That’s not what I meant, specifically what I was suggesting was three DNS records:
A: forum.domain.tld → host IP address (proxy enabled)
A: mail.domain.tld → host IP address (DNS Mode Only)
MX: forum.domain.tld → mail.domain.tld
However as mentioned, I later realised that would only work in the default opportunistic TLS mode, it will not work if you (someone) also want to enable DANE or MTA-STS to enforce identity authentication (ensure the correct server is being connected to rather than only encrypt traffic).
They look very good, easy to follow and does everything outside the container so there’s no risk of it potentially breaking with Discourse updates. I particularly like the use of a certbot renewal hook which I wasn’t familiar with before.