diff --git a/data/conf/rspamd/local.d/dkim_signing.conf b/data/conf/rspamd/local.d/dkim_signing.conf
index 4ffb5544..b87f89c8 100644
--- a/data/conf/rspamd/local.d/dkim_signing.conf
+++ b/data/conf/rspamd/local.d/dkim_signing.conf
@@ -1,13 +1,13 @@
 # If false, messages with empty envelope from are not signed
 allow_envfrom_empty = false;
 # If true, envelope/header domain mismatch is ignored
-allow_hdrfrom_mismatch = true;
+allow_hdrfrom_mismatch = false;
 # If true, multiple from headers are allowed (but only first is used)
 allow_hdrfrom_multiple = true;
 # If true, username does not need to contain matching domain
 allow_username_mismatch = true;
 # If false, messages from authenticated users are not selected for signing
-auth_only = false;
+auth_only = true;
 # Default path to key, can include '$domain' and '$selector' variables
 path = "/data/dkim/keys/$domain.dkim";
 # Default selector to use