diff --git a/abra.sh b/abra.sh
index 4a22f5d..b1e67dc 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,5 +1,5 @@
-export CORE_ENTRYPOINT_CONF_VERSION=v1
-export MAILMAN_EXTRA_CFG_VERSION=v1
+export CORE_ENTRYPOINT_CONF_VERSION=v3
+export MAILMAN_EXTRA_CFG_VERSION=v2
 export NGINX_CONF_VERSION=v1
 export SETTINGS_LOCAL_VERSION=v2
 export WEB_ENTRYPOINT_CONF_VERSION=v1
diff --git a/compose.yml b/compose.yml
index 46a89e5..5828e6f 100644
--- a/compose.yml
+++ b/compose.yml
@@ -30,9 +30,10 @@ services:
 - MTA=postfix
 - SMTP_HOST
 - SMTP_PORT
+ - DOMAIN=lists-test.autonomic.zone
 configs:
 - source: mailman_extra_cfg
- target: /opt/mailman/core/mailman-extra.cfg
+ target: /opt/mailman/mailman-extra.cfg
 - source: core_entrypoint_sh
 target: /usr/local/bin/docker-entrypoint-custom.sh
 mode: 0555
diff --git a/entrypoint.core.sh.tmpl b/entrypoint.core.sh.tmpl
index e4fe3d1..f31469d 100644
--- a/entrypoint.core.sh.tmpl
+++ b/entrypoint.core.sh.tmpl
@@ -39,6 +39,19 @@ export DATABASE_URL="postgres://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE
 sed "/192.168/d" /etc/hosts > /etc/hosts-single-hostname
 cat /etc/hosts-single-hostname > /etc/hosts
+# Diabolical hack to generate DKIM key for ARC, see:
+# https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/arc_sign.html
+# https://gitlab.com/mailman/mailman/blob/master/src/mailman/config/schema.cfg#L655-734
+
+apk add openssl
+
+dkim_private_key_file="/opt/mailman/dkim-{{ env "DOMAIN" }}.pem"
+if [ ! -f "$dkim_private_key_file" ]; then
+ openssl genrsa -out "$dkim_private_key_file" 2048
+fi
+dkim_pub_key=$(openssl rsa -in "$dkim_private_key_file" -pubout -outform der 2>/dev/null | openssl base64 -A)
+echo "DKIM public key: $dkim_pub_key"
+
 # --- upstream entrypoint below ---
 function wait_for_postgres () {
diff --git a/mailman-extra.cfg.tmpl b/mailman-extra.cfg.tmpl
index 6f8f9b2..1cc55d0 100644
--- a/mailman-extra.cfg.tmpl
+++ b/mailman-extra.cfg.tmpl
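Review bot: `DOMAIN` is pinned to the test hostname `lists-test.autonomic.zone` in compose.yml, while the neighbouring `SMTP_HOST` and `SMTP_PORT` entries are passed through from the environment; because the entrypoint names the DKIM private key after `DOMAIN` and the `[ARC]` config uses it for `domain` and `authserv_id`, every deployment of this recipe would produce ARC seals for the test domain until someone edits the file. I would pass it through like its neighbours, `- DOMAIN`, and set the value in the per-deployment env file where the other host-specific values live. The `target:` move to `/opt/mailman/mailman-extra.cfg` should be checked against the path the mailman-core image actually reads, since a wrong path silently leaves the new ARC section unused rather than failing.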
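Review bot: No step in the added key-generation block checks for failure: `apk add openssl` and `openssl genrsa` run unchecked (whether `set -e` is in force is decided above this hunk) and `2>/dev/null` hides `openssl rsa` errors, so a container that cannot reach the package repository starts with the ARC `privkey` file missing and logs `DKIM public key: ` with an empty value instead of stopping. The private key's mode is whatever `openssl genrsa` leaves it with and nothing narrows it, and because the file name is derived from `DOMAIN`, changing that variable silently mints a fresh key whose public half no longer matches anything published in DNS — the same happens on every recreate if /opt/mailman is not on a persistent volume, which deserves a comment here. Installing a package on every container start is also an unpinned network fetch in the boot path; building openssl into the image (or at least pinning the version) would be the cleaner fix. I would fail fast on each step, force owner-only permissions, and keep stderr visible:
```shell
# … unchanged: "Diabolical hack" comment and reference URLs …
apk add --no-cache openssl || { echo "ERROR: cannot install openssl; ARC signing key unavailable" >&2; exit 1; }

dkim_private_key_file="/opt/mailman/dkim-{{ env "DOMAIN" }}.pem"
if [ ! -f "$dkim_private_key_file" ]; then
  # Reused across restarts only while /opt/mailman persists; a new key means the
  # TXT record for selector "dkim" must be republished in DNS.
  openssl genrsa -out "$dkim_private_key_file" 2048 || exit 1
fi
chmod 600 "$dkim_private_key_file"
dkim_pub_key=$(openssl rsa -in "$dkim_private_key_file" -pubout -outform der | openssl base64 -A) || exit 1
echo "DKIM public key: $dkim_pub_key"
```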
@@ -17,3 +17,19 @@ configuration: /etc/postfix-mailman.cfg
 # bounce from a list owner), will be sent to this address. It should point to
 # a human.
 site_owner: {{ env "MAILMAN_ADMIN_EMAIL" }}
+
+[ARC]
+enabled: yes
+dmarc: yes
+dkim: yes
+authserv_id: {{ env "DOMAIN" }}
+
+privkey: /opt/mailman/dkim-{{ env "DOMAIN" }}.pem
+selector: dkim
+domain: {{ env "DOMAIN" }}
+
+# This configures the headers that will be cryptographically signed
+# This list is what is recommended by the DKIM & ARC specifications.
+# Inclusion of the From header is mandatory.
+sig_headers: From, Sender, Reply-To, Subject, Date, Message-ID, To, Cc, MIME-Version, Content-Type, Content-Transfer-Encoding, Content-ID, Content-Description, Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Message-ID, In-Reply-To, References, List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive
+
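Review bot: The new `[ARC]` section turns on signing with `selector: dkim`, but nothing in the file records that the matching public key has to be published as a DNS TXT record at `dkim._domainkey.<DOMAIN>` before `enabled: yes` produces seals that anyone can verify; I would add a comment above `privkey:` such as `# Public half is printed by the core entrypoint at start-up; publish it as a TXT record at dkim._domainkey.{{ env "DOMAIN" }} (v=DKIM1; k=rsa; p=...) or downstream ARC validation will fail.` The `privkey` path is the file the entrypoint generates, so the same comment should say the key must live on persistent storage, because a regenerated key invalidates the published record. The schema this hunk links to also has a `trusted_authserv_ids` setting that this section leaves at its default; worth confirming that default is the intended behaviour rather than relying on it implicitly.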