diff --git a/non-critical-infra/hosts/umbriel.nixos.org/README.md b/non-critical-infra/hosts/umbriel.nixos.org/README.md
new file mode 100644
index 00000000..10d7c685
--- /dev/null
+++ b/non-critical-infra/hosts/umbriel.nixos.org/README.md
@@ -0,0 +1,7 @@
+# `umbriel`
+
+## Provisioning
+
+If you recreate `umbriel`, it will generate a new `DKIM` signature. That's
+ok to do, but you'll need to update the corresponding `mail._domainkey.*` `TXT`
+DNS record.
diff --git a/terraform/dns.tf b/terraform/dns.tf
index 8e111b8f..d3e3bd45 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -343,8 +343,11 @@ locals {
       type     = "TXT"
       value    = "v=spf1 a:mail-test.nixos.org -all"
     },
-    # TODO: create `DKIM` TXT record: <https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html#set-dkim-signature>.
-    #       (can't do this until after SNM is deployed: https://github.com/NixOS/infra/pull/495/)
+    {
+      hostname = "mail._domainkey.mail-test.nixos.org"
+      type     = "TXT"
+      value = "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTLW88xioTw4YUMSBw2+RO1+ASTbWNsqDwrpCmA+ikru4cWLEkx2JVEcms4Uxqrk2A8Qhfjvc8Oe026HdTXiTNEb9e+Sh0d/IR/eH5MFhiSUGrahZBx1FGVvMf5zfjYWZXn+7oXW8zNpxWd042hLMcY14G8v+/OBQ9IJL+ja3wFwIDAQAB"
+    },
     {
       hostname = "_dmarc.mail-test.nixos.org"
       type     = "TXT"