diff --git a/dkim.nix b/dkim.nix
index c4aedb9..eb5b9d4 100644
--- a/dkim.nix
+++ b/dkim.nix
@@ -117,6 +117,7 @@ in {
               (ensureAllDkimCerts cfg.state-directory cfg.domains))
           ];
           ReadWritePaths = [ cfg.state-directory ];
+          ReadOnlyPaths = [ (dirOf keyTable) (dirOf signingTable) ];
         };
       };
     };