When setting up DKIM (DomainKeys Identified Mail), one of the most common questions I get is about which cryptographic settings to use. DKIM is a critical email authentication protocol: the sending system adds a digital signature to each message (the DKIM-Signature header), and receivers verify it with a public key published in the signing domain's DNS. A valid signature proves that the signing domain took responsibility for the message and that the signed headers and body haven't been altered in transit; DMARC then ties that signing domain to the visible From: address. Getting the configuration right, especially the algorithm and key length, is fundamental to your domain's security and email deliverability.
The choice isn't just a technical detail; it directly impacts how well you are protected against phishing and spoofing attacks. Let's break down the current best practices for DKIM keys to ensure your emails are secure and trusted by receivers like Google and Microsoft.
The most widely supported and recommended signing algorithm for DKIM is rsa-sha256, declared in the a= tag of the DKIM-Signature header. This is the industry standard that provides a strong balance of security and compatibility. It combines two different cryptographic functions: SHA-256, a hash function that fingerprints the canonicalized body (the bh= tag) and the signed headers, and RSA, the public-key algorithm that signs that header hash with your private key to produce the b= tag, which any receiver can check against the public key in your DNS.
While other algorithms exist, rsa-sha256 is almost universally supported and provides the security needed for modern email communication. The older rsa-sha1 was deprecated by RFC 8301 in 2018 and current verifiers treat such signatures as invalid, and the newer ed25519-sha256 (RFC 8463) is not yet accepted by enough receivers to be your only signature.
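To make the two halves of rsa-sha256 concrete, here is an added example (my own illustration, not code from the original post or from any DKIM library) that performs the SHA-256 half of verification in pure Python: it canonicalizes a body with the "simple" or "relaxed" rules from RFC 6376, recomputes the bh= body hash, and refuses the historic rsa-sha1 algorithm. The message body and DKIM-Signature header are constructed for the example; the b= RSA signature, which needs the public key from DNS and an RSA implementation, is left empty and not checked.

```python
import base64
import hashlib
import re

# Algorithms a verifier should still accept; rsa-sha1 is historic (RFC 8301).
ACCEPTED_ALGORITHMS = {"rsa-sha256", "ed25519-sha256"}


def canonicalize_body(body: str, method: str) -> bytes:
    """Canonical form of a message body per RFC 6376 section 3.4 (CRLF lines)."""
    if method not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {method}")
    lines = body.split("\r\n")
    if method == "relaxed":
        # Drop trailing whitespace on each line, collapse runs of SP/HTAB to one SP.
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    # Both methods ignore empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # Empty body: "simple" hashes a lone CRLF, "relaxed" hashes nothing.
        return b"\r\n" if method == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, method: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonical body: the value a signer writes into bh=."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body_hash(dkim_signature: str, body: str) -> tuple[bool, str]:
    """Accept only a modern a= algorithm and require bh= to match the received body.

    Returns (ok, reason). A False result means the message must not be treated
    as DKIM-authenticated, whatever the RSA signature in b= would say.
    """
    tags = parse_dkim_signature(dkim_signature)
    algorithm = tags.get("a", "")
    if algorithm not in ACCEPTED_ALGORITHMS:
        return False, f"unacceptable algorithm {algorithm!r}"
    # c= is header-canon/body-canon; a missing body part means "simple".
    canon = tags.get("c", "simple/simple")
    body_method = canon.split("/", 1)[1] if "/" in canon else "simple"
    expected = tags.get("bh", "")
    actual = body_hash(body, body_method)
    if actual != expected:
        return False, f"body hash mismatch: bh={expected} but body hashes to {actual}"
    return True, f"body hash verified ({algorithm}, c={canon})"


# Constructed sample, not a captured message. The signer side fills bh= with
# body_hash(); b= (the RSA signature over the headers) is left empty here.
SAMPLE_BODY = "Quarterly invoice attached.\r\n\r\nThanks,   \r\nFinance\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
    "\th=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY, "relaxed") + ";\r\n"
    "\tb="
)

if __name__ == "__main__":
    print(check_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY))
    # A single changed word in transit is caught before any RSA work is done.
    print(check_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY.replace("Quarterly", "Final")))
    print(check_body_hash(SAMPLE_SIGNATURE.replace("rsa-sha256", "rsa-sha1"), SAMPLE_BODY))
```

Note the order of checks: a verifier rejects the algorithm and the body hash before touching the public key, so a forged or altered message never reaches the RSA step. The relaxed canonicalization is why trailing spaces added by an intermediate mail server do not break the signature, while any change to the actual words does.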
Just as important as the algorithm is the length of your RSA key. For a long time, 1024-bit keys were the standard. However, as computing power has advanced, these shorter keys have become too weak to rely on: NIST has disallowed 1024-bit RSA for generating new signatures since 2013, and RFC 8301 requires DKIM signers to use at least 1024 bits, recommends 2048, and tells verifiers to refuse anything shorter than 1024. The current industry best practice is to use 2048-bit RSA keys.
A 2048-bit key is far more difficult to break than a 1024-bit key: it is rated at roughly 112 bits of security against the best known factoring attacks, versus about 80 bits for 1024-bit RSA, so the work needed to recover the private key rises by many orders of magnitude, not merely twofold. This significantly increases the security of your email signing process, making it much harder for malicious actors to forge a valid signature for your domain. Using a 2048-bit key is about future-proofing your email security. While some senders still use 1024-bit keys, the migration to 2048-bit is well underway, and it's what major mailbox providers now expect to see.
Upgrading to a 2048-bit DKIM key is a straightforward process, but it requires careful execution. Here is what I advise:
First, you need to check if your DNS provider supports the long text strings required for 2048-bit keys. A 2048-bit public key produces a p= value of 392 base64 characters, and a single TXT character-string is limited to 255 bytes, so the record has to be published as two or more quoted strings that verifiers join back together. Most modern providers split the value for you, but some older consoles reject it or truncate it silently, which leaves you with a key that fails verification. Your email sending service (like an ESP) should provide you with the option to generate a 2048-bit key. Once you have the new public key, publish it as a TXT record at <selector>._domainkey.yourdomain.com under a new selector rather than overwriting the old one, confirm with a DNS lookup (for example dig TXT on that name) that the whole key comes back, and only then switch your sender to sign with the new selector.
Finally, it's a good idea to get into the habit of rotating your DKIM keys periodically, perhaps once or twice a year. Because each key lives under its own selector, rotation is the same cut-over again: publish the new key under a new selector, switch signing to it, and remove the old record once mail signed with it has stopped arriving (a record with an empty p= explicitly revokes a key). This is a security best practice that limits the window of opportunity for an attacker if a key were ever to be compromised.
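The key-length and DNS-record points above are easy to check mechanically, so here is an added example (mine, not code from the original post or from any DNS or DKIM tool) that does both sides of the publishing step in pure Python: it encodes an RSA public key as the SubjectPublicKeyInfo DER that the p= tag carries, splits the resulting record into 255-byte TXT strings, and then does what a verifier does in reverse, joining the strings, decoding p=, and reading the modulus size to grade it against the RFC 8301 floor and the 2048-bit recommendation. The moduli, selector names and domain are constructed for the example, not real keys; generate real keys with openssl or your ESP and point the checker at what your resolver actually returns.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1, rsaEncryption
MIN_BITS, RECOMMENDED_BITS = 1024, 2048              # RFC 8301 floor and recommendation
TXT_STRING_MAX = 255                                 # one TXT character-string (RFC 1035)


def _der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag-length-value."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body                        # keep the INTEGER positive
    return _der(0x02, body)


def rsa_spki_der(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA public key: the bytes p= carries, base64-encoded."""
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _der(0x30, RSA_OID + b"\x05\x00")    # AlgorithmIdentifier with NULL params
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused


def _read_tlv(buf: bytes, pos: int, want: int):
    """Parse one DER element at pos, check its tag, return (content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if tag != want:
        raise ValueError(f"expected DER tag {want:#x}, found {tag:#x}")
    pos += 2
    if first & 0x80:
        size = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    else:
        length = first
    return buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo."""
    spki, _ = _read_tlv(spki_der, 0, 0x30)
    algorithm, pos = _read_tlv(spki, 0, 0x30)
    if not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    bit_string, _ = _read_tlv(spki, pos, 0x03)
    rsa_public_key, _ = _read_tlv(bit_string[1:], 0, 0x30)   # skip unused-bits octet
    modulus, _ = _read_tlv(rsa_public_key, 0, 0x02)          # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()


def dkim_txt_record(spki_der: bytes) -> list[str]:
    """The key record as the list of quoted strings to put in DNS."""
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode("ascii")
    return [record[i:i + TXT_STRING_MAX] for i in range(0, len(record), TXT_STRING_MAX)]


def check_dkim_record(quoted_strings: list[str]) -> tuple[int, str]:
    """Join the strings as a verifier does, decode p=, and grade the key size."""
    record = "".join(quoted_strings)
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)=([^;]*)", record)}
    if tags.get("v", "DKIM1") != "DKIM1":
        return 0, "not a DKIM key record"
    if tags.get("k", "rsa") != "rsa":
        return 0, f"key type {tags['k']} not handled here"
    if not tags.get("p"):
        return 0, "empty p= (key revoked)"
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < MIN_BITS:
        return bits, "reject: below the RFC 8301 minimum, verifiers will not accept it"
    if bits < RECOMMENDED_BITS:
        return bits, "weak: still accepted, upgrade to 2048-bit"
    return bits, "ok"


# Constructed moduli, not real keys: odd numbers with the top bit set give the
# encoder exactly 2048- and 1024-bit values to round-trip.
FAKE_2048 = (1 << 2047) | 1
FAKE_1024 = (1 << 1023) | 1

if __name__ == "__main__":
    # Old and new selector side by side, as they would coexist during a cut-over.
    for selector, modulus in (("s2024b", FAKE_2048), ("s2024a", FAKE_1024)):
        strings = dkim_txt_record(rsa_spki_der(modulus))
        print(f"{selector}._domainkey.example.com TXT " + " ".join(f'"{s}"' for s in strings))
        print("  ->", len(strings), "string(s),", check_dkim_record(strings))
```

The 2048-bit record comes out as two quoted strings and the 1024-bit one fits in a single string, which is exactly why a DNS console that worked for the old key can fail on the new one. To check a live record, paste the quoted strings your resolver returns into check_dkim_record; if it reports fewer bits than you generated, the record was truncated on the way into DNS.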
To sum up, the recommended DKIM setup is a 2048-bit key using the rsa-sha256 algorithm. This configuration offers robust security against forgery and is the current standard favored by mailbox providers worldwide. Implementing this not only protects your brand's reputation but is also a key factor in achieving strong email deliverability.