diff --git a/postfix-dkim/recipes/default.rb b/postfix-dkim/recipes/default.rb
index 393dbb2..6e08a45 100644
--- a/postfix-dkim/recipes/default.rb
+++ b/postfix-dkim/recipes/default.rb
@@ -18,6 +18,7 @@
 #
 
 package 'opendkim'
+package 'opendkim-tools'
 
 template "/etc/opendkim.conf" do
   source "opendkim.conf.erb"
@@ -44,10 +45,16 @@
   EOH
 end
 
+group "opendkim" do
+  action :modify
+  members "postfix"
+  append true
+end
+
 service "opendkim" do
   action :start
 end
 
 service "postfix" do
   action :restart
-end
\ No newline at end of file
+end
diff --git a/postfix-dkim/templates/default/opendkim.conf.erb b/postfix-dkim/templates/default/opendkim.conf.erb
index a193aff..fc088a1 100644
--- a/postfix-dkim/templates/default/opendkim.conf.erb
+++ b/postfix-dkim/templates/default/opendkim.conf.erb
@@ -6,7 +6,7 @@
 Syslog			yes
 # Required to use local socket with MTAs that access the socket as a non-
 # privileged user (e.g. Postfix)
-#UMask			002
+UMask			002
 
 # Sign for example.com with key in /etc/mail/dkim.key using
 # selector '2007' (e.g. 2007._domainkey.example.com)
@@ -24,7 +24,8 @@ SignatureAlgorithm	rsa-sha256
 SubDomains		no
 #ADSPDiscard		no
 #Version		rfc4871
-X-Header		no
+X-Header		yes
+OversignHeaders   From
 
 ###############################################
 # Other (less-standard) configuration options #
@@ -55,4 +56,4 @@ X-Header		no
 # be passed through
 #RequiredHeaders	yes
 
-<%= "SenderHeaders #{node[:postfix_dkim][:sender_headers]}" if node[:postfix_dkim][:sender_headers] %>
\ No newline at end of file
+<%= "SenderHeaders #{node[:postfix_dkim][:sender_headers]}" if node[:postfix_dkim][:sender_headers] %>