diff --git a/postfix/tasks/dkim.yml b/postfix/tasks/dkim.yml
new file mode 100644
index 0000000000000000000000000000000000000000..50f2fba933c44a2d17cdcd823d55aa5a6a4db827
--- /dev/null
+++ b/postfix/tasks/dkim.yml
@@ -0,0 +1,55 @@
+--- 
+
+- name: ensure we have opendkim
+  apt:
+    name:
+      - opendkim
+      - opendkim-tools
+    state: present
+
+
+- name: ensure we have keys for any domain
+  command:
+    cmd: "opendkim-genkey  --directory=/etc/dkimkeys --domain={{ item }} --selector={{ item }}-{{ dkim_selector }}   --nosubdomains"
+    creates: 
+      - "/etc/dkimkeys/{{ item }}-{{ dkim_selector }}.private"
+      - "/etc/dkimkeys/{{ item }}-{{ dkim_selector }}.txt"
+  become: yes
+  become_user: opendkim
+  loop: "{{  postfix_domains +  postfix_virtual_domains }}"
+
+
+- name: ensure we have a folder for systemd overrides
+  file:
+    state: directory
+    path: "/etc/systemd/system/opendkim.service.d/"
+    mode: '0755'
+    owner: root
+    group: root
+
+- name: ensure we run the service without root
+  copy: 
+    src: "opendkim-systemd-service-override.conf"
+    dest: "/etc/systemd/system/opendkim.service.d/override.conf"
+
+
+- name: ensure we have our config
+  template:
+    src: "opendkim.conf.j2"
+    dest: "/etc/opendkim.conf"
+    owner: root
+    group: root
+    mode: '0644'
+
+
+- name: ensure we have the key table
+  template:
+    src: "opendkim-{{ item }}.j2"
+    dest: "/etc/dkimkeys/{{ item }}"
+    owner: root
+    group: root
+    mode: '0644'
+  loop:
+    - "keytable"
+    - "signingtable"
+    - "trustedhosts"
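Review bot: `creates` on the `command` module takes a single path, but the task "ensure we have keys for any domain" passes a two-item list; depending on the Ansible version this either fails argument validation or is stringified into a path that never exists, so the task runs on every play and `opendkim-genkey` overwrites the private key, invalidating whatever selector record has already been published in DNS. Use one path, `creates: "/etc/dkimkeys/{{ item }}-{{ dkim_selector }}.private"` (the `.txt` file is produced by the same invocation, so checking one is enough). None of the tasks that change `/etc/opendkim.conf`, the systemd override or the key tables carry a `notify`, so unless a handler is wired up elsewhere opendkim keeps running with the old configuration and systemd never picks up the override; a `notify: restart opendkim` pointing at a handler that does `daemon_reload: true` would close that gap. Minor style: `become: yes` should be `become: true`, and the `---` document start, the `creates:` line and the `copy:` line carry trailing whitespace.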
diff --git a/postfix/templates/opendkim.conf.j2 b/postfix/templates/opendkim.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..4d53e4bf3ad3792ff22a88ba6f56d30d7957f64e
--- /dev/null
+++ b/postfix/templates/opendkim.conf.j2
@@ -0,0 +1,52 @@
+# This is a basic configuration for signing and verifying. It can easily be
+# adapted to suit a basic installation. See opendkim.conf(5) and
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
+# documentation of available configuration parameters.
+
+Syslog                  yes
+SyslogSuccess           yes
+#LogWhy                 no
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization        relaxed/simple
+#Mode                   sv
+#SubDomains             no
+OversignHeaders         From
+
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID                  opendkim
+UMask                   007
+
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+Socket                  local:/run/opendkim/opendkim.sock
+#Socket                 inet:8891@localhost
+#Socket                 inet:8891
+#Socket                 local:/var/spool/postfix/opendkim/opendkim.sock
+
+PidFile                 /run/opendkim/opendkim.pid
+
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+#InternalHosts          192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile         /usr/share/dns/root.key
+#Nameservers            127.0.0.1
+
+
+# Specify the list of keys
+KeyTable file:/etc/dkimkeys/keytable
+# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
+SigningTable refile:/etc/dkimkeys/signingtable 
+# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
+InternalHosts refile:/etc/dkimkeys/trustedhosts
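Review bot: `TrustAnchorFile /usr/share/dns/root.key` is a hard dependency on the dns-root-data package, which the apt task in postfix/tasks/dkim.yml does not list; if that package is not pulled in transitively by opendkim, the file is absent and opendkim will not start, so either add `dns-root-data` to that apt task or comment the line out as the `Nameservers` line below it already is. The template keeps `Socket local:/run/opendkim/opendkim.sock` while its own comment notes that a chrooted Debian Postfix cannot reach that path; unless smtpd is deliberately run non-chrooted, the `local:/var/spool/postfix/opendkim/opendkim.sock` variant (with the directory and group membership it needs) is the one that works, and a wrong socket path surfaces as deferred mail rather than unsigned mail under Postfix's default `milter_default_action = tempfail`. The `SigningTable refile:` line carries trailing whitespace, and since the file contains no Jinja expressions the `.j2` suffix and the `template` module add nothing over `copy` — fine to keep only if variables are planned.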