@joseph It's kind of a hassle (to add main domain just to be able to send emails)... but this worked, at least for my case scenario. Luckily I am using Cloudflare for domains so I was able to get free wild cert for both main domain and subdomain and was able to add them free of cost. Would be a real inconvenience if the domain was set up elsewhere.
I wish (I hope) there would be a setting to disable those "SSO (OIDC or LDAP) and also Email" features if one does not require them at all (for a very good reason).