diff --git a/files/coredns/zones/noisebridge.com b/files/coredns/zones/noisebridge.com index 0725ceb1..d34875a9 100644 --- a/files/coredns/zones/noisebridge.com +++ b/files/coredns/zones/noisebridge.com @@ -4,19 +4,22 @@ $TTL 3600 noisebridge.com. IN SOA ns.noisebridge.net. hostmaster.noisebridge.com. ( - 2018030600 ; Serial + 2020022200 ; Serial 3600 ; Refresh 300 ; Retry 604800 ; Expire 300 ) ; Minimum ; name server records -@ IN NS ns.noisebridge.net. -@ IN NS dns.hexapodia.org. +@ IN NS ns1.noisebridge.net. +@ IN NS ns2.noisebridge.net. ; hostnameless access @ 300 IN A 216.252.162.220 @ 300 IN AAAA 2602:ff06:725:5:dc::1337 +; SPF +@ 86400 IN TXT "v=spf1 redirect=spf.noisebridge.net" + ; aliases www 300 IN CNAME m3.noisebridge.net. diff --git a/files/coredns/zones/noisebridge.net b/files/coredns/zones/noisebridge.net index 11a7d97e..d3711f8c 100644 --- a/files/coredns/zones/noisebridge.net +++ b/files/coredns/zones/noisebridge.net @@ -4,7 +4,7 @@ $TTL 3600 noisebridge.net. IN SOA ns1.noisebridge.net. hostmaster.noisebridge.net. ( - 2019061900 ; Serial + 2020022200 ; Serial 3600 ; Refresh 300 ; Retry 604800 ; Expire 
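Review bot: The SOA MNAME in the noisebridge.com hunk still reads `ns.noisebridge.net.` although the NS set now lists only `ns1.noisebridge.net.` and `ns2.noisebridge.net.`. The noisebridge.net zone's SOA already uses `ns1.noisebridge.net.`, so the primary here should probably be changed to match. The noisebridge.org hunk has the same mismatch. Whether `ns1` and `ns2` have address records in noisebridge.net is not visible in this diff and is worth confirming before the delegation is switched.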
@@ -18,6 +18,16 @@ noisebridge.net. IN SOA ns1.noisebridge.net. hostmaster.noisebri @ 300 IN A 216.252.162.220 @ 300 IN AAAA 2602:ff06:725:5:dc::1337 +; SPF +@ 86400 IN TXT "v=spf1 redirect=spf.noisebridge.net" +spf 86400 IN TXT "v=spf1 mx a:lists.noisebridge.net a:m3.noisebridge.net a:m4.noisebridge.net a:m5.noiesbridge.net a:m6.noisebridge.net ~all" + +; DKIM key mail for noisebridge.net +mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; t=y; " + "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwQ/A9wWjtaZlyqJOkmFLZd/eFzqWotOJ7AScqa9IAyUk1SH9TYZWPXfR0IHGMhswXfT0VZhopTKusPu09V385k6DMYmBys4QJaOgHCKZ5/13EUYR2M3WArAZbudzXzy6uZBh+FFuv5BuPVRd7elVeqDK0ZBHX90kpV8f1mAQANRBRSYJ0RctwcJzq88iRvGi2Csxemuk1VTXRC" + "UEWzpJOZL1oG80KhOfHRkFUdsgY+SYmQMKjaDMThCDLvh6718tbssSfUI8YPKbsGlNNleXpoIZZ4MCJ0TfbRTXmSqOyHh6XTLGPIVI2qajqiLEcBj0biwO0TF0bV7pLodlRfWZRiaRp3ATMBiDY/Zo68RlmuxqOrxrweN/JMS0kALoVAs3vVFhrH2CTu9zwZf5blVUfvs80+CxWorQOdV7Vjp1K+6JukH0vuMCK72L4W7AGbK76QQFKcG1" + "CS+EEgiBMBr98i64wKPeqPpGT6Bj5AKR14oPYRFwW0JbZGMpwX+FOmqT9X8BfnhH7b2Y7q25y/r94OdvmBxyabZBu4S+BaYRFN04B6+LpzPgD5YfVn3BMVoBlctjL6NIHhacRnnGsQRkrqTB43slGpM40gDUe1+3R3NpkHl3p59q/6RPafX9fwi9Vcvp+oxjFNXqaAdXdOr04zUbmJcgzzbOF9u2rtqcBI8CAwEAAQ==" ) + ; name servers ns 86400 IN A 216.252.162.220 ; m3 in iocoop SCL ns 86400 IN AAAA 2602:ff06:725:5:dc::1337 ; m3 in iocoop SCL @@ -32,6 +42,7 @@ noisebridge.net. 300 IN MX 10 m3.noisebridge.net. ; aliases www 300 IN CNAME m3.noisebridge.net. lists 300 IN CNAME m3.noisebridge.net. +lists 86400 IN TXT "v=spf1 redirect=spf.noisebridge.net" ; Primary hosting servers. m2 IN A 204.246.122.84 ; Old iocoop MSP VPS diff --git a/files/coredns/zones/noisebridge.org b/files/coredns/zones/noisebridge.org index 1a3ae1ad..01fc8af0 100644 --- a/files/coredns/zones/noisebridge.org +++ b/files/coredns/zones/noisebridge.org 
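Review bot: The `spf` TXT record contains `a:m5.noiesbridge.net`, where the domain is misspelled, so m5 is not authorised to send. The policy also now trusts a name outside the project's zones, and whoever controls that misspelled domain would be authorised by every zone that redirects to this record. It should read `a:m5.noisebridge.net`. Separately, the DKIM record carries `t=y` (testing mode), under which verifiers may treat signed mail the same as unsigned mail; remove the flag once signing is confirmed working.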
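Review bot: `lists` already owns a CNAME to `m3.noisebridge.net.` on the context line directly above the added `lists 86400 IN TXT` record, and a name that has a CNAME may not carry any other record type (RFC 1034 §3.6.2). Depending on the server, the zone is rejected at load or the TXT is never returned because resolvers follow the CNAME. Either publish the SPF TXT on the CNAME target (`m3`) or replace the `lists` CNAME with explicit A/AAAA records before adding the TXT.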
@@ -4,19 +4,22 @@ $TTL 3600 noisebridge.org. IN SOA ns.noisebridge.net. hostmaster.noisebridge.org. ( - 2018030600 ; Serial + 2020022200 ; Serial 3600 ; Refresh 300 ; Retry 604800 ; Expire 300 ) ; Minimum ; name server records -@ IN NS ns.noisebridge.net. -@ IN NS dns.hexapodia.org. +@ IN NS ns1.noisebridge.net. +@ IN NS ns2.noisebridge.net. ; hostnameless access @ 300 IN A 216.252.162.220 @ 300 IN AAAA 2602:ff06:725:5:dc::1337 +; SPF +@ 86400 IN TXT "v=spf1 redirect=spf.noisebridge.net" + ; aliases www 300 IN CNAME m3.noisebridge.net. diff --git a/files/postfix/dkim.key b/files/postfix/dkim.key new file mode 100644 index 00000000..d7a41559 --- /dev/null +++ b/files/postfix/dkim.key 
@@ -0,0 +1,167 @@ +$ANSIBLE_VAULT;1.1;AES256 +36363834333335363130386462323438396665633865396534623330396533373336386164646430 +3764306432313638366465613834326634656138636436610a343861346533303032363935366239 +32343639626561346534316135353562663465333936613166333266653938326438366334636530 +6635366363393964340a303661633933646439323761323662303766626366623631366535316438 +64623337343631613361663937613262353263356336386465356432333235353564353930356431 +63386332316265623565663834376130626636666533353032623839623930323538313635323435 +61393136306335343739633232346363363032643833346561663335353532383333656366666635 +39626338653630306164303036353933643930373834313134623539653731383563313530346264 +30343734653430346230386630363030336264333462663462643436363239363339653465663733 +32646631663431386232623137356635623232613730373837646364303066663138343239306465 +64646331366563656663653866346264643663613331396136383438356337343133363834326136 +35653836653763326231643437383066626438386461313162373064653532393234623731623336 +62356362346537333538616532353339303161333231653363326663636663633638613435383264 +64383364366533626261373731313361626562666230383536633233316637616361623562306261 +30353263653730366533613839316337636339313936616566343635303463383663373162363035 +35366434626136396332326436316632366634643036613366376566363265346433316363323637 +65393063633861636561373634613438636534356634336130646264306330343232373264663961 +66376533316335623963343366663731303935313638363364356465333361366665643163353932 +62663137613830343532633462373664383033643539326330366332363462393863336632323939 +34383563656432643765653766313166386566656338643735636266326135643730336363323030 +33383535643262646561663661336331343539613036633539393439346130643663643663373930 +65383239653865326337663066323666363063653962306637373039613335613432396262313334 +61353637393632313030666565623631626331656238373830646537653561323562303236636530 
+39383766626133356465373865623164303937353762633464353938643938393132386530636466 +34623631363364356637373432303330633230613830623938353366386430303431663635313965 +33356235356661616461373233346439613338313534626361343566316638353761303831653866 +39383161343065663332326636623062316162333433353934643061396331353233346666393034 +30306331303862333333303265393737656136306437373732303337373937353865656535316166 +32643331303032663135646234306332393730633438633165653261616166383536343336363531 +35333263353731313432303335333033613363396663313530656164336135336531333163386339 +66613036633739316434386166313334343731623934633338333761353363633661326164643632 +34623736646566336131363032306561373164653737356335393132613733353963356130303466 +34303037333030626136386564636434656666626439633533333036303362636236316538363863 +62626435633630363361666233353534656136316236636636653732363733316134623332373832 +62623365393130306664636561396334663363323335326131393265303237313064613032393236 +35663737623262393937656630623066373939376234356331633931656536353837356461323863 +64376230326666383137656664316434613262356665376536643938646163363439303462316533 +37613936383633313361666334366432306434313162326262626536353561646533643439663332 +35316430616266363134383563373132623031383433616138353464643063646462363164353763 +31633433363261653036613038346463303761626163323662363463353332343764613665666537 +34323661306438353031656437613164646635333435356266616634663134663331323831666133 +31326633343030346431333762343162623934643135323765326339363839373763333231313037 +31333734366163383135623661336431663236633639306665613564663935643461623162383832 +63616466303036373039303132616338653934343137656638656332363261633666313265356537 +30633665373462666133613430373132353236663035353838303933616666303563343230636661 +64346137323232313236356662313563343834666137313334376232363463663232373838393735 +37393635633336386635353337336333346564646266633239386664633937333565643862353031 
+64666362306337313138346166373235663061303236323262313037373864383261333361323030 +63323732353736623664313262323462623639366663646633626339353030636433333661356364 +61393438343065613662636331383861393662363462663564643638326635303736363061343866 +62666163666536663963616639363531626664373064343933636439646465313038363737333632 +63313937666663656437366364303139386363373235643761343430373233643866343239383934 +33366662333235323831653134396163613935303934303839633661383965393931356638323631 +31633339373966656361363866386161616336663064383435343733313936306662393135666430 +61376133323630313033646439363435646461393338316361633863306435623662383238353835 +33616135316632306236346534383737313666313939383536393736356165646264616334303364 +39663033323031646638343765376366323935646136336361383261336131393863383966373963 +32626638386134386463303139663466636537333263663165653036613136316433373165613865 +63643761383163653339626436336161653732373861356532366230306363633634653139313864 +36623662363331643230323162633237313634343930636430313137356665346661323038353432 +66323266383930393539383663386661613139353539353636316466393065343735343361643237 +63653837616531346139636333623362386638343562303064396637663361316633343064383662 +65393934636464646566643037666161643233373961323234343330333962663163346138393133 +63363434383063366536386436373730303464626363636566643833653035613066313162363333 +61646537356434323033323530356135333830646533353438376439313761626532316363353237 +65313230396461356463343034326133333261366431633134643430393639633930346336656237 +39643232323762613635303838393130353864626138323936326563323533313966656139643738 +32306335303066666463336138643361666536336630616536386232393533623538663765633333 +65303363636531333838336564383737633039333631306138666632393339623133636162393239 +66316430386564393265356461313938613037343533363364633538666363316532376633643135 +64623063323537323633633331386539316639356361666364306164616665333462353335643836 
+35383332373665303035323866626163343066363337303962616266313232333234363333653434 +32656136623266336464633830616234303865343830376364613631616537323039663164363730 +36643765323235363733383461343237626265623064353239303137663962636562326239326636 +33356261626132383635666661656266336436373863336365643332306231363736333964303735 +65663837343236633163626463623637396464323462303031346137313637626233616661346430 +32353764393737393937323630366465643435633031303238316339353933663666633365333966 +64633335613062356464646161623631643864363561376335303934653864366230653633303566 +31653865343037346333366463396633643231656530326262333363343637643936316130323463 +38313366376337643138383362316634613731663466353634313934666565386535363932633336 +38613462326334363333326638383839656539663965643133303063363664666536393939633336 +64376131653330353661356333313332623231336164666465656130613734656330663733306433 +63373933306264613564333534313966613239666436323934613662383630616236663333333730 +38303562326161613238346663623237316265666430616231303332366635636462303462313462 +34336432396237616563386236643461323735626439646565393234343361303166313766326531 +30323139353438353465316462303730376231363238356333616230653534636239353036616531 +30633065383532303561323966353936386638633136323662316335313335333439366561393439 +35653266623339613639653638356131303263316463636337616131353437396535633237353633 +36666464626538323934616562643032366163386537323832613565623432373966343738383332 +66356335613733383537646163313335356461656465653631393761613430383638613535643466 +66323732393464346534666461653964343562333735653361313935313463376338353431613433 +37636261333937363337626332343439636635336332363632346231633930656435326566303965 +66663563623835393932383335656433643564393265663930316363393330626538626138623762 +30333163303531663932343263386532646461616161323531373339623939393331343032626133 +63346632656266653537366163656262373934616436386138646164393565353338316565323434 
+66393561633532363730656332633365623532323265656364313365353238663138346537616261 +38326435653134356661663262303465666366306564643137633063356430303962313638303962 +30303266656230333934656630646166643065313733633438393436396362636530353666633032 +39313436663731343934353938376233636233343132666330636638383735643163653638386138 +66333833393562323838303231636139613862353830356361663134646132653739653330653737 +34633465366538643238333038656230386135396334333033616238616335656331326131383037 +62386563363839383932396639363639346530323930643438333338636461646633313233666432 +61346238343437623964323032383236646133356465333239353136656232613538623236636333 +62663665636366626366326431336363646538623366376362303665616364353739383762636339 +35623133646432316662353562346362373833323432616365303866376465316661643166366366 +65623864323361313664643461396634356566626661643366616361303166393935393536333962 +64613536393630396430633838386135633466333862643465383132373061653338393962333333 +34333637316164346334613135306534363765363436383163363365366264613565393462303266 +35666130396331333233353165663563306236343531663539653735376137376564343933663830 +38343765306166376138353736313936366262613963663538366462346636336436613661326265 +35356430623136613664633664626235623164303263633333376464343431373530663933326534 +61343862393463323964613336656334663262383366666564343139363163613933626233336432 +65343534336666623562616265376531343434636338636535326132316539383134613332393535 +33633930346438646132313239656535383730663964633631313530666238386633633563333635 +31373638616365306138326661393337383334396163386136393239316633333134666466306338 +37363564306366393439643562313436323963636632623539383135633530613438343566383665 +64633163616466353964636238653030346562336366363532303565373938353435633766616333 +62393633666138623834313939663065646132643764343232373663323836393962656661646333 +38363733323436333765656630393364396464343635643066653238353033626262633034643231 
+30366638373031306465376436386261306635356464646338613130636634346339343437623534 +39356139323966326264373838376661373065633432306634633532353566663466343633613834 +34323438353238306666393735636334653266303030653566363365306665636433626235666461 +65383663313434393132643838363539333435393763356633363836323666333533376335346134 +36343034376135633063303962623935616536373239306331613035303661383761396265663736 +64386662633431363134336265643463383062373330313266643436386334363466333038663461 +63383834653132363663393035626430366130633634316439366365646464323434623333303730 +66316638623536616366663337383235363432306632346465303863313763646465323034323036 +62323638323930356362373339333637643565623735353637343065336131663363633933613936 +66336232333733313865323962313334643834333564613864316133626461353665393935386438 +65623166303165333733653239393233393230653534346533333164303032666639386230653066 +37386562393362313435323864623930613030366138353439306231396437303638383465333664 +38626365386563613834386534373437323663326137646236343633653439306137613165393864 +32653338306230633564653462323264376138623763653737623331396531393438636537396666 +64366164356465663161626663646538653831353530653336613331643863316130313361633730 +34613137633761636161623239653932383135373435303338393234353337343465383863646132 +34653562343564616630393839363931356363316333663830633331633230363266336665343737 +32653939663635646133373361613065656665616632313637303338323961363731636361396135 +30633034366639663665663261663430643635656134353538333135626163376462343661313565 +33626266386130633164353264306539333030363231656631373231363832353062303131373738 +65393732336566336435366330303633386336646561323661393631303137633166363533663436 +34323534393139343331623364653836613937303636323832356465303666663865313439333534 +39303435643233613035336364613039663839633636613666356438613935333138313266343633 +36666136373631313734326264656635353336306562363563343439333037663737303138356536 
+66326665316232396232376334383866356337626132363732363530323437633235376162393038 +38343532333831336532363037636262373937356238336134356139343266396639656137323636 +66643236356138333131363239303836383165396435643535663964353930346133653837616239 +63363862633063623166613234336266316166656462303335333832323637626362333732666166 +65663633306565653931346564343263623936626633376163373437346563373664383430613164 +31633762613731326232323034346165366234376335343136393366373865663639383262393265 +34633831663836666633393138626133343834306338613964303664366333306335363765343935 +34633231303633396364306363346664653038616464363737396635376562383966323561626464 +37343435633531383534323566383538653738393739383037613163346663393037653765346330 +31333630366465393031393334386261363539653262663963393265363861363434363033653332 +35333137303837663233326261653434633834326262663665306431363761316136363036376466 +30303064633062333639626662383535323736643333353962633162386639346132626436373663 +66323730316531356531613234313232306130653238313232366233386634383832363631326537 +33323363393739646639323537616231313937363166393634653734373737653931623865373137 +30323439313364396438646161303063316263346538306135316534353634303730363038653533 +34643433353534353439303630633637306438663134616566353637383861356237333765303661 +36336234393465306661366666333636383563616532633032396361343735316662373636343534 +30633234363336666639653561623034663966623831616336343839333563323432653862656538 +33646363303662626166646162386566343538353766653862346665323761373636326632303134 +38663033646238663362303963333533626663343661623333343633633765666536366463363931 +35633130333937633964333462356536633561623562336231336131353537313432373931653964 +65396633313137643265646266633133303130323366643733393462346564386239316138326331 +3866343132363136353862636232343635653834323635623261 diff --git a/roles/coredns/defaults/main.yml b/roles/coredns/defaults/main.yml index 113ce170..f3ac8406 100644 
--- a/roles/coredns/defaults/main.yml +++ b/roles/coredns/defaults/main.yml @@ -2,7 +2,7 @@ coredns_user: coredns coredns_port: 53 coredns_path: /srv/coredns -coredns_version: "1.5.0" +coredns_version: "1.6.7" coredns_download_url: https://github.com/coredns/coredns/releases/download coredns_config: | diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml index d5ed0fd4..42a36fcc 100644 --- a/roles/postfix/handlers/main.yml +++ b/roles/postfix/handlers/main.yml @@ -1,9 +1,18 @@ --- +- name: restart opendkim + systemd: + name: opendkim + state: restarted + - name: restart postfix - service: name=postfix state=restarted + systemd: + name: postfix + state: restarted - name: restart postgrey - service: name=postgrey state=restarted + systemd: + name: postgrey + state: restarted - name: reload-aliases command: /usr/bin/newaliases diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml index 6e7c8f2e..e1a33d79 100644 --- a/roles/postfix/tasks/main.yml +++ b/roles/postfix/tasks/main.yml @@ -8,6 +8,8 @@ - postfix-pcre - postgrey - procmail + - opendkim + - opendkim-tools tags: - postfix - mail 
@@ -93,6 +95,50 @@ notify: - restart postfix +- name: setup opendkim postfix socket dir + file: + path: /var/spool/postfix/opendkim + state: directory + owner: opendkim + group: postfix + mode: 0755 + +- name: copy dkim key + copy: + src: postfix/dkim.key + dest: /etc/dkimkeys/dkim.key + owner: opendkim + group: opendkim + mode: 0400 + notify: + - restart opendkim + +- name: install opendkim configuration + template: + src: opendkim.conf.j2 + dest: /etc/opendkim.conf + owner: root + group: root + notify: + - restart opendkim + +- name: install opendkim defaults + template: + src: opendkim-default.j2 + dest: /etc/default/opendkim + owner: root + group: root + notify: + - restart opendkim + +- name: add postfix user to opedkim group + user: + name: postfix + groups: opendkim + append: yes + notify: + - restart postfix + - name: configure secure submission port replace: regexp: "^#submission .*" diff --git a/roles/postfix/templates/main.cf b/roles/postfix/templates/main.cf index 6931225d..d33e0990 100644 --- a/roles/postfix/templates/main.cf +++ b/roles/postfix/templates/main.cf @@ -1,3 +1,4 @@ +{{ ansible_managed | comment }} # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first 
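Review bot: The `copy dkim key` task writes the vault-decrypted private key without suppressing task output, so a run with `--diff` or high verbosity can print key material to the terminal and to any captured CI log; add `no_log: true` to that task. The two `template` tasks for `/etc/opendkim.conf` and `/etc/default/opendkim` set owner and group but no `mode`, so the resulting permissions depend on the umask in effect; an explicit `mode: "0644"` makes them deterministic, and quoting the existing `0755` and `0400` values avoids YAML octal parsing surprises. The task name `add postfix user to opedkim group` has a typo and should read `opendkim`.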
@@ -19,16 +20,22 @@ readme_directory = no # TLS parameters # smtpd_tls_cert_file=/etc/postfix/noisebridge.net-cert.pem # smtpd_tls_key_file=/etc/postfix/noisebridge.net-key.pem +smtpd_use_tls = yes smtpd_tls_cert_file=/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites/noisebridge.net/noisebridge.net.crt smtpd_tls_key_file=/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites/noisebridge.net/noisebridge.net.key smtpd_tls_ciphers = high -smtpd_use_tls=yes -smtpd_tls_exclude_ciphers = aNULL, MD5, DES, RC4-SHA, AES256-SHA, AES128-SHA -smtp_tls_protocols = !SSLv2, !SSLv3 -smtpd_tls_mandatory_protocols = TLSv1 -smtp_tls_note_starttls_offer = yes +smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2 +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 +smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 +smtpd_tls_security_level = may smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtpd_tls_loglevel = 1 +smtp_tls_security_level = may +smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2 +smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 +smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1 +smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for @@ -88,3 +95,9 @@ message_size_limit = 100000000 # SuperQ (2013-03-20): Reduce default process pools from default of 100 default_process_limit = 50 + +# DKIM setup +milter_default_action = accept +milter_protocol = 6 +smtpd_milters = local:opendkim/opendkim.sock +non_smtpd_milters = local:opendkim/opendkim.sock diff --git a/roles/postfix/templates/opendkim-default.j2 b/roles/postfix/templates/opendkim-default.j2 new file mode 100644 index 00000000..5ac53e7d --- /dev/null +++ b/roles/postfix/templates/opendkim-default.j2 
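Review bot: With `smtpd_tls_security_level = may` and `smtp_tls_security_level = may`, TLS is opportunistic, so a peer shut out by the new `*_tls_exclude_ciphers` and `!TLSv1` settings does not fail closed. It typically falls back to cleartext, which is weaker than the legacy TLS being refused. That trade-off deserves a comment in the file, for example `# opportunistic TLS: peers limited to TLSv1 or MEDIUM ciphers will fall back to plaintext`. The `*_tls_mandatory_protocols` values only apply where the security level is `encrypt` or stricter, which is not set anywhere in the visible lines. `smtpd_use_tls = yes` is superseded by `smtpd_tls_security_level` and can be dropped.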
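Review bot: `milter_default_action = accept` in the DKIM block means that whenever the opendkim socket is missing or the daemon is down, mail is delivered unsigned with no error surfaced to the sender. That is a defensible availability choice, but it should be recorded in a comment above the setting, for example `# accept: deliver unsigned rather than defer when opendkim is unavailable`. If unsigned delivery is not acceptable once receivers start relying on the signature, `milter_default_action = tempfail` keeps mail queued until the milter is back. `milter_protocol = 6` is the default on current Postfix releases and could be omitted.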
@@ -0,0 +1,23 @@
+{{ ansible_managed | comment }}
+# Command-line options specified here will override the contents of
+# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
+#DAEMON_OPTS=""
+# Change to /var/spool/postfix/var/run/opendkim to use a Unix socket with
+# postfix in a chroot:
+#RUNDIR=/var/spool/postfix/var/run/opendkim
+RUNDIR=/var/run/opendkim
+#
+# Uncomment to specify an alternate socket
+# Note that setting this will override any Socket value in opendkim.conf
+# default:
+SOCKET=local:/var/spool/postfix/opendkim/opendkim.sock
+# listen on all interfaces on port 54321:
+#SOCKET=inet:54321
+# listen on loopback on port 12345:
+#SOCKET=inet:12345@localhost
+# listen on 192.0.2.1 on port 12345:
+#SOCKET=inet:12345@192.0.2.1
+USER=opendkim
+GROUP=opendkim
+PIDFILE=$RUNDIR/$NAME.pid
+EXTRAAFTER=
diff --git a/roles/postfix/templates/opendkim.conf.j2 b/roles/postfix/templates/opendkim.conf.j2
new file mode 100644
index 00000000..5cdd00fd
--- /dev/null
+++ b/roles/postfix/templates/opendkim.conf.j2
@@ -0,0 +1,81 @@
+{{ ansible_managed | comment }}
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 007
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+Domain *
+KeyFile /etc/dkimkeys/dkim.key
+Selector mail
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization simple
+#Mode sv
+#SubDomains no
+
+# Socket smtp://localhost
+#
+# ## Socket socketspec
+# ##
+# ## Names the socket where this filter should listen for milter connections
+# ## from the MTA. Required. Should be in one of these forms:
+# ##
+# ## inet:port@address to listen on a specific interface
+# ## inet:port to listen on all interfaces
+# ## local:/path/to/socket to listen on a UNIX domain socket
+#
+#Socket inet:8892@localhost
+Socket local:/var/spool/postfix/opendkim/opendkim.sock
+
+## PidFile filename
+### default (none)
+###
+### Name of the file where the filter should write its pid before beginning
+### normal operations.
+#
+PidFile /var/run/opendkim/opendkim.pid
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+## ResolverConfiguration filename
+## default (none)
+##
+## Specifies a configuration file to be passed to the Unbound library that
+## performs DNS queries applying the DNSSEC protocol. See the Unbound
+## documentation at http://unbound.net for the expected content of this file.
+## The results of using this and the TrustAnchorFile setting at the same
+## time are undefined.
+## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+## unbound package
+
+# ResolverConfiguration /etc/unbound/unbound.conf
+
+## TrustAnchorFile filename
+## default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile /usr/share/dns/root.key
+
+## Userid userid
+### default (none)
+###
+### Change to user "userid" before starting normal operation? May include
+### a group ID as well, separated from the userid by a colon.
+#
+UserID opendkim
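Review bot: `Domain *` combined with the single `KeyFile` and `Selector mail` makes opendkim sign mail for any From domain with selector `mail`, but only the noisebridge.net zone in this commit publishes a `mail._domainkey` record. noisebridge.com and noisebridge.org receive SPF only, so signatures made for those domains, or for any other domain passing through, would not verify. Listing the intended domain explicitly (`Domain noisebridge.net`) or publishing the same key in the other zones closes the gap. The comment above the setting still describes `example.com` and selector `2007` from the packaged sample and should be updated to the real values. `TrustAnchorFile /usr/share/dns/root.key` assumes that file exists on the host, and no package providing it is added in the visible task changes.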