DKIM Key Length: Choosing Between 1024-bit and 2048-bit Keys
Learn about DKIM key lengths, why 2048-bit keys are recommended, how to check your current key size, and how to rotate to stronger keys.
DKIM uses cryptographic keys to sign emails, and the key length determines how secure that signature is. While 1024-bit keys were once standard, 2048-bit keys are now the recommended minimum. Here's what you need to know about DKIM key lengths.
Understanding DKIM Key Length
DKIM uses RSA public-key cryptography. The key length (measured in bits) determines:
- Security strength — Longer keys are harder to crack
- DNS record size — Longer keys require larger TXT records
- Computational cost — Longer keys take slightly more processing
| Key Length | Security Level | Status |
|---|---|---|
| 512-bit | Insecure | Never use—easily cracked |
| 768-bit | Weak | Deprecated—not recommended |
| 1024-bit | Moderate | Legacy—consider upgrading |
| 2048-bit | Strong | Current recommendation |
| 4096-bit | Very strong | Overkill for most; DNS issues possible |
Why 2048-bit Is Recommended
Security Considerations
1024-bit RSA keys, while not yet broken, are considered weak by modern standards:
- Computing power continues to increase
- Theoretical attacks are becoming more practical
- Major email providers recommend 2048-bit
- Regulatory frameworks increasingly require stronger keys
In 2012, researchers cracked a 768-bit RSA key. 1024-bit keys may face similar risks as computing advances.
Industry Guidance
- Google: Recommends 2048-bit keys
- Microsoft: Supports up to 2048-bit keys
- NIST: Recommends migrating away from 1024-bit keys
Checking Your Current Key Length
Method 1: Check DNS Directly
Look up your DKIM public key:
```bash
dig +short TXT selector._domainkey.example.com
```
The p= value is the base64-encoded public key. Decode it and read the size of the RSA modulus to determine the key length.
Method 2: Use a DKIM Checker Tool
Online DKIM checkers typically report key length as part of their analysis.
Method 3: Count the Key Characters
A rough estimate:
- 1024-bit key: ~216 characters in the p= value
- 2048-bit key: ~392 characters in the p= value
How to Check Key Length from a Record
A 1024-bit key looks like:
```
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
```
A 2048-bit key looks like:
```
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
```
The 2048-bit key's p= value is roughly twice as long.
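The following script is an added example (not code from the original article) that turns both methods above into something you can run: it counts the characters in p= (Method 3) and, for an exact answer, base64-decodes p= and walks the DER SubjectPublicKeyInfo structure that DKIM publishes (RFC 6376) down to the RSA modulus, using only the standard library. The sample records are constructed in code from stand-in moduli of the right size; they are not real keys, but their DER prefixes and lengths match what a real 1024-bit or 2048-bit record shows.

```python
import base64


# Minimal DER (ASN.1) helpers: enough to build and walk an RSA SubjectPublicKeyInfo.
def _der_len(n: int) -> bytes:
    """Encode a DER length field (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # DER INTEGER is signed: prefix 0x00 so the value stays positive
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body_start, body_end) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
RSA_ALG_ID = _der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")


def build_dkim_record(modulus: int, exponent: int = 65537) -> str:
    """Wrap modulus/exponent as the SPKI DER that DKIM publishes in p= (constructed sample)."""
    rsa_public_key = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    spki = _der_tlv(0x30, RSA_ALG_ID + _der_tlv(0x03, b"\x00" + rsa_public_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")


def sample_modulus(bits: int) -> int:
    """CONSTRUCTED stand-in for a modulus: exactly `bits` long, but NOT a real RSA key."""
    return (1 << (bits - 1)) + 12345


def dkim_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' DKIM tag list; whitespace inside values is dropped (RFC 6376 3.2)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())
    return tags


def p_value_length(record: str) -> int:
    """Method 3 from the article: the number of base64 characters in p=."""
    return len(dkim_tags(record).get("p", ""))


def rsa_key_bits(record: str) -> int:
    """Exact method: decode p= and return the RSA modulus size in bits (0 if p= is empty, i.e. revoked)."""
    p = dkim_tags(record).get("p", "")
    if not p:
        return 0
    der = base64.b64decode(p)
    tag, start, _ = _read_tlv(der, 0)                 # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _, alg_end = _read_tlv(der, start)             # AlgorithmIdentifier (skipped)
    tag, bits_start, _ = _read_tlv(der, alg_end)      # BIT STRING holding RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING for subjectPublicKey")
    _, seq_start, _ = _read_tlv(der, bits_start + 1)  # +1 skips the unused-bits byte
    tag, n_start, n_end = _read_tlv(der, seq_start)   # modulus INTEGER comes first
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(der[n_start:n_end], "big").bit_length()


if __name__ == "__main__":
    for bits in (1024, 2048):
        rec = build_dkim_record(sample_modulus(bits))
        print(f"{bits}-bit sample: p= is {p_value_length(rec)} chars, parsed modulus is {rsa_key_bits(rec)} bits")
```

To check a live selector, pass the string returned by the `dig` query above to `rsa_key_bits()` (join the quoted strings first; the parser tolerates the whitespace a multi-string TXT record carries). The constructed 1024-bit sample produces a p= of 216 characters beginning `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC`, and the 2048-bit sample 392 characters beginning `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA`, which is why the prefixes quoted above are a reliable quick tell.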
Upgrading to 2048-bit Keys
Generate new 2048-bit key pair
Create new public/private keys through your email service or manually.
Choose a new selector
Use a new selector name (e.g., 'selector2' if you were using 'selector1').
Publish the new public key
Add the 2048-bit public key as a TXT record at selector._domainkey.example.com.
Update your email system
Configure your mail server or ESP to sign with the new private key and selector.
Test the new configuration
Send test emails and verify DKIM passes with the new key.
Keep old key temporarily
Leave the old selector in DNS for emails still in transit.
Remove old key after transition
After 48-72 hours, remove the old selector from DNS.
DNS Considerations for 2048-bit Keys
TXT Record Length Limits
DNS TXT records have a 255-character limit per string. A 2048-bit DKIM key exceeds this, so it must be split:
```
selector._domainkey.example.com. IN TXT (
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
    "key_continues_here..."
    "...end_of_key"
)
```
Most DNS providers handle this automatically, but verify the record is published correctly.
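As an added example (not from the original article), the helper below splits a record into strings that each fit the 255-octet limit, renders the zone-file form shown above, and then reassembles the strings the way a DKIM verifier does (concatenation with no separators, RFC 6376 section 3.6.2.2) so you can confirm nothing was truncated before you switch signing to the new selector. The record it operates on is constructed: a 392-character dummy p= stands in for a real 2048-bit key.

```python
MAX_STRING = 255  # a DNS <character-string> holds at most 255 octets (RFC 1035)


def split_txt(record: str, max_len: int = MAX_STRING) -> list:
    """Cut the record into pieces that each fit one character-string."""
    data = record.encode("ascii")
    return [data[i:i + max_len].decode("ascii") for i in range(0, len(data), max_len)]


def zone_txt(owner: str, record: str) -> str:
    """Render the split record as a BIND-style zone entry (parenthesised multi-string TXT)."""
    strings = split_txt(record)
    if len(strings) == 1:
        return f'{owner} IN TXT "{strings[0]}"'
    return "\n".join([f"{owner} IN TXT ("] + [f'    "{s}"' for s in strings] + [")"])


def join_txt(strings: list) -> str:
    """What a verifier does with a multi-string TXT: concatenate without separators."""
    return "".join(strings)


def check_published(strings: list, expected: str) -> list:
    """Problems to fix before going live; an empty list means the record is publishable."""
    problems = []
    for i, s in enumerate(strings):
        if len(s.encode("ascii")) > MAX_STRING:
            problems.append(f"string {i} is {len(s)} octets, over the {MAX_STRING}-octet limit")
    if join_txt(strings) != expected:
        problems.append("reassembled record differs from the intended record (truncated or reordered?)")
    return problems


# CONSTRUCTED record: the 392-character p= is a placeholder, not a real key.
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + "A" * 392

if __name__ == "__main__":
    print(zone_txt("selector2._domainkey.example.com.", SAMPLE_RECORD))
    print(check_published(split_txt(SAMPLE_RECORD), SAMPLE_RECORD))
```

The same `check_published()` call is useful after publication: feed it the strings returned by `dig` for the selector and the record you intended to publish, and it reports a silently truncated record (a common failure when a provider's form accepts only 255 characters) as a mismatch.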
TTL Recommendations
When rotating keys:
- Lower TTL to 300 seconds before the change
- Make the change
- Test thoroughly
- Return TTL to normal (3600+ seconds)
Generating DKIM Keys
Using OpenSSL
Generate a 2048-bit private key:
```bash
openssl genrsa -out dkim_private.pem 2048
```
Extract the public key:
```bash
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem
```
Format for DNS (remove headers and newlines):
```bash
openssl rsa -in dkim_private.pem -pubout -outform der 2>/dev/null | openssl base64 -A
```
Using Your Email Provider
Most ESPs generate keys for you:
Google Workspace:
- Admin Console → Apps → Google Workspace → Gmail → Authenticate email
- Select domain and click "Generate New Record"
- Choose 2048-bit key
Microsoft 365:
- Microsoft 365 Defender → Email & collaboration → Policies
- DKIM
- Create DKIM keys for your domain
Key Rotation Best Practices
Regular key rotation improves security:
Rotation Schedule
- Minimum: Annually
- Recommended: Every 6 months
- Immediately: If compromise is suspected
Rotation Process
- Generate new key with new selector
- Publish new public key
- Start signing with new key
- Allow overlap period (48-72 hours)
- Remove old public key
Selector Naming Conventions
Good practices for selector names:
- Date-based: `jan2025`, `2025q1`
- Sequential: `selector1`, `selector2`
- Descriptive: `google`, `marketing`
Avoid:
- Reusing selectors after removal
- Names that reveal security information
What About 4096-bit Keys?
While 4096-bit keys offer stronger security, they have drawbacks:
Pros:
- Maximum security
- Future-proofed against computing advances
Cons:
- May exceed DNS UDP packet size (512 bytes)
- Some DNS providers have issues with very long records
- Increased signing time
- Limited receiver support
For most organizations, 2048-bit keys provide excellent security without DNS compatibility issues.
Troubleshooting Key Length Issues
"DKIM key too weak"
Some receivers may reject 1024-bit keys:
- Upgrade to 2048-bit
- Test with major providers
"DNS record not found"
For 2048-bit keys, check:
- Record is properly split across strings
- No truncation occurred
- DNS propagation is complete
"DKIM signature failed"
After key rotation:
- Verify selector in signature matches DNS
- Ensure private/public key pair matches
- Check for DNS caching of old record
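The first and third checks in that last list can be automated. The script below is an added example, not part of the original article: it parses the DKIM-Signature header's tag list (RFC 6376 section 3.5), derives the DNS name a verifier queries (`<s>._domainkey.<d>`), and reports whether the published record exists, is a DKIM record, has a key type matching the signature's `a=` algorithm, and still has a non-empty p= (an empty p= means the key was revoked, which is exactly what you see when a signer keeps using a selector that was removed after rotation). The header and the DNS answers are constructed; confirming that the private and public keys actually match requires verifying a real signature and is not covered here.

```python
def parse_tags(value: str) -> dict:
    """Parse a DKIM tag list ('k=v; k=v'); whitespace inside values is folded away (RFC 6376 3.2)."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(val.split())
    return tags


def selector_record_name(sig: dict) -> str:
    """The DNS name a verifier queries for this signature: <s>._domainkey.<d> (RFC 6376 3.6.2.1)."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def diagnose(dkim_signature: str, published_txt: dict) -> list:
    """Return findings for a DKIM-Signature header checked against the published TXT records."""
    sig = parse_tags(dkim_signature)
    missing = [t for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in sig]
    if missing:
        return [f"signature is missing required tag(s): {', '.join(missing)}"]
    name = selector_record_name(sig)
    record = published_txt.get(name)
    if record is None:
        return [f"no TXT record at {name}: selector does not match DNS, or the record has not propagated yet"]
    rec = parse_tags(record)
    findings = []
    if rec.get("v", "DKIM1") != "DKIM1":  # v= is optional in the record but must be DKIM1 when present
        findings.append(f"{name}: v={rec['v']} is not a DKIM1 record")
    key_type = sig["a"].split("-", 1)[0]  # a=rsa-sha256 -> rsa
    if rec.get("k", "rsa") != key_type:
        findings.append(f"{name}: record key type k={rec.get('k', 'rsa')} does not match signature a={sig['a']}")
    if not rec.get("p"):
        findings.append(f"{name}: p= is empty, this selector's key has been revoked")
    return findings


# CONSTRUCTED data: one signature header and the TXT records a resolver would return.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector2; "
             "h=from:to:subject:date; bh=BODYHASH_PLACEHOLDER=; b=SIGNATURE_PLACEHOLDER=")
PUBLISHED = {
    "selector2._domainkey.example.com": "v=DKIM1; k=rsa; p=" + "A" * 392,  # new key (dummy p= value)
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=",             # old selector, revoked
}

if __name__ == "__main__":
    print(diagnose(SIGNATURE, PUBLISHED) or "no problems found")
```

When a signature fails after rotation, run `diagnose()` with the header from a bounced or failed message and the records you get from `dig` at the time of the failure; a cached pre-rotation answer shows up as a record that exists but disagrees with what you published, and a selector that was removed too early shows up as "no TXT record".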
DKIM key length is a straightforward security improvement. If you're still using 1024-bit keys, plan a migration to 2048-bit. The process is simple, and the security benefits are significant.