Qmail can't deliver to DNSSEC protected domains. (Repost from edri.org-ML) Reason: - qmail send an "ANY IN edri.org" query in order to deliver mail. * Due to DNSSEC, there are a some signatures catched by ANY so the response packet size is 605 bytes. - qmail does not support EDNS extensions for larger UDP packets. * The response is truncated to 512 bytes and marked "truncated". - qmail does not support the very old TCP fallback requirement for DNS. - qmail refuses to deliver the mail and logs "CNAME_lookup_failed_temporarily." Overview of packet sizes question | answer size -----------------------|-------------- ANY edri.org | 605 byte MX edri.org | 237 byte A edri.org | 213 byte -----------------------|-------------- ANY edri.org +dnssec | 1331 byte MX edri.org +dnssec | 923 byte A edri.org +dnssec | 731 byte