diff --git a/CHANGES b/CHANGES index e39da13..2d51516 100644 --- a/CHANGES +++ b/CHANGES @@ -3,6 +3,8 @@ - Fix crash when verifying if domain for signing was not set - Fix header folding to use \n only to align with milter protocol requirements + - Added information about creating a dedicated user and PID file directory + creation to README 0.9.3 2018-03-02 - Fixup csl dataset processing for single item lists diff --git a/README b/README index 0007224..279292a 100644 --- a/README +++ b/README @@ -32,6 +32,17 @@ used, they will need to be updated. The sysv init file is Debian specific and untested, since the developers are not using sysv init. Feedback/patches welcome. +The dkimpy-milter drops priviledges after setup to the user/group specified in +UserID. During initial setup, this system user needs to be manually created. +As an example, using the default dkimpy-user on Debian, the command would be: + +[sudo] adduser --system --no-create-home --quiet --disabled-password \ + --disabled-login --shell /bin/false --group \ + --home /var/run/dkimpy-milter dkimpy-milter + +Since /var/run or /run is sometimes on a tempfs, if the PID file directory is +missing, the milter will create it on startup. + The python DKIM library, dkimpy, requires the entire message being signed or verified to be in memory, so dkimpy-milter does not write messages out to a temp file. This may impact performance on low-memory systems.
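Review bot: In the CHANGES hunk, the new entry is written in the past tense ("Added information about ...") while the neighbouring entries are imperative ("Fix crash ...", "Fix header folding ..."), and "creating a dedicated user and PID file directory creation" is redundant. Suggest matching the surrounding style, for example "Document dedicated user setup and PID file directory creation in README".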
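Review bot: In the README hunk, the prose refers to "the default dkimpy-user" but the adduser command creates an account and group named dkimpy-milter. The sentence should name the same account the command creates, so that readers set UserID to match. Two spelling fixes in the same paragraph: "priviledges" should be "privileges" and "tempfs" should be "tmpfs". The text says the milter drops privileges after setup and creates a missing PID file directory on startup. It would help to also state which owner and mode that directory gets when the milter creates it, so an administrator can confirm that the unprivileged user can write its PID file there and that the directory is not writable by other accounts.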