diff --git a/scripts/60-rspamd-opendkim.sh b/scripts/60-rspamd-opendkim.sh
index 7233d4c..d50e439 100644
--- a/scripts/60-rspamd-opendkim.sh
+++ b/scripts/60-rspamd-opendkim.sh
@@ -186,13 +186,13 @@ EOSH
 chmod 0750 /usr/local/sbin/mailwolt-install-dkim
 chown root:root /usr/local/sbin/mailwolt-install-dkim
-# --- mailwolt-remove-dkim -------------------------------------
-cat > /usr/local/sbin/mailwolt-remove-dkim <<'EOSH'
+# --- 2) mailwolt-remove-dkim ----------------------------------
+cat >/usr/local/sbin/mailwolt-remove-dkim <<'EOSH'
 #!/usr/bin/env bash
 set -euo pipefail
-DOMAIN="$1"
-SELECTOR="$2"
+DOMAIN="$1" # z.B. kunden.tld oder sysmail.example.com
+SELECTOR="$2" # z.B. mwl1
 OKDIR="/etc/opendkim"
 KEYDIR="${OKDIR}/keys/${DOMAIN}"
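Review bot: `DOMAIN="$1"` and `SELECTOR="$2"` are used unvalidated to build `KEYDIR="${OKDIR}/keys/${DOMAIN}"` and, in the next hunk, the paths handed to `rm -f` and `rmdir`, so a value containing `/` or `..` makes this root-owned helper act outside `/etc/opendkim/keys`. The sudoers drop-in written at the end of the diff suggests the helper is reachable by the application user through sudo, which would make these two arguments a trust boundary. Reject anything that is not a plain hostname or selector directly after the assignments, for example `[[ "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] || { echo "invalid domain" >&2; exit 2; }` and `[[ "$SELECTOR" =~ ^[A-Za-z0-9][A-Za-z0-9_-]*$ ]] || { echo "invalid selector" >&2; exit 2; }`. The generated script's body continues past this hunk.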
@@ -200,23 +200,41 @@ KEYPRI="${KEYDIR}/${SELECTOR}.private"
 KT="${OKDIR}/KeyTable"
 ST="${OKDIR}/SigningTable"
+# Key-Datei löschen (falls vorhanden)
 [[ -f "${KEYPRI}" ]] && rm -f "${KEYPRI}"
+# Zeilen aus KeyTable und SigningTable entfernen
 if [[ -f "$KT" ]]; then
- TMP="$(mktemp)"
- grep -v -F "${SELECTOR}._domainkey.${DOMAIN}" "$KT" > "$TMP" && mv "$TMP" "$KT"
+ tmp="$(mktemp)"; grep -v -F "${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:" "$KT" >"$tmp" && mv "$tmp" "$KT"
+ chown opendkim:opendkim "$KT"; chmod 0640 "$KT"
 fi
 if [[ -f "$ST" ]]; then
- TMP="$(mktemp)"
- grep -v -F "*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" "$ST" > "$TMP" && mv "$TMP" "$ST"
+ tmp="$(mktemp)"; grep -v -F "*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" "$ST" >"$tmp" && mv "$tmp" "$ST"
+ chown opendkim:opendkim "$ST"; chmod 0640 "$ST"
 fi
+
+# Verzeichnis ggf. aufräumen
 rmdir "${KEYDIR}" 2>/dev/null || true
-systemctl is-active --quiet opendkim && systemctl reload opendkim || true
+# Dienst neu laden, falls aktiv
+if systemctl is-active --quiet opendkim; then
+ systemctl reload opendkim || true
+fi
+
 echo "OK"
 EOSH
-chmod 0750 /usr/local/sbin/mailwolt-remove-dkim
 chown root:root /usr/local/sbin/mailwolt-remove-dkim
+chmod 0750 /usr/local/sbin/mailwolt-remove-dkim
+
+# --- Sudoers für beide Helper sicherstellen -------------------
+APP_USER="${APP_USER:-mailwolt}"
+cat >/etc/sudoers.d/mailwolt-dkim <