Suped

Summary

While 1024-bit DKIM keys are currently considered secure and meet the DKIM standard's minimum requirement, there is a growing consensus that 2048-bit keys offer a greater security margin against potential attacks. Most ESPs support both; however, some older systems may not support the larger key size. Opinions differ on how much security the larger key adds and on the need to balance security with compatibility. Implementing larger key sizes should be balanced with interoperability and industry best practices to show a commitment to security. ESP support varies, and while some default to 1024-bit keys, they often encourage upgrading to 2048-bit.

Key findings

  • Enhanced Security: 2048-bit keys provide more robustness against potential attacks than 1024-bit keys. This is generally recommended for enhanced long-term security.
  • Industry Trend: There is an observable trend towards 2048-bit keys, in line with industry best practices and compliance. More robust standards for domain security are generally recommended.
  • ESP Support: Many ESPs support both 1024-bit and 2048-bit. However, implementation and default settings may vary.

Key considerations

  • Compatibility Issues: Ensure compatibility with older systems, as 2048-bit keys may not be supported universally.
  • Implementation Complexity: Implementing 2048-bit keys might require DNS record and ESP configuration updates. Proper testing is vital to ensure proper implementation.
  • Balancing Security: Balance enhanced security with the practical requirements of deliverability. Not all receivers may benefit from an increased key size, and it might cause issues for senders.

What email marketers say

14 marketer opinions

The consensus is that while 1024-bit DKIM keys are currently considered secure, 2048-bit keys offer a larger security margin against potential cryptographic attacks and are increasingly recommended. Most major ESPs support both, with some defaulting to 1024-bit but encouraging or allowing upgrades to 2048-bit. Compatibility with older systems and internal security policies are important factors to consider.

Key opinions

  • Security: 2048-bit DKIM keys offer enhanced security compared to 1024-bit keys, providing better protection against brute-force attacks and key compromise.
  • ESP Support: Many ESPs support both 1024-bit and 2048-bit DKIM keys, including SparkPost, SendGrid, and Mailgun. Some default to 1024-bit but offer 2048-bit as an option.
  • Best Practice: While 1024-bit is still acceptable, the trend is towards recommending 2048-bit for future-proofing and alignment with evolving security standards.

Key considerations

  • Compatibility: Some older email clients and servers may not fully support 2048-bit DKIM keys, potentially causing issues with email delivery. Testing is crucial.
  • Security Policies: Internal security policies within organizations may dictate a minimum DKIM key size of 2048-bit, regardless of current cryptographic vulnerabilities.
  • Implementation: Implementing 2048-bit keys might require updates to DNS records and configurations within ESP platforms. Proper setup and testing are vital.

Marketer view

Email marketer from AuthSMTP shares that both 1024-bit and 2048-bit keys are acceptable, but some older systems might not work with larger keys, so you may need to use 1024-bit. They also mention that it is down to the individual company's security policy.

1 Feb 2022 - AuthSMTP

Marketer view

Email marketer from expert.ai explains that DKIM key length is the size (in bits) of the cryptographic key used to sign email messages. A longer key length provides stronger security but may not be supported by all email providers.

30 May 2023 - expert.ai

What the experts say

2 expert opinions

Experts suggest that while 2048-bit DKIM keys offer improved security, the practical benefits over 1024-bit keys might be minimal in some situations. Defending a specific key size involves balancing security enhancements with the need for compatibility across different email systems. Alignment with industry best practices and demonstrating a commitment to security also contribute to defending the choice of a larger key.

Key opinions

  • Security vs. Practicality: While larger key sizes are generally more secure, the real-world impact compared to smaller keys might be limited in certain contexts.
  • Compliance: Defending the larger key size is not always about the enhanced security, but alignment with industry best practices to demonstrate security awareness.

Key considerations

  • Compatibility: Ensure that the chosen key size is supported by all receiving systems to avoid deliverability issues. Not all systems support 2048-bit keys.
  • Interoperability: Balance the need for enhanced security with the practical requirements of ensuring seamless email delivery across diverse platforms.

Expert view

Expert from Word to the Wise, in the context of a comment, explains that choosing key size requires considering compatibility, noting that while 2048-bit keys offer better protection, they may not be supported by all receiving systems. "Defending" a choice involves balancing security with practical interoperability.

26 Oct 2024 - Word to the Wise

Expert view

Expert from SpamResource shares that while larger DKIM key sizes (2048-bit) are generally recommended for improved security, the practical benefits over 1024-bit keys might be minimal in certain contexts. The primary reason to 'defend' it would be to align with industry best practices and demonstrate a commitment to security.

30 Apr 2024 - SpamResource

What the documentation says

3 technical articles

DKIM documentation suggests a move towards stronger key lengths. The DKIM standard specifies a minimum of 1024 bits. Implementation guides, such as OpenDKIM and Google Workspace Admin Help, recommend 2048-bit keys for enhanced long-term security and compliance.

Key findings

  • Minimum Standard: The DKIM standard (RFC Editor) suggests using at least 1024-bit keys.
  • Recommendation: OpenDKIM recommends generating 2048-bit keys for signing.
  • Security Enhancement: Google Workspace Admin Help advocates using 2048-bit keys to improve domain security.

Key considerations

  • Long-term Security: Larger keys are recommended for long-term security to ensure compliance with evolving security standards.
  • Compliance: Using 2048-bit keys helps meet current security standards.

Technical article

Documentation from RFC Editor, the DKIM standard, specifies that key lengths of at least 1024 bits SHOULD be used with RSA. It doesn't explicitly forbid shorter keys but implies they are less secure and less future-proof.

27 May 2023 - RFC Editor

Technical article

Documentation from Google Workspace admin help recommends using a 2048-bit DKIM key as this increases your domain's security.

25 Aug 2022 - Google Workspace Admin Help
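
A key-size audit for a published DKIM record, as an added example that is not code from Suped or from any source quoted above: it reads the RSA modulus length from the `p=` tag, grades it against the 1024-bit minimum and 2048-bit recommendation summarized here, and flags records that exceed the 255-byte limit of a single DNS TXT string (a DNS constraint, not stated on this page). All function names are hypothetical, and `sample_record` builds constructed, non-usable test input.

```python
import base64

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def dkim_rsa_bits(txt_record):
    """Return the RSA modulus size in bits from a DKIM key record's p= tag."""
    tags = {}
    for part in txt_record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())   # drop folding whitespace
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("no RSA public key in record (other key type or revoked)")
    der = base64.b64decode(tags["p"])
    _, spki, _ = _tlv(der, 0)              # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _tlv(der, spki)        # AlgorithmIdentifier, skipped
    tag, bits_start, _ = _tlv(der, alg_end)
    if tag != 0x03:
        raise ValueError("expected BIT STRING holding the RSA key")
    _, rsa, _ = _tlv(der, bits_start + 1)  # +1 skips the unused-bits octet
    _, n_start, n_end = _tlv(der, rsa)     # first INTEGER is the modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def assess(txt_record):
    """Grade key size; flag records over the 255-byte single TXT string limit."""
    bits = dkim_rsa_bits(txt_record)
    grade = "below-minimum" if bits < 1024 else "meets-minimum" if bits < 2048 else "recommended"
    return {"bits": bits, "grade": grade, "needs_split": len(txt_record.encode()) > 255}

def _der(tag, body):
    size, width = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([size]) if size < 0x80 else bytes([0x80 | width]) + size.to_bytes(width, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed input: SPKI-shaped DER around a placeholder modulus, not a usable key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

print({size: assess(sample_record(size)) for size in (1024, 2048)})
```

To audit a live domain, pass `assess` the TXT value published at `<selector>._domainkey.<domain>` with its quoted strings already concatenated.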
