vriska, thief of light
@leo@60228.dev
with hope crossed on our hearts
will likely approve follow requests
(pfp from Homestuck: Beyond Canon, banner from In Stars and Time)
Last listening to: Farewell - Lena Raine (album: Celeste: Farewell: Original Soundtrack)
Latest notes
@navi per RFC 2595 it needs to be vlhl.dev: "The client MUST use the server hostname it used to open the connection as the value to compare against the server name as expressed in the server certificate. The client MUST NOT use any form of the server hostname derived from an insecure remote source (e.g., insecure DNS lookup)."
RFC 7817 elaborates on this significantly but is afaik not implemented (its requirements for CAs conflict with CA/B Forum rules, for one). By my reading it would require clients to allow TLS certificates that match the domain part of the user's address, and optionally also certs matching the user-entered mail server domain.
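The hostname rule quoted from RFC 2595 above, as an added example that is not part of the original notes or of any RFC implementation: the name compared against the certificate is the host the user configured and the client connected to, never one learned from an insecure MX or SRV lookup. The RFC 6125-style wildcard matching and the optional RFC 7817 mailbox-domain identity follow the reading in the note above and are assumptions of this example, as are the constructed SAN lists (`vlhl.dev`, `mail.example.net`); no real connection is made.

```python
"""Reference-identity check for a mail client's TLS connection (added example).

Assumptions: the user configured vlhl.dev as the server; the MX record points
at a constructed host mail.example.net whose certificate may or may not also
cover vlhl.dev.
"""
import socket
import ssl
from typing import Iterable, Optional


def _labels(name: str) -> list:
    # DNS names are case-insensitive; a trailing dot is just the root.
    return name.rstrip(".").lower().split(".")


def dns_name_matches(presented: str, reference: str) -> bool:
    """Match one dNSName SAN against one reference identity (RFC 6125 s6.4.3 style).

    A wildcard is accepted only as the entire left-most label and matches exactly
    one label: '*.vlhl.dev' matches 'mail.vlhl.dev' but neither 'vlhl.dev' nor
    'a.b.vlhl.dev'. Wildcards with fewer than two labels after them ('*.dev')
    are refused as a conservative guard against public-suffix wildcards.
    """
    p, r = _labels(presented), _labels(reference)
    if "*" in presented:
        if p[0] != "*" or any("*" in lab for lab in p[1:]):
            return False          # 'm*.vlhl.dev' or 'mail.*.dev': not allowed
        if len(p) < 3:
            return False
        return len(p) == len(r) and p[1:] == r[1:]
    return p == r


def reference_identities(configured_host: str, mailbox: Optional[str] = None,
                         include_mailbox_domain: bool = False) -> set:
    """Names a certificate may legitimately be checked against.

    RFC 2595: always the host the client used to open the connection.
    RFC 7817 (per the reading in the note above; assumption): optionally the
    domain part of the user's address. A host derived from an insecure DNS
    lookup (MX/SRV target) is deliberately not a parameter: it must never
    become a reference identity.
    """
    ids = {".".join(_labels(configured_host))}
    if include_mailbox_domain and mailbox and "@" in mailbox:
        ids.add(".".join(_labels(mailbox.rsplit("@", 1)[1])))
    return ids


def certificate_matches(san_dns_names: Iterable[str], refs: Iterable[str]) -> bool:
    """True if any dNSName in the certificate matches any allowed reference identity."""
    return any(dns_name_matches(san, ref) for san in san_dns_names for ref in refs)


def open_imap_tls(configured_host: str, port: int = 993) -> ssl.SSLSocket:
    """What a client should actually do: let the ssl module verify chain and name,
    passing the configured host as server_hostname (used for SNI and as the
    reference identity). Not called here; it needs network access."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    raw = socket.create_connection((configured_host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=configured_host)


if __name__ == "__main__":
    refs = reference_identities("vlhl.dev")
    # Constructed: the MX target's cert only names itself -> must be rejected.
    print(certificate_matches(["mail.example.net"], refs))
    # Constructed: one cert covering both names -> accepted.
    print(certificate_matches(["mail.example.net", "vlhl.dev"], refs))
```

The two `certificate_matches` calls at the bottom are the two situations in the thread: a certificate issued only for the MX target fails when the user configured `vlhl.dev`, and a single certificate carrying both names passes.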
@navi the safest option is to just request a single cert for both, probably.
@navi if you do a DNS challenge, why would it be a problem?
@navi you can totally self-host DNS; if you do that you'll want https://certbot-dns-rfc2136.readthedocs.io/en/stable/ for certbot integration. It's just that it's so cheap to run that it almost always makes sense to pay someone else <$1/month to host it with geo-replication.
@navi instead of hosting DNS outright yourself you can also run https://github.com/acme-dns/acme-dns which is a minimal nameserver specifically designed for ACME challenges (via CNAME)
@navi if you do want to host DNS yourself, tl;dr: install bind9, look at the quickstart configurations in https://bind9.readthedocs.io/en/stable/chapter3.html#configuration, and in your registrar's settings set the nameserver(s) to the server(s) running bind9. Note that the nameserver you set has to itself be a domain name and not an IP address; if you want it to be a subdomain you can make a special kind of record called a "glue record" that's served directly by the registrar and not the normal nameserver. Namecheap calls this option a "Personal DNS Server" under "Advanced DNS" settings.