Deploy DNS CAA
Because the plan in #9026 (closed) to deploy HPKP may have been hindered by Chrome’s desire to remove HPKP support, it may be a good idea to instead (or additionally) deploy CAA. It has weaker guarantees than HPKP and in particular assumes the CA to be trustworthy, but is a significant improvement over the default state. Its support has recently been mandated and now all DNS servers and CAs support it. Deployment requires nothing more than creating a new DNS record.
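As an added illustration (not part of the original issue), the sketch below shows what the new DNS record restricts: it evaluates CAA RRsets the way a compliant CA is expected to under RFC 8659 before issuing. Enforcement happens only at the CA, which is why CAA assumes the CA is trustworthy. All domain names, CA identifiers and function names here are constructed for the example.

```python
# Constructed CAA RRsets, name -> [(flags, tag, value)]. In zone-file form the
# first entry reads:  example.org. IN CAA 0 issue "ca.example"
ZONE = {
    "example.org": [
        (0, "issue", "ca.example"),       # only this CA may issue
        (0, "issuewild", ";"),            # no CA may issue wildcards
        (0, "iodef", "mailto:security@example.org"),
    ],
    "critical.example.org": [(128, "futuretag", "x"), (0, "issue", "ca.example")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; return the first non-empty CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":                  # wildcard label is dropped before lookup
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Issuer domain name is whatever precedes the optional ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone, fqdn, ca_domain):
    """Decision a compliant CA identified by ca_domain reaches for fqdn."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True                       # no CAA at all: the default state
    # Critical bit (128) on a tag the CA does not understand: must refuse.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names issuewild, when present, replaces issue.
    props = issuewild if fqdn.startswith("*.") and issuewild else issue
    if not props:
        return True                       # e.g. iodef only: no restriction
    return any(issuer_domain(v) == ca_domain.lower() for v in props)

if __name__ == "__main__":
    for name, ca in [("www.example.org", "ca.example"), ("www.example.org", "other-ca.example"),
                     ("*.example.org", "ca.example"), ("example.net", "other-ca.example")]:
        print(f"{name:18} {ca:18} -> {'issue' if may_issue(ZONE, name, ca) else 'refuse'}")
```

A record at the zone apex covers every subdomain that has no CAA RRset of its own, so a single `issue` record is enough to restrict the whole tree.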