.feature b/towncrier/newsfragments/3191.feature
new file mode 100644
index 00000000..1fde020c
--- /dev/null
+++ b/towncrier/newsfragments/3191.feature
@@ -0,0 +1 @@
+Ensure that we encourage users to also pin ISRG X2 in their TLSA records
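Review bot: The new guard `{%- if domain.dns_tlsa|length > 0 %}` can be written as `{%- if domain.dns_tlsa %}`, which is the usual Jinja idiom for a non-empty list and, unlike the `length` filter, does not raise if the value is ever `None` rather than a list. The rest of the rendered block then reads as before with `{{ domain.dns_tlsa | join("\n") }}`. The surrounding template markup is not fully recoverable from this view, so the exact placement of the `dt`/`dd` elements is left to the author.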