Summary
The consensus is that while 1024 bits is the minimum supported DKIM key length, 2048 bits is the recommended standard for security and performance. Some experts and marketers are using and advocating for 4096-bit keys for enhanced future-proof security, but the practical benefits beyond 2048 bits are debated. Proper implementation and provider support are crucial factors. The appropriate key length can also depend on the size and security needs of the business.
Key findings
- Minimum Length: 1024 bits is the minimum supported DKIM key length, per RFC specifications.
- Recommended Length: 2048 bits is the most commonly recommended DKIM key length for balancing security and performance, as supported by Cloudflare, Google, and DKIM Wizard.
- Emerging Trend: 4096-bit keys are being adopted for enhanced security and future-proofing against computational advancements.
- Security vs. Practicality: While longer keys enhance security, the incremental benefit beyond 2048 bits may be limited for many senders.
Key considerations
- Provider Support: Verify that your email service provider supports key lengths exceeding 2048 bits before implementing them.
- Implementation Quality: Prioritize proper DKIM implementation and monitoring over solely relying on longer key lengths.
- Business Needs: Consider your organization's size and security requirements when selecting a DKIM key length; smaller businesses may find 1024 bits sufficient, while larger businesses may need 2048 bits or higher.
What email marketers say
8 marketer opinions
The discussion around DKIM key lengths reveals a range of perspectives, from the practical minimum of 1024 bits to the increasingly prevalent use of 4096-bit keys. While some marketers highlight the enhanced security offered by longer keys like 2048 bits or greater, others suggest that 2048 bits strikes a balance between security and performance. Some also point out that the right key length depends on the size of the business.
Key opinions
- Minimum Recommendation: 1024-bit keys are considered a practical minimum for DKIM to prove legitimacy, though longer keys are generally recommended.
- Common Practice: 2048-bit key length is the most common and offers a good balance between security and performance.
- Growing Trend: 4096-bit keys are becoming increasingly prevalent due to heightened security concerns.
- Security Benefit: Increasing the DKIM key length improves security and protection against cryptographic attacks.
Key considerations
- Provider Support: Check with your email service provider regarding support for key sizes greater than 2048 bits.
- Business Size: Smaller businesses might find 1024 bits sufficient, while larger businesses might opt for 2048 bits.
- Performance Impact: Consider the balance between security and performance when choosing a DKIM key length.
Marketer view
Email marketer from AuthSMTP says that 2048-bit key length is the most common and offers a good balance between security and performance.
11 Jan 2024 - AuthSMTP
Marketer view
Email marketer from MXToolbox shares that increasing the DKIM key length improves security, advising users to check with their provider regarding support for key sizes greater than 2048 bits.
27 May 2025 - MXToolbox
What the experts say
2 expert opinions
Experts suggest that while longer DKIM keys offer greater security, there's a point of diminishing returns. 1536 bits is considered sufficient against brute force attacks, and the RFC requires support for 2048-bit keys. Exceeding 2048 bits may not provide significant practical benefits for most senders, making proper implementation and monitoring more crucial than solely relying on key length.
Key opinions
- Sufficient Length: 1536 bits is long enough to protect against brute force attacks.
- RFC Requirement: The RFC requires support for 2048-bit DKIM keys.
- Diminishing Returns: The practical benefits of exceeding 2048 bits are debatable for most email senders.
Key considerations
- Implementation: Proper implementation and monitoring are more crucial than solely relying on key length.
- Practical Benefits: Assess whether the increased security of longer keys justifies the added complexity.
Expert view
Expert from Word to the Wise explains that while longer keys offer greater security, the practical benefits of exceeding 2048 bits are debatable for most email senders. They emphasize the importance of proper implementation and monitoring over solely relying on key length.
2 Feb 2024 - Word to the Wise
Expert view
Expert from Email Geeks explains that 1536 bits is long enough for brute force attacks and the RFC requires 2048 bit keys to be supported, anything longer is implementation defined.
19 Jun 2023 - Email Geeks
What the documentation says
4 technical articles
Documentation across various sources indicates a consensus that the recommended DKIM key length is 2048 bits to meet modern security standards and prevent signature forgery. While the minimum supported key length is 1024 bits, using longer keys is generally advised for enhanced security.
Key findings
- Recommended Size: The recommended DKIM key size is 2048 bits.
- Security Standard: 2048-bit keys meet modern security standards.
- Minimum Size: The minimum supported DKIM key length is 1024 bits.
- Enhanced Security: Longer keys offer enhanced security benefits.
Key considerations
- Implementation: Ensure your DKIM key is at least 2048 bits for optimal security.
- Key Rotation: Consider implementing key rotation for added security.
Technical article
Documentation from ietf.org defines that implementations MUST support a minimum key length of 1024 bits. It also recommends using longer keys where possible, noting the security benefits.
27 Jun 2022 - ietf.org
Technical article
Documentation from Google says that the DKIM key should be 2048 bits if possible to meet modern security standards.
6 Nov 2023 - Google Workspace Admin Help
Can DKIM be set up on a subdomain, and which domain should be used for signing?
Do DKIM selectors affect email reputation?
Does rotating DKIM keys improve email deliverability and how should DKIM keys be rotated?
How can I find the source and purpose of emails originating from unrecognized IP addresses?
How can you deduce inbox placement metrics using per-ISP open rates and manage bot opens?
How do I find the DKIM selector for my domain in Dmarcian or Hubspot?
How do I generate an a=rsa-sha256 key for DKIM?
How should DKIM selector names be interpreted and what is the recommended DKIM key size?
