Understanding SMTP DANE implementation options

There could be a fourth way: something like _25._tcp.my.mailserver IN CNAME _dane.letsencrypt.org., if LE were DNSSEC-signed (they aren't yet) and willing to maintain a TLSA "2 1 1" record with all their active, standby and upcoming intermediates, as they are the obvious authoritative source for this information. This would free users from having to duplicate and maintain this information in their own zones (and as such be more DNS cache friendly, too).

One drawback is that with CNAME, you can only delegate to a single authoritative record, not multiple ones if you use multiple CAs.

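The two ways of publishing the CA's TLSA "2 1 1" data discussed above (copying the records into your own zone versus one CNAME to a CA-maintained name), as an added example that is not part of the original post. The names _25._tcp.mail.example. and _dane.ca.example. and the SPKI byte strings are constructed stand-ins; with a real certificate the hash input would be the DER-encoded SubjectPublicKeyInfo.

```python
"""Added example: TLSA "2 1 1" records for SMTP DANE and CNAME delegation of
the _25._tcp name. Zone contents and SPKI byte strings are constructed."""
import hashlib


def tlsa_2_1_1(spki_der: bytes) -> str:
    """RDATA for usage 2 (DANE-TA), selector 1 (SubjectPublicKeyInfo),
    matching type 1 (SHA-256 over the DER SPKI)."""
    return "2 1 1 " + hashlib.sha256(spki_der).hexdigest()


def resolve_tlsa(zone: dict, name: str) -> list:
    """Minimal resolver: follow CNAMEs, return the TLSA RRset of the target."""
    seen = []
    while name not in seen:
        seen.append(name)
        rrs = zone.get(name, {})
        if "CNAME" in rrs:
            name = rrs["CNAME"]  # a CNAME owner name can hold no other data
        else:
            return list(rrs.get("TLSA", []))
    raise ValueError("CNAME loop: " + " -> ".join(seen))


def dane_ta_matches(tlsa_rrset: list, chain_spkis: list) -> bool:
    """DANE-TA check: some certificate in the presented chain (normally the
    issuing intermediate) must have an SPKI hash listed in the RRset."""
    wanted = {rr for rr in tlsa_rrset if rr.startswith("2 1 1 ")}
    return any(tlsa_2_1_1(spki) in wanted for spki in chain_spkis)


# Constructed stand-ins for the CA's intermediate SPKIs.
CA_ACTIVE = b"constructed-spki-active-intermediate"
CA_STANDBY = b"constructed-spki-standby-intermediate"
CA_UPCOMING = b"constructed-spki-upcoming-intermediate"

# Option A: the operator copies the CA's record into their own zone.
ZONE_COPIED = {"_25._tcp.mail.example.": {"TLSA": [tlsa_2_1_1(CA_ACTIVE)]}}

# Option B (the post's idea): one CNAME to a CA-maintained, DNSSEC-signed name
# that lists active, standby and upcoming intermediates.
ZONE_DELEGATED = {
    "_25._tcp.mail.example.": {"CNAME": "_dane.ca.example."},
    "_dane.ca.example.": {
        "TLSA": [tlsa_2_1_1(s) for s in (CA_ACTIVE, CA_STANDBY, CA_UPCOMING)]
    },
}


def check(zone: dict, chain_spkis: list) -> bool:
    """What a sending MTA does: look up TLSA for _25._tcp, verify the chain."""
    return dane_ta_matches(resolve_tlsa(zone, "_25._tcp.mail.example."), chain_spkis)
```

The copied zone stops matching as soon as the CA switches to its standby intermediate, while the delegated zone keeps matching because the CA updates its own record set.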