diff --git a/README.md b/README.md
index e734a0d..0afc141 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,11 @@ Run the unified diagnostics script from the repository root:
 ```
 This combines the previous `diagnostic.sh` and `health_check.sh` checks.
 
+## Mail Security TODOs
+- Enable DNSSEC at the DNS provider and ensure DS/DNSKEY are published.
+- Add TLSA (DANE) records after DNSSEC is active.
+- Verify MTA-STS policy and TLS-RPT DNS records after propagation.
+
 ## Install
 ### Prerequisites
 1) Copy the env and docker-compose.override.yml to the service directories via the script.