Symptoms
Some outbound emails may return, or bounceback, with the following error reported in your Exim Mainlog:
R=dkim_lookuphost T=dkim_remote_smtp defer (-36): DANE error: tlsa lookup DEFER
Description
What this error usually indicates is that the recipient server of your email message is requiring that your domain have a DANE record. A DANE record is a DNS record that allows you to securely specify exactly which TLS/SSL certificate an application or service should use to connect to your site.
A DANE record is a feature that uses a DNSSEC signed zone to tell the client which SSL/TLS certificate to use when connecting to a certain service.
Workaround
As of right now, cPanel does not support adding DANE records via the "Zone Editor" of cPanel or WHM. However, there is a feature request to add support for this here:
cPanel Feature Request - DANE and TLSA
In the meantime, there is a workaround to manually create and add your own DANE record for the domain. This is mentioned in a comment in this feature request here.