diff --git a/infra/mta-sts/README.md b/infra/mta-sts/README.md
index 6b1d335..cef699c 100644
--- a/infra/mta-sts/README.md
+++ b/infra/mta-sts/README.md
@@ -13,3 +13,13 @@ resolves, run:
   sudo certbot certonly --webroot -w /var/www/certbot -d mta-sts.performancewest.net --non-interactive --agree-tos -m admin@performancewest.net
 then upgrade pw-mta-sts.conf to an HTTPS (443) server block (see pw-listmonk-hc.conf
 pattern) and reload nginx. MTA-STS requires the policy be served over valid HTTPS.
+
+## STATUS 2026-06-07
+- DNS A record added + policy file served over HTTP (working).
+- Cert issuance FAILED twice: HE.net secondary DNS is flapping (mta-sts resolves
+  on 1.1.1.1/9.9.9.9 but intermittently empty on 8.8.8.8), so Let's Encrypt's
+  multi-vantage validation can't get consistent resolution. nginx left on the
+  safe HTTP-only vhost. RETRY the certbot command above once `dig +short
+  mta-sts.performancewest.net` is stable across 8.8.8.8 / 1.1.1.1 / 9.9.9.9,
+  then upgrade to the 443 vhost. (nginx -t before any reload — a missing cert
+  ref will break the reload.)