[exim] dkim_private_key and file permissions

Author: Mark Hills
Date:  
To: exim-users
Subject: [exim] dkim_private_key and file permissions
I use Exim on FreeBSD which runs as (mailnull, mail)

I have a private SSL key for this host, protected by a group.

# ls -l /etc/ssl/local.key
-rw-r----- 1 root ssl 1679 Oct 14 2018 /etc/ssl/local.key

Applications can use the private key either because they:

a) start as root, and drop privileges
b) are in the 'ssl' unix group

For Exim, (a) is fine and works for tls_privatekey.

But now I am enabling DKIM, I find the file cannot be read:

unable to open file for reading: /etc/ssl/local.key

Presumably this is after switching root->mailnull.

Adding 'mailnull' to the 'ssl' group doesn't work; seemingly because exim
doesn't call initgroups(). Should it?

What's the best practice here? I don't want to make the private key
'world' readable to all users on the host.

Thanks

--
Mark
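
Added example (not part of the original post, and not Exim code): a small model of the read-permission check, showing why an /etc/group entry alone changes nothing until the process loads its supplementary groups. It assumes, as the post suspects, that the privilege drop sets only the uid and primary gid and leaves the supplementary list empty; the numeric ids and the names can_read, UID_MAILNULL, GID_MAIL and GID_SSL are constructed for illustration.

```c
/* Added example: models the kernel's read-permission decision for a file.
 * Group membership listed in /etc/group only counts once it is in the
 * process's credentials. All numeric ids below are constructed. */
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Return 1 if a process with these effective credentials may read the file.
 * POSIX selects exactly one permission class: owner, else group, else other. */
int can_read(mode_t mode, uid_t fuid, gid_t fgid,
             uid_t puid, gid_t pgid, const gid_t *supp, size_t nsupp)
{
    if (puid == 0)
        return 1;                       /* root bypasses the read bits */
    if (puid == fuid)
        return (mode & S_IRUSR) != 0;
    if (pgid == fgid)
        return (mode & S_IRGRP) != 0;
    for (size_t i = 0; i < nsupp; i++)  /* supplementary groups */
        if (supp[i] == fgid)
            return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* Constructed ids: uid 26 = mailnull, gid 6 = mail, gid 900 = ssl. */
enum { UID_MAILNULL = 26, GID_MAIL = 6, GID_SSL = 900 };

int main(void)
{
    const mode_t key_mode = 0640;       /* -rw-r----- root:ssl, as in the post */
    const gid_t loaded[] = { GID_SSL }; /* list initgroups() would install */

    printf("as root, before the drop:        %d\n",
           can_read(key_mode, 0, GID_SSL, 0, 0, NULL, 0));
    printf("setgid+setuid, no supplementary: %d\n",
           can_read(key_mode, 0, GID_SSL, UID_MAILNULL, GID_MAIL, NULL, 0));
    printf("setgid+initgroups+setuid:        %d\n",
           can_read(key_mode, 0, GID_SSL, UID_MAILNULL, GID_MAIL, loaded, 1));
    return 0;
}
```

On a live host, running id(1) as the daemon's user, or inspecting the running process's group list, shows which of the last two cases applies.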