Issue Description
When trying to send emails to certain domains, delivery is not attempted because of a DNSSEC Negative Record Response, e.g. “DNSSEC Negative Record Response for in1-smtp.messagingengine.com. IN AAAA, Bogus”. This domain does not publish AAAA records for their MX hosts and DNSSEC signs this correctly with NSEC3. On top of that, Stalwart is configured to only send using IPv4, so an AAAA lookup seems irrelevant.
Expected Behavior
Stalwart delivers the email to the IPv4 IP of that name.
Actual Behavior
Message is queued for retry.
Reproduction Steps
- Send email to a domain that is DNSSEC signed and does not publish AAAA records for MX hosts, e.g. sent.com
Relevant Log Output
2026-06-23T17:06:06Z INFO IP address lookup failed (delivery.ip-lookup-failed) queueId = 314290291469231616, queueName = "remote", from = "[email protected]", to = ["[email protected]"], size = 1699, total = 1, domain = "sent.com", hostname = "in1-smtp.messagingengine.com", details = "Temporary Failure for in1-smtp.messagingengine.com: Connection failed: lookup error: DNS resolution error: DNS error: DNSSEC Negative Record Response for in1-smtp.messagingengine.com. IN AAAA, Bogus", elapsed = 358ms
Stalwart Version
v0.16.x
Installation Method
Docker
Database Backend
RocksDB
Blob Storage
RocksDB
Search Engine
Internal
Directory Backend
Internal
Additional Context
This happens with any DNS resolver, system, Cloudflare, custom, …
This is very revealing. Looking at the dnssec_ip_lookup function (lines ~206-213), there’s a critical issue: when the DNSSEC resolver returns an error for the AAAA query that is not DnsRecordNotFound (i.e., a DNSSEC “Bogus” validation error), it immediately returns that error via return Err(err) – even if IPv4 records were already found successfully. The code only silently absorbs the AAAA error if it is specifically a DnsRecordNotFound.
Now I have a clear picture of the issue. The source code confirms the root cause: when dnssec_ip_lookup is used, it queries both A and AAAA record types (based on the IpLookupStrategy), and if the AAAA query returns a DNSSEC error that is not DnsRecordNotFound, it returns that error immediately – even when IPv4 was found or when the strategy is IPv4-only. However, looking more carefully at the code, even with Ipv4Only strategy, the issue in the log says AAAA is still being queried. Let me check if there’s a DNSSEC-related setting in the TLS strategy that forces DNSSEC lookups.
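An added illustrative Rust model of the lookup behaviour described above; it is not Stalwart's own code. `FakeResolver`, `absorb`, `lookup_reported`, `lookup_by_strategy` and the `Both` variant are assumed names, and the canned A/AAAA answers are constructed.

```rust
use std::net::{IpAddr, Ipv4Addr};

/// The two failure kinds the analysis distinguishes for a record-type query.
#[derive(Debug, Clone, PartialEq)]
pub enum DnsError {
    RecordNotFound, // NXDOMAIN / NXRRSET: tolerated for one address family
    Bogus,          // DNSSEC validation failure: must never be silently dropped
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum IpLookupStrategy {
    Ipv4Only,
    Ipv6Only,
    Both, // assumed name for "query A and AAAA"
}

pub type LookupResult = Result<Vec<IpAddr>, DnsError>;

/// Constructed stand-in for the DNSSEC resolver: canned A and AAAA answers.
pub struct FakeResolver {
    pub a: LookupResult,
    pub aaaa: LookupResult,
}

/// Merge one family's answer: NotFound is absorbed, any other error aborts.
fn absorb(ips: &mut Vec<IpAddr>, answer: &LookupResult) -> Result<(), DnsError> {
    match answer {
        Ok(found) => { ips.extend(found.iter().copied()); Ok(()) }
        Err(DnsError::RecordNotFound) => Ok(()),
        Err(other) => Err(other.clone()),
    }
}

/// Behaviour reported in the thread: both families are queried regardless of
/// strategy, so a Bogus AAAA answer fails the lookup even though A succeeded.
pub fn lookup_reported(r: &FakeResolver) -> LookupResult {
    let mut ips = Vec::new();
    absorb(&mut ips, &r.a)?;
    absorb(&mut ips, &r.aaaa)?;
    if ips.is_empty() { Err(DnsError::RecordNotFound) } else { Ok(ips) }
}

/// Strategy-respecting variant: only the families the strategy asks for are
/// queried, so an Ipv4Only sender never looks at the AAAA answer. A Bogus
/// answer on a family that was queried is still surfaced, not ignored.
pub fn lookup_by_strategy(r: &FakeResolver, strategy: IpLookupStrategy) -> LookupResult {
    let mut ips = Vec::new();
    if strategy != IpLookupStrategy::Ipv6Only { absorb(&mut ips, &r.a)?; }
    if strategy != IpLookupStrategy::Ipv4Only { absorb(&mut ips, &r.aaaa)?; }
    if ips.is_empty() { Err(DnsError::RecordNotFound) } else { Ok(ips) }
}
```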
Correction, the domains in question are unsigned.
2026-06-23T16:52:01Z INFO IP address lookup failed (delivery.ip-lookup-failed) queueId = 314190649744182272, queueName = "default", from = "[email protected]", to = ["[email protected]"], size = 2735, total = 1, domain = "rua.dmarc.emailanalyst.com", hostname = "mx5-prod.edatasource.com", details = "Temporary Failure for mx5-prod.edatasource.com: Connection failed: lookup error: DNS resolution error: DNS error: DNSSEC Negative Record Response for mx5-ec2.edatasource.com. IN AAAA, Bogus", elapsed = 161ms
delv a mx5-ec2.edatasource.com @1.1.1.1
; unsigned answer
mx5-ec2.edatasource.com. 600 IN A 3.214.30.137
delv aaaa mx5-ec2.edatasource.com @1.1.1.1
;; resolution failed: ncache nxrrset
; negative response, unsigned answer
; mx5-ec2.edatasource.com. 900 IN \-AAAA ;-$NXRRSET
Downgrade to v0.16.9 fixed it for now, seems to be a regression in v0.16.10.
Same problem here. Temporarily downgraded to v0.16.9 - working again
Same problem here.
INFO IP address lookup failed (delivery.ip-lookup-failed) queueId = hiden , queueName = "remote", from = "[email protected]", to = ["[email protected]"], size = 1015, total = 1, domain = "gmail.com", hostname = "mail-eu.smtp2go.com", details = "Temporary Failure for mail-eu.smtp2go.com: Connection failed: lookup error: DNS resolution error: DNS error: DNSSEC Negative Record Response for mail-eu.smtp2go.com. IN AAAA, Bogus", elapsed = 248ms
This was fixed a few days ago but is not yet released. The issue is that your resolver does not support DNSSEC. To fix it you need to enable DNSSEC in your resolver or disable DANE in the TLS strategy. Version 0.16.11 will probe DNSSEC support and disable DANE automatically, but this is still something you should check if you want DANE support.
It also happens with Cloudflare resolver from the dropdown which supports DNSSEC, no? DANE is configured as optional. It fails at MX AAAA lookup. How is this related to DANE?