diff --git a/scripts/60-rspamd-opendkim.sh b/scripts/60-rspamd-opendkim.sh
index d50e439..670f9df 100644
--- a/scripts/60-rspamd-opendkim.sh
+++ b/scripts/60-rspamd-opendkim.sh
@@ -228,23 +228,15 @@ chmod 0750 /usr/local/sbin/mailwolt-remove-dkim
 # --- Sudoers für beide Helper sicherstellen -------------------
 APP_USER="${APP_USER:-mailwolt}"
-cat >/etc/sudoers.d/mailwolt-dkim < /etc/sudoers.d/mailwolt-dkim </etc/sudoers.d/mailwolt-dkim </dev/null
 # ── Dienst + Postfix-Milter aktivieren ─────────────────────────
 systemctl daemon-reload
diff --git a/scripts/80-app.sh b/scripts/80-app.sh
index f4ec18d..bb9f3cf 100644
--- a/scripts/80-app.sh
+++ b/scripts/80-app.sh
@@ -171,6 +171,17 @@ setfacl -R -m u:www-data:rwx,u:${APP_USER}:rwx storage bootstrap/cache || true
 setfacl -dR -m u:www-data:rwx,u:${APP_USER}:rwx storage bootstrap/cache || true
 log "[✓] Schreibrechte für Laravel korrigiert."
+# --- DKIM: Verzeichnisse & Basisrechte --------------------------------------
+# Laravel-Storage: private/dkim von mailwolt beschreibbar
+install -d -m 0770 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR/storage/app/private"
+install -d -m 0770 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR/storage/app/private/dkim"
+
+# OpenDKIM: keys & dns-Verzeichnis
+install -d -m 0750 -o opendkim -g opendkim /etc/opendkim
+install -d -m 0750 -o opendkim -g opendkim /etc/opendkim/keys
+install -d -m 0755 -o root -g root /etc/mailwolt
+install -d -m 0755 -o root -g root /etc/mailwolt/dns
+
 # --- Caches leeren, Migrationen ausführen -----------------------------------
 sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear"
 sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan migrate --force"
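Review bot: In the 80-app.sh hunk `/etc/opendkim` itself is created as `opendkim:opendkim` 0750, so if the KeyTable/SigningTable that the helper maintains live in that directory, the daemon account can rename or replace them; only the `keys` subdirectory needs to belong to the service user. I would write `install -d -m 0750 -o root -g opendkim /etc/opendkim` and keep the `keys` line as it is. Note that GNU `install -d` re-applies owner and mode to a directory that already exists, and that the `setfacl -dR` default ACL two lines above grants `www-data` rwx on everything created under `storage`, so `storage/app/private/dkim` and the private keys written into it are presumably readable by the web server account unless that inheritance is intended. The sudoers hunk in 60-rspamd-opendkim.sh is truncated in this rendering (the heredoc body did not survive), so it cannot be reviewed here.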
@@ -180,7 +191,7 @@ if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
 sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan db:seed --class=SystemDomainSeeder --force"
 fi
-# --- DKIM für SYSMAIL_DOMAIN via App erzeugen & in OpenDKIM einhängen -------
+# --- DKIM für SYSMAIL_DOMAIN via App erzeugen & per Helper einhängen --------
 DKIM_ENABLE="${DKIM_ENABLE:-1}"
 DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
 SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}"
@@ -188,27 +199,43 @@ SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}"
 if [[ "${DKIM_ENABLE}" = "1" && -n "${SYSMAIL_DOMAIN}" ]]; then
 log "Erzeuge/aktualisiere DKIM für ${SYSMAIL_DOMAIN} (Selector: ${DKIM_SELECTOR}) …"
- TMP_PRIV="$(mktemp /tmp/dkim_priv_XXXXXX.pem)"
- TMP_TXT="$(mktemp /tmp/dkim_txt_XXXXXX.txt)"
- chown "${APP_USER}:${APP_GROUP}" "$TMP_PRIV" "$TMP_TXT"
- chmod 600 "$TMP_PRIV" "$TMP_TXT"
+ # 1) In der App generieren (als mailwolt), und Pfad + TXT zurückgeben
+ OUT="$(sudo -u "${APP_USER}" -H bash -lc "
+ set -e
+ cd '${APP_DIR}'
+ php -r '
+ require \"vendor/autoload.php\";
+ \$app=require \"bootstrap/app.php\";
+ \$app->make(Illuminate\\Contracts\\Console\\Kernel::class)->bootstrap();
+ \$d = App\\Models\\Domain::firstOrCreate([\"domain\"=>\"${SYSMAIL_DOMAIN}\"],[\"is_active\"=>1,\"is_system\"=>1]);
+ \$r = app(App\\Services\\DkimService::class)->generateForDomain(\$d, 2048, \"${DKIM_SELECTOR}\");
+ echo \$r[\"priv_path\"], \"\\n\";
+ echo \$r[\"dns_txt\"], \"\\n\";
+ '
+ ")"
- sudo -u "${APP_USER}" -H bash -lc "cd ${APP_DIR} && php -r '
- require \"vendor/autoload.php\";
- \$app = require \"bootstrap/app.php\";
- \$kernel = \$app->make(Illuminate\\Contracts\\Console\\Kernel::class); \$kernel->bootstrap();
- \$domain = App\\Models\\Domain::firstOrCreate([\"domain\"=>\"${SYSMAIL_DOMAIN}\"],[\"is_active\"=>1,\"is_system\"=>1]);
- \$svc = app(App\\Services\\DkimService::class);
- \$res = \$svc->generateForDomain(\$domain, 2048, \"${DKIM_SELECTOR}\");
- file_put_contents(\"${TMP_PRIV}\", \$res[\"private_pem\"]);
- file_put_contents(\"${TMP_TXT}\", \$res[\"dns_txt\"]);
- echo \"OK\\n\";
- '"
+ PRIV_PATH="$(printf '%s\n' "$OUT" | sed -n '1p')"
+ DNS_TXT="$(printf '%s\n' "$OUT" | sed -n '2,$p')"
- if [[ -x /usr/local/sbin/mailwolt-install-dkim ]]; then
- sudo /usr/local/sbin/mailwolt-install-dkim "${SYSMAIL_DOMAIN}" "${DKIM_SELECTOR}" "${TMP_PRIV}" "${TMP_TXT}" || true
+ if [[ -z "$PRIV_PATH" || ! -s "$PRIV_PATH" ]]; then
+ echo "[!] DKIM priv_path fehlt oder Datei leer: $PRIV_PATH" >&2
+ exit 1
 fi
- rm -f "${TMP_PRIV}" "${TMP_TXT}" || true
+
+ TMP_TXT="$(mktemp /tmp/dkim_txt_XXXXXX.txt)"
+ printf '%s' "$DNS_TXT" >"$TMP_TXT"
+
+ # 2) Root-Helper ausführen (hängt Key ein, pflegt Key/SigningTable, kopiert TXT)
+ if [[ -x /usr/local/sbin/mailwolt-install-dkim ]]; then
+ /usr/local/sbin/mailwolt-install-dkim "${SYSMAIL_DOMAIN}" "${DKIM_SELECTOR}" "${PRIV_PATH}" "${TMP_TXT}"
+ else
+ echo "[!] Helper /usr/local/sbin/mailwolt-install-dkim fehlt oder ist nicht ausführbar." >&2
+ fi
+
+ rm -f "$TMP_TXT" || true
+
+ # 3) OpenDKIM neu laden
+ systemctl reload opendkim || systemctl restart opendkim || true
 else
 log "DKIM übersprungen (DKIM_ENABLE=${DKIM_ENABLE}, SYSMAIL_DOMAIN='${SYSMAIL_DOMAIN}')."
 fi
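Review bot: `PRIV_PATH` is taken verbatim from the app's stdout and handed to the root-run `/usr/local/sbin/mailwolt-install-dkim`, yet the only check on it is `-s`; any file readable by root that the unprivileged app account names there would be installed into `/etc/opendkim/keys` by the helper. Since the key is expected under `$APP_DIR/storage/app/private/dkim` (the directory this file creates earlier), the script should resolve the path and refuse anything outside that prefix before calling the helper, as in the fence below. The same quoting/interpolation concern applies to `${SYSMAIL_DOMAIN}` and `${DKIM_SELECTOR}`, which are spliced into PHP source inside a double-quoted `bash -lc` string; they presumably come from the installer's own config, but exporting them and reading `getenv()` in the PHP snippet would remove the problem entirely. Anything PHP prints to stdout before the path (a deprecation notice, for instance) becomes line 1 of `OUT` and makes the `-s` check fail with a misleading message, so printing the path with a fixed prefix and extracting that line would make the parse more robust.
```shell
  PRIV_PATH="$(printf '%s\n' "$OUT" | sed -n '1p')"
  DNS_TXT="$(printf '%s\n' "$OUT" | sed -n '2,$p')"

  # The path comes from the unprivileged app and is passed to a root helper:
  # resolve it (follows symlinks, fails if missing) and only accept a regular
  # file inside the app's DKIM directory.
  DKIM_DIR="${APP_DIR}/storage/app/private/dkim"
  PRIV_PATH="$(realpath -e -- "$PRIV_PATH")" || { echo "[!] DKIM priv_path ungültig: $PRIV_PATH" >&2; exit 1; }
  case "$PRIV_PATH" in
    "${DKIM_DIR}"/*) ;;
    *) echo "[!] DKIM priv_path außerhalb von ${DKIM_DIR}: $PRIV_PATH" >&2; exit 1 ;;
  esac
  if [[ ! -f "$PRIV_PATH" || ! -s "$PRIV_PATH" ]]; then
    echo "[!] DKIM priv_path fehlt oder Datei leer: $PRIV_PATH" >&2
    exit 1
  fi
  # … unchanged: TMP_TXT, helper call, cleanup, opendkim reload …
```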