Hoping to help anyone having challenges configuring "scan to email".  Pay it forward, as they say.

After 11 hours (embarrassing) trying to make my MFP 4101fdwe work with CA certificates (because the error messages said that was the issue), I finally succeeded (without the CA certificates).  The MFP 4101fdwe is targeted for SMB (Small Medium Business) or other medium and higher duty cycle environments, which is why we have one for WFH (Work From Home).  The MFP 4101fdwe is also configured for SMB security - hence (I'm really guessing) a default to check for certificates when scanning.

TL;DR (aka summary)

Tip #1 - if this is a printer for personal use, certificate validation may not be practical (it wasn't for me)

Tip #2 - if you have a **bleep** account, use it.  If you don't, consider one and dedicate it to "scan to email" (not shilling)

Tip #3 - use the **bleep** 2FA "app password" (well documented online) for your **bleep** SMTP password

Tip #4 - UNCHECK the option to validate using a CA certificate in the email portion of the "scan to email" config (this may seem obvious, but not if you're going down the hopeless rabbit hole with CA CSRs, self-signing certs, etc.).

NOTE - **bleep** is fast, and if you follow good security hygiene, it can be very secure.  I "scan to email" and by the time I walk to my computer, the scan is already in my inbox (again, not shilling for **bleep**).

Abbreviated How-To for home use

Step #1 - make the alert email work (no certificate required) - usual security caveats of a unique, long, random pwd for SMTP

Step #2 - configure scan to email the same as your alert email AND UNCHECK the CA certificate validation option

Step #3 - keep your printer firmware up to date (because internet)

Step #4 - still getting certificate error messages? There's probably a checkbox that needs to be unchecked somewhere (CA certificate validation is the default config)

Here's what I learned along the way (for home use)

1.  CA Certificates don't make sense if you don't have a long-term SSL certificate for the domain you are trying to mail to.  For example, you host your website and/or email with Network Solutions, GoDaddy, Hostgator, etc. - these are all 90-day third-party SSL certificates (e.g. letsencrypt.org, etc.).  You could hypothetically make "scan to email" work with short-term SSL, but you would need to update your printer certificate every 90 days.  If you have a mid-size business and are hosting your business with AWS or Rackspace, etc. then using SSL certificates from GoDaddy or other CA with 1-2 year durations, and you have a good understanding of SSL, then certificates can make a lot of sense (and you're probably not reading this).  For me, this is a WFH printer shared by family.  Using a major company email and their SSL certificate for professional AND personal scanning didn't seem smart professionally for security and so many other reasons.  After all, just how secure is your internet connected printer with your home firewall (even if you keep the firmware up to date)?  I just didn't want the liability.

2.  The admin UX is confusing when configuring scan to email, as it still includes a checkbox for the certificate.  It's even more confusing because this checkbox does not exist for configuring email alerts.  What finally clued me in was that the email alerts were working in spite of the certificate error messages when trying to scan to email.

Good luck - hope this helps.