Re: Ignorance of certificate technology
Mail clients will generally check that a certificate is valid to the extent that it is issued by a trusted issuer and in date. That doesn't stop you using a valid cert for dodgy purposes though. If you put a Let's Encrypt cert somewhere (as was done in this case) then the client will accept it without throwing a warning/error.
CAA records now exist so you can declare which CAs are able to issue certs for your domain using DNS. Haven't seen them used much yet though and I am not sure if mail clients check them.
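
An added example (not part of the original post) of how a CAA record set is evaluated when a CA receives an issuance request, following the RFC 8659 rules for tree climbing, `issue`/`issuewild`, and the critical flag. The zone data, the function names and the `example.com` hosts are constructed for illustration.

```python
# Constructed zone data, not real DNS answers.
# Each CAA record is (flags, tag, value) as in RFC 8659 presentation format.
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "locked.example.com": [(0, "issue", ";")],
    "odd.example.com": [(128, "futuretag", "x"), (0, "issue", "letsencrypt.org")],
}

CRITICAL = 0x80  # issuer-critical flag bit


def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Drop parameters after ';': 'ca.example; k=v' -> 'ca.example', ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, fqdn, zone=ZONE):
    """Return True if the CA identified by `ca` may issue for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True  # no CAA anywhere in the tree: any CA may issue
    known = {"issue", "issuewild", "iodef"}
    if any(f & CRITICAL and t.lower() not in known for f, t, _ in rrset):
        return False  # unknown property marked critical: issuance must be refused
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    wild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names, issuewild replaces issue when it is present.
    props = wild if (wildcard and wild) else issue
    if not props:
        return True  # no applicable issue property: issuance is not restricted
    return any(issuer_domain(v) == ca.lower() for v in props)
```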