Server domains are intended to map a hostname which doesn't exist as a website to one of your servers. Enhance will then attempt to provision a Let's Encrypt certificate and map it automatically to the various email services (IMAP, POP, SMTP) on that server. The server domain is shown to your customers as their incoming/outgoing mail server.
We use DNS validation rather than HTTP validation when requesting Let's Encrypt certificates for server domains. Therefore the parent of your server domain (domain.tld for a server domain such as mail01.domain.tld) needs to be delegated to your Enhance DNS cluster rather than being pointed with an A record or CNAME.
The reason this functionality exists is that some clusters have servers which are email-only and therefore don't have a web server to use for HTTP validation.
mail01.domain.tld is an ideal server domain. You shouldn't use any domain which matches your control panel, phpMyAdmin or Roundcube domains or which you might want to use for a website later.
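A pre-flight check for the two requirements above (the parent zone is delegated to the cluster, and the hostname is not already in use), as an added example rather than Enhance's own tooling. The nameservers ns1/ns2.cluster.example and the reserved hostnames are constructed placeholders, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks before assigning a server domain.
# All nameserver and reserved hostnames used with it are constructed.

# Lowercase a DNS name and drop the trailing root dot that dig prints.
normalize() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Parent of the server domain: everything after the first label.
parent_zone() {
    normalize "$1" | sed 's/^[^.]*\.//'
}

# Reads NS answers on stdin, one per line, as `dig +short NS <parent>` prints
# them. Succeeds only if there is at least one answer and every answer is one
# of the cluster nameservers given as arguments. An empty answer or another
# provider's nameservers means the parent is not delegated to the cluster.
delegated_to_cluster() {
    seen=0
    while IFS= read -r ns; do
        if [ -z "$ns" ]; then continue; fi
        ns=$(normalize "$ns")
        match=0
        for want in "$@"; do
            if [ "$ns" = "$(normalize "$want")" ]; then match=1; fi
        done
        if [ "$match" -ne 1 ]; then return 1; fi
        seen=1
    done
    [ "$seen" -eq 1 ]
}

# Succeeds if the candidate (first argument) differs from every hostname
# already used for the control panel, phpMyAdmin, Roundcube or a website.
not_reserved() {
    candidate=$(normalize "$1"); shift
    for used in "$@"; do
        if [ "$candidate" = "$(normalize "$used")" ]; then return 1; fi
    done
    return 0
}

# Live use (needs network access):
#   dig +short NS "$(parent_zone mail01.domain.tld)" \
#     | delegated_to_cluster ns1.cluster.example ns2.cluster.example
```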
Server domains aren't really required for the app servers since websites each have their own SSL certificate. The only place a server domain is used there is FTP over TLS, which very few customers use.
If you raise a support ticket and let us know the domains, we can check the DNS and try to suggest why the Let's Encrypt certificate wasn't provisioned. You can also run "docker logs orchd" on the control panel server, which should provide more insight.
In a future update to Enhance, we will provision a Let's Encrypt certificate for mail.{customerDomain} and map this to the POP/IMAP/SMTP server for that website so the customer can use this instead of the server domain.