You declare HSTS preload, but you are not in the preload list. You can not be added to the preload list at https://hstspreload.org/ because www.rootshell.is exists but has an invalid certificate.

Your MX TLS configuration supports various anon ciphers. These should be disabled.

Your DANE is broken. Try any of a number of freely available online validators.