diff --git a/dovecot/keyproxy.go b/dovecot/keyproxy.go
index f140cea2710a5a4daca62559df199262cac8d9ff..3156cb4df3f4311e16008f80c9843491ac68e596 100644
--- a/dovecot/keyproxy.go
+++ b/dovecot/keyproxy.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/base64"
 	"errors"
+	"log"
 	"strings"
 
 	"git.autistici.org/ai3/go-common/clientutil"
@@ -96,8 +97,10 @@ func (s *KeyLookupProxy) Lookup(ctx context.Context, key string) (interface{}, b
 func (s *KeyLookupProxy) lookupUserdb(ctx context.Context, username string) (interface{}, bool) {
 	pub := s.db.GetPublicKey(ctx, username)
 	if pub == nil {
+		log.Printf("failed userdb lookup for %s", username)
 		return nil, false
 	}
+	log.Printf("userdb lookup for %s", username)
 	return &userdbResponse{PublicKey: b64encode(pub)}, true
 }
 
@@ -106,6 +109,7 @@ func (s *KeyLookupProxy) lookupPassdb(ctx context.Context, username, password st
 	// unencrypted key from the keystore daemon.
 	priv, err := s.keystore.Get(ctx, s.config.Shard, username, password)
 	if err == nil {
+		log.Printf("passdb lookup for %s (from keystore)", username)
 		return &passdbResponse{PrivateKey: b64encode(priv)}, true
 	}
 
@@ -113,12 +117,15 @@ func (s *KeyLookupProxy) lookupPassdb(ctx context.Context, username, password st
 	// decrypt them.
 	encKeys := s.db.GetPrivateKeys(ctx, username)
 	if len(encKeys) == 0 {
+		log.Printf("failed passdb lookup for %s (no keys)", username)
 		return nil, false
 	}
 	priv, err = userenckey.Decrypt(encKeys, []byte(password))
 	if err != nil {
+		log.Printf("failed passdb lookup for %s (could not decrypt key)", username)
 		return nil, false
 	}
+	log.Printf("passdb lookup for %s (decrypted)", username)
 	return &passdbResponse{PrivateKey: b64encode(priv)}, true
 }