diff --git a/modules/mailserver.nix b/modules/mailserver.nix
index 4c79b87..4902d1f 100644
--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
@@ -1,8 +1,4 @@
-{ config
-, pkgs
-, inputs
-, ...
-}:
+{ config, pkgs, ... }:
 let
   mailPassword = { service }:
@@ -26,6 +22,8 @@ in
     fqdn = "mail.clan.lol";
     domains = [ "clan.lol" ];
     enablePop3 = true;
+    # kresd sucks unfortunally (fails when one NS server is not working, instead of trying other ones)
+    localDnsResolver = false;
     loginAccounts."golem@clan.lol".hashedPasswordFile =
       config.clanCore.facts.services.golem-mail.secret.golem-password-hash.path;
@@ -33,6 +31,21 @@ in
       config.clanCore.facts.services.gitea-mail.secret.gitea-password-hash.path;
   };
+  services.unbound = {
+    enable = true;
+    settings.server = {
+      prefetch = "yes";
+      prefetch-key = true;
+      qname-minimisation = true;
+      # Too many broken dnssec setups even at big companies such as amazon.
+      # Breaks my email setup. Better rely on tls for security.
+      val-permissive-mode = "yes";
+    };
+  };
+
+  # use local unbound as dns resolver
+  networking.nameservers = [ "127.0.0.1" ];
+
   security.acme.acceptTerms = true;
   clanCore.facts.services.golem-mail = mailPassword { service = "golem"; };
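Review bot: `val-permissive-mode = "yes"` in the new `services.unbound` block makes DNSSEC validation advisory only — answers that fail validation are still handed to clients (only the AD flag is withheld), so the local resolver no longer protects MX or TLSA lookups against forged responses, and the comment's "rely on tls for security" holds only if outbound SMTP TLS is enforced rather than opportunistic. Consider scoping the exception to the zones that are actually broken with `domain-insecure` entries instead of a global permissive mode, and stating the assumption in the comment, e.g. `# DNSSEC failures are tolerated globally, so MX/TLSA answers are unauthenticated; outbound TLS must be enforced separately.` The same trade-off is what the `localDnsResolver = false` change in the previous hunk gives up (its comment also has `unfortunally` for `unfortunately`), so that comment could point at this block. Minor style: `prefetch = "yes"` and `val-permissive-mode = "yes"` are strings while `prefetch-key = true` and `qname-minimisation = true` are booleans; the module appears to accept either, but one form reads more consistently. The hunk's trailing context may continue past the visible text.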