diff --git a/playbooks/apollo.yml b/playbooks/apollo.yml
index e9570039d3571279c2c5adb63a16ea547461c49b..27ce06f9ec454a738c34e4b18e7297fdc99dc993 100644
--- a/playbooks/apollo.yml
+++ b/playbooks/apollo.yml
@@ -30,7 +30,6 @@
 - { role: rspamd, tags: ["mail"] }
 - { role: unbound, tags: ["mail"] }
 - { role: postfix, postfix_relayhost: "mail.archlinux.org", postfix_smtpd_public: true, postfix_patchwork_enabled: true, tags: ["mail"] }
- - { role: opendkim, dkim_selector: apollo, tags: ['mail'] }
 - { role: postfwd, tags: ['mail'] }
 - role: postgres
 postgres_listen_addresses: "*"
diff --git a/playbooks/mail.archlinux.org.yml b/playbooks/mail.archlinux.org.yml
index e7a91e4d214072cc1b3250a38ea333b23d9c9c2a..f06f7ab0f6228e975f0488c35e28af2200ccf6f9 100644
--- a/playbooks/mail.archlinux.org.yml
+++ b/playbooks/mail.archlinux.org.yml
@@ -15,5 +15,4 @@
 - { role: postfwd, tags: ['mail'] }
 - { role: archusers }
 - { role: fail2ban }
- - { role: opendkim, dkim_selector: mail, tags: ['mail'] }
 - { role: prometheus_exporters }
diff --git a/roles/opendkim/handlers/main.yml b/roles/opendkim/handlers/main.yml
deleted file mode 100644
index b492603cbf76ee8cbb9eb2541d2cd07ccc140375..0000000000000000000000000000000000000000
--- a/roles/opendkim/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- name: restart opendkim
- service: name=opendkim state=restarted
-
diff --git a/roles/opendkim/tasks/main.yml b/roles/opendkim/tasks/main.yml
deleted file mode 100644
index 895a8afdbf686877046e707d46ce9ce074540c54..0000000000000000000000000000000000000000
--- a/roles/opendkim/tasks/main.yml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-
-- name: install opendkim
- pacman: name=opendkim state=present
-
-- name: install opendkim.conf
- template: src=opendkim.conf.j2 dest=/etc/opendkim/opendkim.conf owner=root group=root mode=0644
- notify:
- - restart opendkim
-
-- name: create opendkim spool directory
- file: path="/var/spool/opendkim/" state=directory owner=opendkim group=postfix mode=0750
-
-- name: install domains config
- template: src=domains.j2 dest=/etc/opendkim/domains owner=root group=root mode=0644
- notify:
- - restart opendkim
-
-- name: create dkim key directory
- file: path="/etc/opendkim/private" state=directory owner=root group=root mode=0700
-
-- name: generate DKIM key for {{ dkim_selector }}
- command: opendkim-genkey -r -s {{ dkim_selector }} -d archlinux.org --bits=4096
- args:
- creates: /etc/opendkim/private/{{ dkim_selector }}.private
- chdir: /etc/opendkim/private
-
-# see README.md for instruction on how to add the key to DNS. This will fail unless the key in DNS is correct!
-- name: verify key in dns
- command: opendkim-testkey -d archlinux.org -s {{ dkim_selector }} -k /etc/opendkim/private/{{ dkim_selector }}.private -vvv
- tags:
- - dkimverify
- changed_when: false
-
-- name: start and enable opendkim
- service: name=opendkim enabled=yes state=started
-
diff --git a/roles/opendkim/templates/domains.j2 b/roles/opendkim/templates/domains.j2
deleted file mode 100644
index 72ce5b29762eed1896a0373ba5acc77409124f67..0000000000000000000000000000000000000000
--- a/roles/opendkim/templates/domains.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-{# TODO check for mailman and add lists.archlinux.org to this list #}
-archlinux.org
-
diff --git a/roles/opendkim/templates/opendkim.conf.j2 b/roles/opendkim/templates/opendkim.conf.j2
deleted file mode 100644
index 2b45d59fe34a9349600994eb6e7e2c3402e13440..0000000000000000000000000000000000000000
--- a/roles/opendkim/templates/opendkim.conf.j2
+++ /dev/null
@@ -1,11 +0,0 @@ -AlwaysAddARHeader yes -Canonicalization relaxed/simple -Domain file:/etc/opendkim/domains -KeyFile /etc/opendkim/private/{{dkim_selector}}.private -Selector {{dkim_selector}} -Socket local:/var/spool/opendkim/opendkim -Syslog Yes -SyslogSuccess Yes -UMask 007 -UserID opendkim:postfix - diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2 index 898e3c84421bd7d011071dcf205798f0e40dbd5e..d2309f18bdb78b8e019548ea9968edb176374d13 100644 --- a/roles/postfix/templates/main.cf.j2 +++ b/roles/postfix/templates/main.cf.j2 @@ -165,8 +165,8 @@ submission_recipient_restrictions= permit_sasl_authenticated, reject -smtpd_milters=unix:/var/spool/opendkim/opendkim inet:localhost:11332 -non_smtpd_milters=unix:/var/spool/opendkim/opendkim inet:localhost:11332 +smtpd_milters=inet:localhost:11332 +non_smtpd_milters=inet:localhost:11332 # Pass internal mails through filters so they get signed by opendkim # XXX: Be careful not to have filters that may reject mails! diff --git a/roles/postfix/templates/master.cf.j2 b/roles/postfix/templates/master.cf.j2 index 25afbade0704220b6016337bddc2d6a2f1f02d24..5b64a2a5983d1bfaa71018f6eea3329acd05e3ad 100644 --- a/roles/postfix/templates/master.cf.j2 +++ b/roles/postfix/templates/master.cf.j2 @@ -30,7 +30,6 @@ submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_recipient_restrictions=$submission_recipient_restrictions -o smtpd_client_connection_count_limit=10 - #-o smtpd_milters=unix:/var/spool/opendkim/opendkim {% endif %} #smtp inet n - n - 1 postscreen diff --git a/roles/rspamd/files/local.d/dkim_signing.conf b/roles/rspamd/files/local.d/dkim_signing.conf new file mode 100644 index 0000000000000000000000000000000000000000..e5c764895c314cf94009776c976bc8d059d3be6d --- /dev/null +++ b/roles/rspamd/files/local.d/dkim_signing.conf 
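Review bot: The unchanged comment right after the new `non_smtpd_milters=inet:localhost:11332` line still says internal mail is "signed by opendkim", which this commit removes from the milter chain, so it now misdescribes the setup; it should read `# Pass internal mails through filters so they get signed by rspamd (DKIM signing milter on localhost:11332)`. Since DKIM signing now depends on that single milter, it is also worth confirming that `milter_default_action` (not visible in this hunk) matches the intended failure mode: with Postfix's default `tempfail`, an rspamd outage holds outbound mail, whereas `accept` would let it leave unsigned. Whether localhost:11332 is the rspamd proxy worker is inferred from the rspamd role changes in this commit, not from this hunk.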
@@ -0,0 +1,23 @@ +domain { + archlinux.org { + selectors [ + { + selector = "dkim-ed25519"; + path = "/var/lib/rspamd/dkim/archlinux.org.dkim-ed25519.key"; + }, + { + selector = "dkim-rsa"; + path = "/var/lib/rspamd/dkim/archlinux.org.dkim-rsa.key"; + } + ] + } +} + +check_pubkey = true; +allow_pubkey_mismatch = false; +allow_hdrfrom_mismatch = false; +allow_hdrfrom_mismatch_sign_networks = true; +allow_username_mismatch = true; +use_domain = "header"; +sign_authenticated = true; +use_esld = true; diff --git a/roles/rspamd/tasks/main.yml b/roles/rspamd/tasks/main.yml index 21066628f82e86f4ae3976d56f22e151a9b8643b..41c2a4ea257928cefed04560932cd88db285207c 100644 --- a/roles/rspamd/tasks/main.yml +++ b/roles/rspamd/tasks/main.yml @@ -7,5 +7,31 @@ notify: - reload rspamd +- name: create rspamd dkim directory + file: path=/var/lib/rspamd/dkim state=directory owner=rspamd group=rspamd mode=0755 + +- name: generate DKIM keys + command: rspamadm dkim_keygen -s dkim-{{ item.key_type }} -b {{ item.key_length }} -d archlinux.org -t {{ item.key_type }} -k archlinux.org.dkim-{{ item.key_type }}.key > archlinux.org.dkim-{{ item.key_type }}.key.pub + become: yes + become_user: rspamd + args: + creates: /var/lib/rspamd/dkim/archlinux.org.dkim-{{ item.key_type }}.key + chdir: /var/lib/rspamd/dkim + loop: + - {key_type: 'ed25519', key_length: 0} + - {key_type: 'rsa', key_length: 4096} + notify: + - reload rspamd + tags: + - generate_dkim_keys + +- name: install DKIM keys + copy: src={{ item }} dest=/var/lib/rspamd/dkim/ owner=rspamd group=rspamd mode=0600 + loop: + - archlinux.org.dkim-ed25519.key + - archlinux.org.dkim-rsa.key + notify: + - reload rspamd + - name: start and enable rspamd service: name=rspamd enabled=yes state=started
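Review bot: The new signing policy carries no comment explaining its choices, and the settings `allow_hdrfrom_mismatch_sign_networks = true` and `allow_username_mismatch = true` relax sender/domain consistency checks for mail coming from the configured sign networks, which a later reader will want justified in place; a line such as `# Header/envelope From mismatches are tolerated only for mail from sign_networks; username mismatch is tolerated for all authenticated senders — see the postfix submission setup` above those keys would do. `check_pubkey = true` together with `allow_pubkey_mismatch = false` means, as I read rspamd's behaviour, that no signature is produced until the published selector records match the local keys, so a comment `# signing is skipped until the DNS record for each selector matches the local key` would spare an operator a silent "why is nothing signed" hunt after key rotation. Finally, a one-line note that the `dkim-rsa` selector exists because many verifiers still do not support Ed25519 signatures would document why both selectors are kept.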
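Review bot: The `generate DKIM keys` task uses `command:`, which does not pass its arguments through a shell, so the `> archlinux.org.dkim-{{ item.key_type }}.key.pub` redirect is handed to rspamadm as literal arguments and the public-key file is never written; the task should use `shell:` with the same `args:` block, i.e. `shell: rspamadm dkim_keygen -s dkim-{{ item.key_type }} -b {{ item.key_length }} -d archlinux.org -t {{ item.key_type }} -k archlinux.org.dkim-{{ item.key_type }}.key > archlinux.org.dkim-{{ item.key_type }}.key.pub`. The following `install DKIM keys` task then unconditionally copies keys from the role's files over whatever was just generated, so on a fresh host the generated key and its `.pub` no longer correspond to the installed key; a comment stating the intended workflow (generate once via the `generate_dkim_keys` tag, publish DNS, then commit the keys) or a `when:` guard on one of the two tasks would make the interplay explicit. The key files themselves are not part of this diff; if they are kept in plaintext under files/ they should be vault-encrypted, since `mode=0600` on the host does not protect the copy in the repository. Minor style point: `become: yes` would be `become: true` to avoid the YAML 1.1 truthy form.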