diff --git a/cmdeploy/src/cmdeploy/opendkim/final.lua b/cmdeploy/src/cmdeploy/opendkim/final.lua
index 2779e38d..ee17aeec 100644
--- a/cmdeploy/src/cmdeploy/opendkim/final.lua
+++ b/cmdeploy/src/cmdeploy/opendkim/final.lua
@@ -28,8 +28,8 @@ for i = 1, nsigs do
 	end
 end
 
-if valid then
-	-- Strip all DKIM-Signature headers after successful validation
+if not valid then
+	odkim.set_reply(ctx, "554", "5.7.1", "No valid DKIM signature found")
 	-- Delete in reverse order to avoid index shifting.
 	for i = nsigs, 1, -1 do
 		odkim.del_header(ctx, "DKIM-Signature", i)
@@ -37,6 +37,13 @@ if valid then
 else
 	odkim.set_reply(ctx, "554", "5.7.1", error_msg)
 	odkim.set_result(ctx, SMFIS_REJECT)
+	return nil
+end
+
+-- Valid signature found. Strip all DKIM-Signature headers
+-- Delete in reverse order to avoid index shifting.
+for i = nsigs, 1, -1 do
+	odkim.del_header(ctx, "DKIM-Signature", i)
 end
 
 return nil
diff --git a/doc/source/overview.rst b/doc/source/overview.rst
index e878db80..51e97d4d 100644
--- a/doc/source/overview.rst
+++ b/doc/source/overview.rst
@@ -272,8 +272,8 @@ by OpenDKIM screen policy script before validating the signatures. This
 corresponds to strict :rfc:`DMARC <7489>` alignment (``adkim=s``).
 If there is no valid DKIM signature on the incoming email, the
 sender receives a “5.7.1 No valid DKIM signature found” error.
-After validating the DKIM signature,
-the `final.lua` script strips all ``OpenDKIM:`` headers to reduce message size on disc.
+After validating the DKIM signature, OpenDKIM strips all ``OpenDKIM:`` headers to
+reduce message size.
 
 Note that chatmail relays