diff --git a/scripts/10-provision.sh b/scripts/10-provision.sh
index 05f4ded..3bd7c0c 100644
--- a/scripts/10-provision.sh
+++ b/scripts/10-provision.sh
@@ -31,8 +31,16 @@ install -d -m 0755 -o root -g root /var/www
 install -d -m 0775 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR"
 
 SUDOERS_DKIM="/etc/sudoers.d/mailwolt-dkim"
-cat > "${SUDOERS_DKIM}" <<EOF
-${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim *
+cat > "${SUDOERS_DKIM}" <<'EOF'
+# mailwolt darf diese Kommandos ohne Passwort ausführen (für DKIM-Setup)
+Defaults:mailwolt !requiretty
+
+# DKIM-Helfer (mit beliebigen Argumenten)
+mailwolt ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim *
+mailwolt ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-remove-dkim *
+
+# OpenDKIM neu laden
+mailwolt ALL=(root) NOPASSWD: /bin/systemctl reload opendkim
 EOF
 chown root:root "${SUDOERS_DKIM}"
 chmod 440 "${SUDOERS_DKIM}"