diff --git a/target/bin/rspamd-dkim b/target/bin/rspamd-dkim index 357c2a9c..6dfcc1a0 100755 --- a/target/bin/rspamd-dkim +++ b/target/bin/rspamd-dkim @@ -62,13 +62,6 @@ ${ORANGE}EXIT STATUS${RESET} " } -function __do_as_rspamd_user() { - local COMMAND=${1:?Command required when using __do_as_rspamd_user} - _log 'trace' "Running '${*}' as user '_rspamd' now" - shift 1 - su -l '_rspamd' -s "$(command -v "${COMMAND}")" -- "${@}" -} - function _parse_arguments() { FORCE=0 KEYTYPE='rsa' diff --git a/target/scripts/helpers/rspamd.sh b/target/scripts/helpers/rspamd.sh index 868e3d3a..2f4dcc46 100644 --- a/target/scripts/helpers/rspamd.sh +++ b/target/scripts/helpers/rspamd.sh @@ -2,6 +2,18 @@ # shellcheck disable=SC2034 # VAR appears unused. +# Perform a specific command as the Rspamd user (`_rspamd`). This is useful +# in case you want to have correct permissions on newly created files or if +# you want to check whether Rspamd can perform a specific action. +function __do_as_rspamd_user() { + _log 'trace' "Running '${*}' as user '_rspamd'" + su _rspamd -s /bin/bash -c "${*}" +} + +# Calling this function brings common Rspamd-related environment variables +# into the current context. The environment variables are `readonly`, i.e. +# they cannot be modified. Use this function when you require common directory +# names, file names, etc. function _rspamd_get_envs() { readonly RSPAMD_LOCAL_D='/etc/rspamd/local.d' readonly RSPAMD_OVERRIDE_D='/etc/rspamd/override.d' diff --git a/target/scripts/startup/setup.d/security/rspamd.sh b/target/scripts/startup/setup.d/security/rspamd.sh index 19ce75dc..239397e5 100644 --- a/target/scripts/startup/setup.d/security/rspamd.sh +++ b/target/scripts/startup/setup.d/security/rspamd.sh 
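Review bot: In the added `__do_as_rspamd_user`, `su _rspamd -s /bin/bash -c "${*}"` joins all arguments into one string that bash parses a second time, so an argument containing whitespace, quotes, `$` or `;` is re-split or interpreted as shell syntax under the `_rspamd` account. The version removed from `rspamd-dkim` handed `"${@}"` to the command unchanged. If callers pass paths or domain/selector values (callers are not visible in this diff), quoting each argument before joining keeps the boundaries: `su _rspamd -s /bin/bash -c "$(printf '%q ' "${@}")"`. That form would treat a caller's deliberate one-string shell snippet as a single word, so confirm how the helper is invoked before adopting it. The `${1:?Command required ...}` guard was also dropped, so a call with no arguments now runs an empty command and succeeds silently.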
@@ -23,6 +23,9 @@ function _setup_rspamd() { __rspamd__setup_check_authenticated _rspamd_handle_user_modules_adjustments # must run last + # only performing checks, no further setup handled from here onwards + __rspamd__check_dkim_permissions + __rspamd__log 'trace' '---------- Setup finished ----------' else _log 'debug' 'Rspamd is disabled' @@ -280,6 +283,12 @@ function __rspamd__setup_hfilter_group() { fi } +# If 'RSPAMD_CHECK_AUTHENTICATED' is enabled, then content checks for all users, i.e. +# also for authenticated users, are performed. +# +# The default that DMS ships does not check authenticated users. In case the checks are +# enabled, this function will remove the part of the Rspamd configuration that disables +# checks for authenticated users. function __rspamd__setup_check_authenticated() { local MODULE_FILE="${RSPAMD_LOCAL_D}/settings.conf" readonly MODULE_FILE 
@@ -294,3 +303,35 @@ function __rspamd__setup_check_authenticated() { "${MODULE_FILE}" fi } + +# This function performs a simple check: go through DKIM configuration files, acquire +# all private key file locations and check whether they exist and whether they can be +# accessed by Rspamd. +function __rspamd__check_dkim_permissions() { + local DKIM_CONF_FILES DKIM_KEY_FILES + [[ -f ${RSPAMD_LOCAL_D}/dkim_signing.conf ]] && DKIM_CONF_FILES+=("${RSPAMD_LOCAL_D}/dkim_signing.conf") + [[ -f ${RSPAMD_OVERRIDE_D}/dkim_signing.conf ]] && DKIM_CONF_FILES+=("${RSPAMD_OVERRIDE_D}/dkim_signing.conf") + + # Here, we populate DKIM_KEY_FILES which we later iterate over. DKIM_KEY_FILES + # contains all keys files configured by the user. + local FILE + for FILE in "${DKIM_CONF_FILES[@]}"; do + readarray -t DKIM_KEY_FILES_TMP < <(grep -o -E 'path = .*' "${FILE}" | cut -d '=' -f 2 | tr -d ' ";') + DKIM_KEY_FILES+=("${DKIM_KEY_FILES_TMP[@]}") + done + + for FILE in "${DKIM_KEY_FILES[@]}"; do + if [[ -f ${FILE} ]]; then + __rspamd__log 'trace' "Checking DKIM file '${FILE}'" + # See https://serverfault.com/a/829314 for an explanation on `-exec false {} +` + # We additionally resolve symbolic links to check the permissions of the actual files + if find "$(realpath -eL "${FILE}")" -user _rspamd -or -group _rspamd -or -perm -o=r -exec false {} +; then + __rspamd__log 'warn' "Rspamd DKIM private key file '${FILE}' does not appear to have correct permissions/ownership for Rspamd to use it" + else + __rspamd__log 'trace' "DKIM file '${FILE}' permissions and ownership appear correct" + fi + else + __rspamd__log 'warn' "Rspamd DKIM private key file '${FILE}' is configured for usage, but does not appear to exist" + fi + done +}
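Review bot: The `find` test in `__rspamd__check_dkim_permissions` has no grouping, so `-exec false {} +` binds only to `-perm -o=r`. A key owned by user or group `_rspamd` that is not world-readable short-circuits the `-or` chain, `find` exits 0, and the "does not appear to have correct permissions" warning fires for a correctly locked-down key. Grouping the tests fixes the inversion: `if find "$(realpath -eL "${FILE}")" \( -user _rspamd -or -group _rspamd -or -perm -o=r \) -exec false {} +; then`. Separately, the check accepts a world-readable private key as correct and matches on ownership without looking at the read bits, so it would be worth warning on `-perm -o=r` for key material rather than treating it as a pass. `DKIM_KEY_FILES_TMP` is also not declared `local`, so it leaks into the caller's scope.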