You don't have to, because if the paymail is self-hosted, there is nothing a MITM attack could do. Only if they change it to a different domain do you need to know that a MITM is not possible, and that is why it makes sense to enforce DNSSEC in that case.