diff --git a/docker/docker-compose.override.yaml.example b/docker/docker-compose.override.yaml.example
index 01690df8..e6ebfd4a 100644
--- a/docker/docker-compose.override.yaml.example
+++ b/docker/docker-compose.override.yaml.example
@@ -15,7 +15,9 @@ services:
       # - ./data/chatmail-dkimkeys:/etc/dkimkeys
       # - ./data/chatmail-acme:/var/lib/acme
 
-      ## Or mount data from an existing bare-metal install:
+      ## Or mount data from an existing bare-metal install.
+      ## Note: DKIM key ownership is fixed automatically on startup
+      ## (the host's opendkim UID may differ from the container's).
       # - /home/vmail:/home/vmail
       # - /etc/dkimkeys:/etc/dkimkeys
       # - /var/lib/acme:/var/lib/acme
diff --git a/docker/files/setup_chatmail_docker.sh b/docker/files/setup_chatmail_docker.sh
index f39a6980..69ec6542 100755
--- a/docker/files/setup_chatmail_docker.sh
+++ b/docker/files/setup_chatmail_docker.sh
@@ -15,8 +15,8 @@ fi
 if [ ! -f /etc/dkimkeys/opendkim.private ]; then
     /usr/sbin/opendkim-genkey -D /etc/dkimkeys -d "$MAIL_DOMAIN" -s opendkim
 fi
-chown opendkim:opendkim /etc/dkimkeys/opendkim.private
-chown opendkim:opendkim /etc/dkimkeys/opendkim.txt
+# Fix ownership for bind-mounted keys (host opendkim UID may differ from container)
+chown -R opendkim:opendkim /etc/dkimkeys
 
 # Create chatmail.ini (skips if file already exists, e.g. volume-mounted)
 mkdir -p "$(dirname "$CHATMAIL_INI")"