diff --git a/CHANGES b/CHANGES
index 575c54eb9..eb2797590 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1620,4 +1620,5 @@
 * Allow apps to be relocated to custom data directory
 * Make all cloudron env vars have CLOUDRON_ prefix
 * Update manifest version to 2
+* Fix issue where DKIM keys were inaccessible
 
diff --git a/src/mail.js b/src/mail.js
index f719417b4..8396f4193 100644
--- a/src/mail.js
+++ b/src/mail.js
@@ -797,6 +797,9 @@ function ensureDkimKeySync(domain) {
 
     if (!safe.fs.writeFileSync(dkimSelectorFile, constants.DKIM_SELECTOR, 'utf8')) return new MailError(MailError.INTERNAL_ERROR, safe.error);
 
+    // if the 'yellowtent' user of OS and the 'cloudron' user of mail container don't match, the keys become inaccessible by mail code
+    if (!safe.fs.chmodSync(dkimPrivateKeyFile, 0o644)) return new MailError(MailError.INTERNAL_ERROR, safe.error);
+
     return null;
 }