diff --git a/setup/dkim.sh b/setup/dkim.sh
index 4ef82419..56d5c3fc 100755
--- a/setup/dkim.sh
+++ b/setup/dkim.sh
@@ -60,6 +60,10 @@ tools/editconf.py /etc/opendmarc.conf -s \
 #
 # Be careful. If we add other milters later, this needs to be concatenated
 # on the smtpd_milters line.
+#
+# The OpenDMARC milter is skipped in the SMTP submission listener by
+# configuring smtpd_milters there to only list the OpenDKIM milter
+# (see mail-postfix.sh).
 tools/editconf.py /etc/postfix/main.cf \
 "smtpd_milters=inet:127.0.0.1:8891 inet:127.0.0.1:8893"\
 non_smtpd_milters=\$smtpd_milters \
diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index f467f2fd..f3cfc065 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -62,6 +62,9 @@ tools/editconf.py /etc/postfix/main.cf \
 
 # Enable the 'submission' port 587 smtpd server and tweak its settings.
 #
+# * Do not add the OpenDMAC Authentication-Results header. That should only be added
+# on incoming mail. Omit the OpenDMARC milter by re-setting smtpd_milters to the
+# OpenDKIM milter only. See dkim.sh.
 # * Require the best ciphers for incoming connections per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
 # By putting this setting here we leave opportunistic TLS on incoming mail at default cipher settings (any cipher is better than none).
 # * Give it a different name in syslog to distinguish it from the port 25 smtpd server.
@@ -71,6 +74,7 @@ tools/editconf.py /etc/postfix/main.cf \
 tools/editconf.py /etc/postfix/master.cf -s -w \
 "submission=inet n - - - - smtpd
 -o syslog_name=postfix/submission
+ -o smtpd_milters=inet:127.0.0.1:8891
 -o smtpd_tls_ciphers=high -o smtpd_tls_protocols=!SSLv2,!SSLv3
 -o cleanup_service_name=authclean" \
 "authclean=unix n - - - 0 cleanup
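Review bot: The first added bullet in the setup/mail-postfix.sh comment block (hunk `@@ -62,6 +62,9 @@`) misspells the milter name as "OpenDMAC", so a grep for OpenDMARC will miss this line when someone later audits where that milter is bypassed. It should read `# * Do not add the OpenDMARC Authentication-Results header. That should only be added`. The other two added comment lines already use the correct spelling.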
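Review bot: The `-o smtpd_milters=inet:127.0.0.1:8891` override added to the submission entry in setup/mail-postfix.sh (hunk `@@ -71,6 +74,7 @@`) hard-codes the OpenDKIM address a second time; setup/dkim.sh already writes the same address into main.cf. A master.cf `-o` value replaces the main.cf list for this listener rather than extending it, so any milter added to main.cf later (a content scanner, for example) would silently not run on authenticated submission mail, and a port change in dkim.sh would leave submitted mail unsigned. The existing warning in dkim.sh only mentions concatenating onto the main.cf line, so I would extend it with something like `# A milter that must also see submitted mail has to be added to the submission override in mail-postfix.sh as well.` The editconf.py call continues past the end of the hunk, so whether a later line compensates cannot be seen here.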