diff --git a/modules/nixos/mailserver.nix b/modules/nixos/mailserver.nix
index 767b13f..ada51f4 100644
--- a/modules/nixos/mailserver.nix
+++ b/modules/nixos/mailserver.nix
@@ -22,8 +22,12 @@
 
   # put dkim key into /etc for declarability
   mailserver.dkimKeyDirectory = "/etc/dkim";
-  environment.etc."dkim/${config.networking.domain}.${config.mailserver.dkimSelector}.key".source =
-    config.age.secrets."dkim-${config.networking.domain}.${config.mailserver.dkimSelector}.key".path;
+  environment.etc."dkim/${config.networking.domain}.${config.mailserver.dkimSelector}.key" = {
+    source = config.age.secrets."dkim-${config.networking.domain}.${config.mailserver.dkimSelector}.key".path;
+    mode = "600";
+    user = config.services.rspamd.user;
+    group = config.services.rspamd.group;
+  };
 
   # does acme for me
   services.nginx = {