DKIM does not actually work #117

Open
prj opened this issue Dec 11, 2022 · 2 comments

prj commented Dec 11, 2022

Following the tutorial it is impossible to set up DKIM.
It works only as long as you let it re-generate it every time, which makes it completely useless, as all e-mails fail DKIM unless you update your domain every single time you restart the server!

The moment you try to send something via SMTP, you get the following error:
mail-forwarder | Dec 11 14:06:08 56cddd08332c opendkim[953]: default._domainkey.xxxx.com' key data is not secure:
mail-forwarder | Dec 11 14:06:08 56cddd08332c opendkim[953]: 5339536064D: error loading key 'default._domainkey.xxxx.com'

I can only surmise that this happens when you are mounting the volume on the host, that some permissions do not match.
If I just leave it as-is, then I get this error; if I try to constrain the users, then I get a permission denied error.

In my case the top level is owned by root, txt owned by root, key owned by "systemd-network:systemd-journal".
Permissions are 0600 on the files.

Not only does this break DKIM, it is impossible to send any e-mail at all; it errors out on the first e-mail and then just times out.


prj commented Dec 11, 2022

I managed to work around the issue by mounting /etc/opendkim as a volume, and then adding:
RequireSafekeys False
I still get the unsafe error, but at least e-mail sending works.

Also, while mounting it, the generated file was truncated/wrong somehow (half the file missing), so I had to manually pull it out of the docker container through a shell.

@thexperiments

Had the same issue, looks like it checks the rights not just on the key files but also on the folders.
I did this to fix it for me in the directory mounted to the container from the host:

chown 100:101 -R /folder/you/mounted

This makes sure all files and folders in the directory are owned by 100:101, which should map to user opendkim and group opendkim in the container.
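
As an added example (not part of this thread or of the project's code), the shell functions below list which entries between a key file and the mounted top directory would fail an ownership and permission check, which helps find the entry behind a "key data is not secure" message before changing ownership recursively. The rules applied are an assumption, not OpenDKIM's own logic; the function names are hypothetical, and uid 100 is the value given in the comment above.

```shell
#!/bin/sh
# Added example. Assumed rules (not OpenDKIM's own logic): every entry is owned
# by the expected uid or root, the key file grants nothing to group/others,
# and directories are not writable by group/others.
# Needs a stat that supports -c (GNU coreutils or BusyBox).

# check_entry PATH EXPECTED_UID file|dir -> prints a verdict, returns 1 if flagged
check_entry() {
    path=$1; want_uid=$2; kind=$3
    uid=$(stat -c '%u' "$path") || return 1
    mode=$(stat -c '%a' "$path") || return 1
    perm=$((0$mode))                      # stat prints octal digits, e.g. 600
    if [ "$kind" = file ]; then mask=$((077)); else mask=$((022)); fi
    rc=0
    if [ "$uid" != "$want_uid" ] && [ "$uid" != 0 ]; then
        echo "FLAG $path: owner uid $uid, expected $want_uid or 0"; rc=1
    fi
    if [ $(( $perm & $mask )) -ne 0 ]; then
        echo "FLAG $path: mode $mode is too open for a $kind"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok   $path: uid $uid mode $mode"
    return "$rc"
}

# audit_key_path KEYFILE TOPDIR EXPECTED_UID
# Checks KEYFILE, then each directory from its parent up to TOPDIR inclusive.
# TOPDIR must be a literal prefix of KEYFILE (no trailing slash).
audit_key_path() {
    key=$1; top=$2; want_uid=$3
    bad=0
    check_entry "$key" "$want_uid" file || bad=1
    dir=$(dirname "$key")
    while :; do
        check_entry "$dir" "$want_uid" dir || bad=1
        case $dir in "$top"|/|.) break ;; esac
        dir=$(dirname "$dir")
    done
    return "$bad"
}

# Usage with the uid from the comment above (key path is a placeholder):
#   audit_key_path /folder/you/mounted/<key file> /folder/you/mounted 100
```

The function exits non-zero when any entry is flagged, so it can gate a container start script.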
