diff --git a/core/admin/mailu/internal/views/rspamd.py b/core/admin/mailu/internal/views/rspamd.py
index b6ead86b..a513a113 100644
--- a/core/admin/mailu/internal/views/rspamd.py
+++ b/core/admin/mailu/internal/views/rspamd.py
@@ -2,6 +2,7 @@ from mailu import models
 from mailu.internal import internal
 
 import flask
+import idna
 
 def vault_error(*messages, status=404):
     return flask.make_response(flask.jsonify({'errors':messages}), status)
@@ -19,7 +20,16 @@ def rspamd_dkim_key(domain_name):
         if key := domain.dkim_key:
             selectors.append(
                 {
-                    'domain'  : domain.name,
+                    'domain'  : idna.encode(domain.name.lower()).decode('ascii'),
+                    'key'     : key.decode('utf8'),
+                    'selector': flask.current_app.config.get('DKIM_SELECTOR', 'dkim'),
+                }
+            )
+    elif domain := models.Alternative.query.get(domain_name):
+        if key := domain.domain.dkim_key:
+            selectors.append(
+                {
+                    'domain'  : idna.encode(domain.name.lower()).decode('ascii'),
                     'key'     : key.decode('utf8'),
                     'selector': flask.current_app.config.get('DKIM_SELECTOR', 'dkim'),
                 }
diff --git a/towncrier/newsfragments/3758.bugfix b/towncrier/newsfragments/3758.bugfix
new file mode 100644
index 00000000..5d38b191
--- /dev/null
+++ b/towncrier/newsfragments/3758.bugfix
@@ -0,0 +1 @@
+domain name of an IDN domain in the DKIM signature needs to follow RFC6376; puny encoding the domain name when rspamd accesses the vault;