Help understanding this Email security Diagram


I would like to ask regarding the following diagram where the receiving MTA is reaching its own DNS to verify the sender’s X.509 cert. Is this always the case for DANE? Can’t he query the sender DNS for that?

Email sec