diff --git a/dkim.nix b/dkim.nix
index 0600984..350f633 100644
--- a/dkim.nix
+++ b/dkim.nix
@@ -1,41 +1,7 @@
 { config, lib, pkgs, ... }:
 
 with lib;
-let
-  cfg = config.fudo.mail.dkim;
-
-  ensureDomainDkimCert = keyDir: domain:
-    let
-      dkimKey = "${keyDir}/${domain}.${cfg.selector}.key";
-      dkimTxt = "${keyDir}/${domain}.${cfg.selector}.txt";
-    in ''
-      if [ ! -f "${dkimKey}" ] || [ ! -f ${dkimTxt} ]; then
-        OUT=$(${pkgs.coreutils}/bin/mktemp -d -t dkim-XXXXXXXXXX)
-        opendkim-genkey \
-          --selector=${cfg.selector} \
-          --domain=${domain} \
-          --bits="${toString cfg.key-bits}" \
-          --directory=$OUT
-        mv $OUT/${cfg.selector}.private ${dkimKey}
-        mv $OUT/${cfg.selector}.txt ${dkimTxt}
-      fi
-    '';
-
-  ensureAllDkimCerts = keyDir: domains:
-    concatStringsSep "\n" (map (ensureDomainDkimCert keyDir) domains);
-
-  makeKeyTable = keyDir: domains:
-    pkgs.writeTextDir "key.table" (concatStrings (map (dom: ''
-      ${dom} ${dom}:${cfg.selector}:${keyDir}/${dom}.${cfg.selector}.key
-    '') domains));
-
-  makeSigningTable = domains:
-    pkgs.writeTextDir "signing.table" (concatStrings (map (dom: ''
-      ${dom} ${dom}
-    '') domains));
-
-  keyTableDir = makeKeyTable cfg.state-directory cfg.domains;
-  signingTableDir = makeSigningTable cfg.domains;
+let cfg = config.fudo.mail.dkim;
 
 in {
   options.fudo.mail.dkim = with types; {
@@ -55,19 +21,6 @@ in {
       default = "mail";
     };
 
-    key-bits = mkOption {
-      type = int;
-      description = ''
-        How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
-
-        If you have already deployed a key with a different number of bits than specified
-        here, then you should use a different selector (dkimSelector). In order to get
-        this package to generate a key with the new number of bits, you will either have to
-        change the selector or delete the old key file.
-      '';
-      default = 2048;
-    };
-
     port = mkOption {
       type = port;
       description = "Port at which to listen for incoming signing requests.";
@@ -100,28 +53,8 @@ in {
       in pkgs.writeText "opendkim.conf" ''
         Canonicalization relaxed/simple
         Socket inet:${toString cfg.port}
-        # KeyTable file:${keyTableDir}/key.table
-        # SigningTable file:${signingTableDir}/signing.table
         ${optionalString cfg.debug debugString}
       '';
     };
-
-    systemd = {
-      tmpfiles.rules = let
-        user = config.services.opendkim.user;
-        group = config.services.opendkim.group;
-      in [ "d ${cfg.state-directory} 0700 ${user} ${group} - -" ];
-      services.opendkim = {
-        path = with pkgs; [ opendkim ];
-        serviceConfig = {
-          # ExecStartPre = [
-          #   (pkgs.writeShellScript "ensure-dkim-certs.sh"
-          #     (ensureAllDkimCerts cfg.state-directory cfg.domains))
-          # ];
-          ReadWritePaths = [ cfg.state-directory ];
-          ReadOnlyPaths = [ keyTableDir signingTableDir ];
-        };
-      };
-    };
   };
 }
diff --git a/mail-server.nix b/mail-server.nix
index 313192c..d66cd82 100644
--- a/mail-server.nix
+++ b/mail-server.nix
@@ -459,7 +459,7 @@ in {
           dkim = {
             service = {
               networks = [ "internal_network" ];
-              volumes = [ "${cfg.state-directory}/dkim:/state" ];
+              volumes = [ "${cfg.state-directory}/dkim:/var/lib/opendkim" ];
             };
             nixos = {
               useSystemd = true;