diff --git a/modules/nixos/mailserver.nix b/modules/nixos/mailserver.nix
index 9ee8b10..767b13f 100644
--- a/modules/nixos/mailserver.nix
+++ b/modules/nixos/mailserver.nix
@@ -2,10 +2,14 @@
 mailserver = {
 enable = true;
 stateVersion = 3;
+
+ # domain bs
 fqdn = "mail.${config.networking.domain}";
 domains = ["${config.networking.domain}"];
 x509.useACMEHost = config.mailserver.fqdn;
+
 loginAccounts = {
+ # test acc
 "test@${config.networking.domain}" = {
 hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
 };
@@ -15,6 +19,13 @@
 };
 };
 };
+
+ # put dkim key into /etc for declarability
+ mailserver.dkimKeyDirectory = "/etc/dkim";
+ environment.etc."dkim/${config.networking.domain}.${config.mailserver.dkimSelector}.key".source =
+ config.age.secrets."dkim-${config.networking.domain}.${config.mailserver.dkimSelector}.key".path;
+
+ # does acme for me
 services.nginx = {
 enable = true;
 virtualHosts = {
@@ -28,9 +39,12 @@
 acceptTerms = true;
 defaults.email = "mtgmonket@gmail.com";
 };
+
+ # persist directories per the backup guidelines
 environment.persistence."/persist" = {
 directories = [
- "/var/dkim"
+ # not needed bc the dkim dir is declared
+ # "/var/dkim"
 "/var/vmail"
 "/var/lib/redis-rspamd"
 "/var/lib/acme"
diff --git a/pub-keys.nix b/pub-keys.nix
index 1a316eb..1dc9073 100644
--- a/pub-keys.nix
+++ b/pub-keys.nix
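Review bot: The two comments added in this hunk, `# domain bs` and `# test acc`, do not tell a reader anything the surrounding lines don't already show. The first should record why the values are derived rather than spelled out, e.g. `# fqdn/domains follow networking.domain so the mail identity stays in sync with the host`, and the second should say what the account is for and where its credential comes from, e.g. `# test mailbox; password hash is supplied by the agenix secret mailserver-acc-test-pw`. The `mailserver = {` attribute set continues past the end of this hunk.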
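Review bot: The new `environment.etc."dkim/….key".source = config.age.secrets."dkim-….key".path` line only places a symlink in /etc pointing at the agenix-managed file, so whether the DKIM signer can read the private key is decided by that secret's owner/group/mode, and the matching `age.secrets."dkim-galaxious.de.mail.key"` entry in pub-keys.nix sets only `file`, leaving agenix's defaults (root-owned, 0400); if signing is done by rspamd, as it is in simple-nixos-mailserver, the secret would additionally need `owner = "rspamd"; group = "rspamd"; mode = "0400";` (confirm the signer's user before copying this). The secret name on this side is built from `config.networking.domain` and `config.mailserver.dkimSelector`, while pub-keys.nix declares the fixed name `dkim-galaxious.de.mail.key`, so if either value ever differs from `galaxious.de`/`mail` evaluation fails with a missing-attribute error; a comment next to `mailserver.dkimKeyDirectory = "/etc/dkim";` such as `# secret name must match age.secrets."dkim-<domain>.<selector>.key" in pub-keys.nix` would make that coupling visible. Only the private key is declared here, so the public-key DNS record is presumably maintained by hand; that is worth stating in the `# put dkim key into /etc for declarability` comment.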
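Review bot: The commented-out `# "/var/dkim"` line kept inside the `directories` list is dead configuration; the `# not needed bc the dkim dir is declared` comment already records the reason, so the entry itself should be deleted rather than left as a comment (history keeps the old value). Since `mailserver.dkimKeyDirectory` now points at `/etc/dkim`, anything the mail module still writes into that directory on activation — a public-key `.txt` file, or keys for a domain/selector other than the one declared, if it generates those — would end up on a path that is not in this persistence list; if that is intended, one sentence on the `# persist directories per the backup guidelines` comment saying so would help. The `environment.persistence."/persist"` set continues past the end of this hunk.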
@@ -1,10 +1,11 @@
 {
 age.secrets = {
 andromeda-pw.file = ./secrets/andromeda-pw.age;
+ "dkim-galaxious.de.mail.key".file = ./secrets/dkim-galaxious.de.mail.key.age;
 mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
 mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;
 mailserver-acc-admin-pw.file = ./secrets/mailserver-acc-admin-pw.age;
- "mailserver-acc-zulip+admin-pw".file = ./secrets + "/mailserver-acc-zulip+admin-pw.age";
+ "mailserver-acc-zulip+admin-pw".file = "${./secrets}/mailserver-acc-zulip+admin-pw.age";
 zulip-avatarSaltKey.file = ./secrets/zulip-avatarSaltKey.age;
 zulip-camoKey.file = ./secrets/zulip-camoKey.age;
 zulip-extraSecrets-email_password.file = ./secrets/zulip-extraSecrets-email_password.age;
diff --git a/secrets/dkim-galaxious.de.mail.key.age b/secrets/dkim-galaxious.de.mail.key.age
new file mode 100644
index 0000000..91b8019
Binary files /dev/null and b/secrets/dkim-galaxious.de.mail.key.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e4d6d7f..10b449b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -8,6 +8,9 @@ in {
 "andromeda-pw.age".publicKeys = [andromeda lenovo];
 "mtgmonkey-pw.age".publicKeys = [andromeda lenovo];
+ # dkim private keys
+ "dkim-galaxious.de.mail.key.age".publicKeys = [andromeda lenovo _109-199-104-83];
+
 # mail account passwords
 "mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
 "mailserver-acc-admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
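Review bot: The rewritten `"${./secrets}/mailserver-acc-zulip+admin-pw.age"` interpolates the whole `./secrets` directory, so Nix copies that entire directory into the store (world-readable, though the contents are age-encrypted) and any edit to any file under `secrets/` changes this value, whereas every sibling entry names one file. A plain path literal works for this name too, since `+` is an allowed character in Nix path literals, so `"mailserver-acc-zulip+admin-pw".file = ./secrets/mailserver-acc-zulip+admin-pw.age;` keeps the list uniform and copies only that file. The ownership of the new `dkim-galaxious.de.mail.key` secret is raised on the mailserver.nix hunk that consumes it.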