diff --git a/mailcow.yml b/mailcow.yml
index 8094159..707d630 100644
--- a/mailcow.yml
+++ b/mailcow.yml
@@ -416,6 +416,30 @@
 backup: yes
 validate: /bin/bash -n %s
+ - name: /usr/local/sbin/runchecks.d/danetlsa.check
+ blockinfile:
+ path: /usr/local/sbin/runchecks.d/danetlsa.check
+ mode: "0400"
+ owner: root
+ group: root
+ create: yes
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ block: |
+ cd ${g_tmp}
+ host=mail.{{inventory_hostname}}
+ openssl s_client -showcerts -connect ${host}:443 < /dev/null 2>/dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
+ for cert in *.pem
+ do
+ certname=$(openssl x509 -noout -subject -in ${cert} 2>/dev/null | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
+ [ "${certname}" != "${host}.pem" ] && continue
+ tlsa=$(openssl x509 -in "${cert}" -noout -pubkey 2>/dev/null | openssl rsa -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -hex 2>/dev/null | cut -d" " -f2)
+ dnstlsa=$(host -t TLSA *._tcp.${host} | cut -d" " -f 8,9 | tr '[:upper:]' '[:lower:]' | sed 's/ //g')
+ [ "${tlsa}" != "${dnstlsa}" ] && g_echo_error "DNS TLSA incorrect! *._tcp.${host} should be ${tlsa} but is ${dnstlsa} (host -t TLSA *._tcp.${host})"
+ done
+ rm *.pem
+ cd - >/dev/null
+ backup: yes
+ validate: /bin/bash -n %s
 handlers:
 - name: Restart mailcow
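Review bot: The `openssl rsa -pubin` stage in the `tlsa=` line only accepts RSA keys; with an ECDSA certificate it fails, the `2>/dev/null` hides the failure, and the resulting empty `${tlsa}` is reported as a DNS mismatch — `openssl pkey -pubin -outform DER` handles both key types and produces the same SPKI DER for RSA. The check also passes vacuously when no served certificate's CN maps to `${host}.pem` (every iteration takes the `continue`), so a wrong or default-vhost certificate is never reported; adding `-servername "${host}"` to the `s_client` call and a matched flag that raises an error after the loop closes that gap. `cd ${g_tmp}` is unchecked, so with g_tmp empty or missing the script keeps running in the caller's directory and `rm *.pem` deletes whatever PEM files live there; `cd "${g_tmp:?}" || exit 1` and `rm -f -- *.pem` bound that. The `*._tcp.${host}` argument to `host` is an unquoted glob and should be quoted.
```yaml
      block: |
        cd "${g_tmp:?}" || exit 1
        host=mail.{{inventory_hostname}}
        openssl s_client -showcerts -servername "${host}" -connect "${host}:443" < /dev/null 2>/dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
        matched=0
        for cert in *.pem
        do
          # … unchanged: certname derivation and the continue on CN mismatch …
          matched=1
          tlsa=$(openssl x509 -in "${cert}" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -hex 2>/dev/null | cut -d" " -f2)
          dnstlsa=$(host -t TLSA "*._tcp.${host}" | cut -d" " -f 8,9 | tr '[:upper:]' '[:lower:]' | sed 's/ //g')
          [ "${tlsa}" != "${dnstlsa}" ] && g_echo_error "DNS TLSA incorrect! *._tcp.${host} should be ${tlsa} but is ${dnstlsa} (host -t TLSA *._tcp.${host})"
        done
        [ "${matched}" -eq 1 ] || g_echo_error "no certificate for ${host} served on ${host}:443 - DANE TLSA record not verified"
        rm -f -- *.pem
        cd - >/dev/null
```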