diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 7cd3a56b..4c48fcc4 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -35,6 +35,7 @@ DEFAULT_CONFIG = {
 'WILDCARD_SENDERS': '',
 'TLS_FLAVOR': 'cert',
 'INBOUND_TLS_ENFORCE': False,
+ 'DEFER_ON_TLS_ERROR': True,
 'AUTH_RATELIMIT': '1000/minute;10000/hour',
 'AUTH_RATELIMIT_SUBNET': False,
 'DISABLE_STATISTICS': False,
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 914638fa..2313a1e6 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -54,8 +54,10 @@ def has_dane_record(domain, timeout=5):
 if record.usage in [2,3]: # postfix wants DANE-only
 return True
 except dns.resolver.NoNameservers:
- # this could be an attack / a failed DNSSEC lookup
- return True
+ # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled
+ # we will receive this non-specific exception. The safe behaviour is to
+ # accept to defer the email.
+ return app.config['DEFER_ON_TLS_ERROR']
 except:
 pass
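Review bot: The new `DEFER_ON_TLS_ERROR` entry in the configuration.py hunk carries no comment saying what it governs, and its name is broader than its only visible use — the `dns.resolver.NoNameservers` branch of `has_dane_record` in utils.py, where `True` keeps the previous fail-closed behaviour (report a DANE record so delivery is deferred on a failed or invalid DNSSEC lookup) and `False` makes the function report no DANE record for that domain. A one-line comment above the entry would spare the next reader the cross-file search: `# True (safe default): a failed/invalid DNSSEC lookup in has_dane_record() is treated as DANE present, so delivery is deferred; False: treated as no DANE record`. If DEFAULT_CONFIG values are overridden from the environment elsewhere, that path presumably has to turn strings like `false`/`0` into a real boolean before `app.config['DEFER_ON_TLS_ERROR']` is returned as the lookup result — worth confirming, since the override code is not part of this diff.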