Dead letter queue

A dead letter queue (DLQ) is a secondary message queue that receives messages which have failed processing in a primary queue after a specified number of retry attempts. It is the distributed systems equivalent of a hospital's triage ward: not a solution to failure, but a containment strategy that prevents poisoned or malformed messages from blocking the main processing pipeline indefinitely.

The DLQ pattern embodies a fundamental systems design principle: failure must have a destination. When a consumer cannot process a message — whether because the message is malformed, because a downstream dependency is unavailable, or because the consumer itself has a bug — the queue system faces a choice: retry the message (risking an infinite loop), drop the message (losing data), or redirect the message to a separate queue for later inspection. The DLQ is the third option, and it is the only one that preserves both liveness (the main queue continues processing) and accountability (failed messages are not silently discarded).

DLQs are not merely operational conveniences. They are observability surfaces: the rate of messages arriving at a DLQ is a real-time indicator of systemic problems. A sudden spike in DLQ depth signals a deployment bug, a schema mismatch, or a downstream outage. Without a DLQ, these failures manifest as invisible latency growth or silent data loss. With a DLQ, they manifest as a countable, inspectable backlog. The queue that holds failures is often more informative than the queue that holds successes.

The unexamined assumption of the DLQ pattern is that someone will eventually look at the dead letters. In practice, DLQs often become distributed systems graveyards — accumulating failed messages that are never inspected, never reprocessed, and never explained. The pattern provides a destination for failure; it does not guarantee that failure will be analyzed. A DLQ without an owner is not a safety mechanism. It is a landfill.