Suped

What is the recommended DKIM key algorithm?

When setting up DKIM (DomainKeys Identified Mail), one of the most common questions I get is about which cryptographic settings to use. DKIM is a critical email authentication protocol that acts like a digital signature, verifying that an email was actually sent from the domain it claims to be from and that its contents haven't been altered in transit. Getting the configuration right, especially the algorithm and key length, is fundamental to your domain's security and email deliverability.

The choice isn't just a technical detail; it directly impacts how well you are protected against phishing and spoofing attacks. Let's break down the current best practices for DKIM keys to ensure your emails are secure and trusted by receivers like Google and Microsoft.


The most widely supported and recommended signing algorithm for DKIM is rsa-sha256. This is the industry standard that provides a strong balance of security and compatibility. It combines two different cryptographic functions:

  • RSA (Rivest-Shamir-Adleman): This is the algorithm used to generate the public and private key pair. The private key signs the email, and the public key, published in your DNS, is used by recipient servers to verify the signature.
  • SHA-256 (Secure Hash Algorithm 256-bit): This is the hashing algorithm. It creates a unique, fixed-size digital fingerprint of your email's content and headers. This hash is what gets signed with your private key.
URIports Blog says: "Use the rsa-sha256 signing algorithm for creating the digital signature."

While other algorithms exist, rsa-sha256 is almost universally supported and provides the security needed for modern email communication.

The key to security: why 2048-bit length matters

Just as important as the algorithm is the length of your DKIM key. For a long time, 1024-bit keys were the standard. However, as computing power has advanced, these shorter keys have become more vulnerable. The current industry best practice is to use 2048-bit RSA keys.

Aquila I says: "To stay ahead of potential threats, 2048-bit DKIM keys are now recommended as the industry standard."

A 2048-bit key is exponentially more difficult to crack than a 1024-bit key. This significantly increases the security of your email signing process, making it much harder for malicious actors to forge a valid signature for your domain. Using a 2048-bit key is about future-proofing your email security. While some senders still use 1024-bit keys, the migration to 2048-bit is well underway, and it's what major mailbox providers now expect to see.

Twilio says: "Learn how to implement 2048 bit DKIM keys to protect your domain and email reputation with the latest-and-greatest email security."

Putting it into practice: implementing stronger DKIM

Upgrading to a 2048-bit DKIM key is a straightforward process, but it requires careful execution. Here is what I advise:

GoDMARC Knowledge Base says: "Ensure that your domain's DNS provider supports 2048-bit keys."

First, you need to check if your DNS provider supports the long text strings required for 2048-bit keys. Most modern providers do, but some older systems might have limitations. Your email sending service (like an ESP) should provide you with the option to generate a 2048-bit key. Once you have the new public key, you will publish it as a TXT record in your domain's DNS.

Finally, it's a good idea to get into the habit of rotating your DKIM keys periodically, perhaps once or twice a year. This is a security best practice that limits the window of opportunity for an attacker if a key were ever to be compromised.
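As an added example (not code from the Suped page or from any DKIM library), here is a stdlib-only Python check that ties the algorithm and key-length advice above to the publishing and rotation steps: it joins a DKIM TXT record's strings, reads the RSA modulus size out of the p= value, flags keys under 2048 bits or an empty p= (a revoked key, which is what an old selector should become after rotation), and splits a long record into the 255-byte strings a single DNS TXT string is limited to. The `fake_dkim_record` sample is constructed for the demo around a dummy modulus and is not a usable key.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"  # rsaEncryption OID + NULL

def _der(tag, body):  # encode one DER TLV, long-form length when the body is 128+ bytes
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(buf, pos=0):  # decode one DER TLV at pos -> (tag, body, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """RSA modulus size of a DER SubjectPublicKeyInfo, which is what DKIM's p= carries."""
    _, body, _ = _tlv(spki)                       # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = _tlv(body)                      # AlgorithmIdentifier SEQUENCE
    if alg != RSA_OID:
        raise ValueError("p= does not hold an rsaEncryption key")
    _, rsapub, _ = _tlv(_tlv(body, pos)[1], 1)   # BIT STRING body, past the unused-bits byte
    return int.from_bytes(_tlv(rsapub)[1], "big").bit_length()  # first INTEGER is the modulus

def parse_dkim_record(strings):
    """Join a TXT record's 255-byte strings and parse the tag=value pairs."""
    pairs = (p.split("=", 1) for p in "".join(strings).split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}  # whitespace inside p= is allowed

def check_dkim_record(strings):
    """Findings: non-RSA key, revoked (empty p=) key, or key shorter than 2048 bits."""
    tags = parse_dkim_record(strings)
    if tags.get("k", "rsa") != "rsa":
        return ["k= is not rsa"]
    if not tags.get("p"):
        return ["empty p=: key is revoked"]
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return [] if bits >= 2048 else [f"{bits}-bit key is below the 2048-bit recommendation"]

def split_txt(value, size=255):  # one TXT string holds at most 255 bytes; split before publishing
    return [value[i:i + size] for i in range(0, len(value), size)]

def fake_dkim_record(bits):
    """CONSTRUCTED sample: a well-formed SPKI around a dummy modulus, not a usable key."""
    n_der = _der(0x02, ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big"))  # leading 0x00 keeps it positive
    rsapub = _der(0x30, n_der + _der(0x02, (65537).to_bytes(3, "big")))
    spki = _der(0x30, _der(0x30, RSA_OID) + _der(0x03, b"\x00" + rsapub))
    return split_txt("v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode())
```

To audit a live selector, pass the list of strings your DNS resolver returns for `selector._domainkey.example.com` to `check_dkim_record`; a 2048-bit record comes back as two strings, which is the "long text string" support the article tells you to confirm with your DNS provider.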

Final thoughts

To sum up, the recommended DKIM setup is a 2048-bit key using the rsa-sha256 algorithm. This configuration offers robust security against forgery and is the current standard favored by mailbox providers worldwide. Implementing this not only protects your brand's reputation but is also a key factor in achieving strong email deliverability.
