DKIM (DomainKeys Identified Mail) selectors and key sizes are crucial components of email authentication, impacting deliverability and security. Selectors allow a domain to publish multiple DKIM keys, enabling flexibility for different sending systems or key rotation schedules. While selector names can be arbitrary, they often contain information such as the creation date or key length, which aids in management and understanding their vintage. The choice of DKIM key size directly relates to the cryptographic strength of your email signatures, influencing how resistant they are to tampering and spoofing attempts.
Key findings
Selector interpretation: Many organizations incorporate dates (e.g., '201802', 's=2023') or key strengths (e.g., 's1024') into their DKIM selector names. This common practice provides a quick visual cue regarding when a key was generated or its cryptographic strength.
Key rotation significance: Keys should be rotated periodically to maintain security. An older selector name, such as one indicating a 2018 creation date, suggests a key that has not been rotated in several years, potentially exposing the domain to cryptographic vulnerabilities over time. For more on this, see DKIM key rotation best practices.
Recommended key size: The industry standard and recommended minimum for DKIM keys is 2048-bit RSA. While 1024-bit keys were once common, they are now considered less secure. Most email service providers and mailbox providers fully support 2048-bit keys.
Emerging key sizes: Although 2048-bit is current best practice, there is a growing movement toward even larger keys, such as 4096-bit RSA, for enhanced cryptographic strength. RFC 8301, published in 2018, outlined updates to DKIM requirements, including cryptographic algorithm and key size recommendations. For more details, consult the RFC 8301 documentation.
Key considerations
Selector naming strategy: While selectors can be arbitrary strings, adopting a consistent naming convention that includes dates or key strengths can simplify management and troubleshooting. See our guide to DKIM selector name examples.
Regular key rotation: Implement a routine for rotating your DKIM keys. Even if selectors don't explicitly indicate age, regular rotation is a fundamental security practice to mitigate risks associated with potential key compromises.
Optimize for security and compatibility: Aim for a 2048-bit DKIM key length as the minimum. While 4096-bit keys offer superior security, ensure compatibility with your email infrastructure and recipient mailbox providers before deployment. Consider the pros and cons of 1024-bit vs 2048-bit DKIM keys.
DMARC integration: Pairing DKIM with a strong DMARC policy (p=quarantine or p=reject) is crucial. Even if a DKIM key is old, a robust DMARC policy can still protect against spoofing, although an unrotated key represents a potential weak point. Find more in A simple guide to DMARC, SPF, and DKIM.
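A selector name is only a hint, so an audit should compare what the name suggests with the key actually published. The Python below is an added example, not code from this page or from any tool it mentions: it reads date and key-strength hints from a selector, measures the RSA modulus in the record's p= tag, and reports stale or undersized keys. The function names, the two-year `max_age_years` threshold, and the sample records (well-formed but built around a made-up modulus) are assumptions; only k=rsa records are handled.

```python
import base64, re

RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")  # AlgorithmIdentifier: rsaEncryption

def _tlv(buf, pos=0):  # read one DER element -> (content bytes, offset of next element)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(txt_record):
    """Modulus size in bits of the RSA key published in a DKIM record's p= tag."""
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    spki, _ = _tlv(base64.b64decode(tags["p"]))  # SubjectPublicKeyInfo SEQUENCE
    _, nxt = _tlv(spki)                          # skip AlgorithmIdentifier
    bitstr, _ = _tlv(spki, nxt)                  # BIT STRING wrapping the key
    rsakey, _ = _tlv(bitstr[1:])                 # drop unused-bits byte -> RSAPublicKey
    modulus, _ = _tlv(rsakey)                    # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def selector_hints(selector):
    """Best-effort (year, claimed_bits) read from a selector name; either may be None."""
    bits = re.search(r"(?<!\d)(1024|2048|3072|4096)(?!\d)", selector)
    rest = selector[:bits.start()] + selector[bits.end():] if bits else selector
    year = re.search(r"(?<!\d)(20\d\d)(?:\d\d){0,2}(?!\d)", rest)
    return (int(year.group(1)) if year else None, int(bits.group(1)) if bits else None)

def audit(selector, txt_record, current_year, max_age_years=2, min_bits=2048):
    """max_age_years is an assumed local policy; the page gives no fixed rotation period."""
    year, claimed = selector_hints(selector)
    actual, findings = rsa_bits(txt_record), []
    if actual < min_bits:
        findings.append(f"{actual}-bit key is below the {min_bits}-bit minimum")
    if claimed and claimed != actual:
        findings.append(f"selector claims {claimed}-bit but record holds {actual}-bit")
    if year and current_year - year > max_age_years:
        findings.append(f"selector dated {year}: key likely not rotated since")
    return findings

def sample_record(bits):
    """Constructed input: well-formed SPKI around a made-up modulus (not a usable key)."""
    def enc(tag, body):
        n, nb = len(body), (len(body).bit_length() + 7) // 8
        return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")) + body
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps it positive
    spki = enc(0x30, RSA_ALG + enc(0x03, b"\x00" + enc(0x30, enc(0x02, n) + enc(0x02, b"\x01\x00\x01"))))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

print(audit("201802", sample_record(1024), current_year=2023))
```

In practice the record text would come from a TXT lookup of `<selector>._domainkey.<domain>` rather than from `sample_record`.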
Email marketers often approach DKIM selectors and key sizes from a practical perspective, balancing security recommendations with ease of implementation and campaign management. While some adhere to strict rotation schedules and adopt longer keys, others might prioritize simplicity in selector naming or defer to their ESP's default settings. The general consensus among marketers leans towards stronger keys for better deliverability and trust.
Key opinions
Selector naming preferences: Many marketers use date-based selectors for clarity, making it easy to track when keys were created or last updated. Others may use more abstract or fun names, assuming the specific naming convention has minimal practical impact on deliverability.
Rotation frequency: There's a recognized benefit to rotating keys regularly, even if the rotation period varies from every few months to every few years, to enhance security. This practice helps to improve email deliverability rates.
Embracing 2048-bit keys: Many marketers are actively upgrading their DKIM keys to 2048-bit, recognizing it as the current recommended standard for stronger signatures and improved security posture.
Beyond 2048-bit: While 4096-bit keys are acknowledged as offering greater security, there's some uncertainty among marketers regarding widespread acceptance by all mailbox providers and the immediate necessity for such a large key size.
Key considerations
Balancing clarity and security: Marketers should consider selector names that provide clear organizational benefit, such as indicating creation date or key purpose, without compromising the underlying cryptographic security.
Proactive key management: It is beneficial for marketers to adopt a proactive approach to DKIM key rotation, even if it's every couple of years, to mitigate potential security vulnerabilities and maintain email trust. For more, learn why DKIM key rotation is recommended.
Adopting current standards: Prioritize using 2048-bit DKIM keys to align with current industry best practices and enhance email security and deliverability. This is often highlighted as a key factor in email deliverability issues.
Understanding ESP capabilities: Verify with your email service provider (ESP) what DKIM key sizes they support, especially if considering keys larger than 2048-bit, to ensure seamless implementation.
Marketer view
Marketer from Email Geeks observes that seeing a DKIM selector like '201802' in the headers of a large investment bank's emails suggests the key might not have been rotated since 2018, which seems unusual for a financial institution.
2 May 2023 - Email Geeks
Marketer view
Marketer from Email Geeks recalls personal experience rotating all their DKIM keys after 2-5 years, which provided a sense of relief, and they simultaneously upgraded them all to 2048-bit.
2 May 2023 - Email Geeks
What the experts say
Industry experts provide definitive guidance on DKIM selector interpretation and key size recommendations, emphasizing security, compliance with RFCs, and forward compatibility. They stress that while selectors offer flexibility, the underlying key strength is paramount for robust email authentication. There's a strong push towards modern cryptographic standards to counter evolving threats.
Key opinions
Literal interpretation of selectors: Experts largely agree that if a DKIM selector contains a date (e.g., '201802'), it should be interpreted as the creation or last rotation date of that key. This implies a need for regular rotation if the date is old.
ESP naming conventions: Some ESPs employ specific naming conventions for selectors that include both date and key strength (e.g., 's1024-2013-q3'), providing clear information about the key's attributes.
2048-bit as the minimum: The expert consensus firmly establishes 2048-bit as the minimum recommended key size for DKIM to ensure adequate security against cryptographic attacks.
Future of 4096-bit keys: 4096-bit keys are seen as a desirable goal for future-proofing, and experts note that they were formally allowed by RFC 8301 in 2018. However, their widespread adoption by mailbox providers is still evolving.
Key considerations
Avoid ambiguity in selectors: While selectors can be arbitrary, experts suggest avoiding overly obscure or humorous names that could hinder quick identification or troubleshooting in a production environment. For further guidance, read How to find DKIM record without selector.
Prioritize 2048-bit adoption: Organizations should actively work to upgrade any 1024-bit DKIM keys to 2048-bit to meet current security recommendations and improve inbox placement. Our article Are 2048-bit DKIM keys well accepted by ISPs? provides more detail.
Plan for larger keys: While not universally required yet, consider laying the groundwork for eventual adoption of 4096-bit keys as cryptographic standards continue to evolve. This involves assessing infrastructure capabilities and monitoring industry acceptance.
Continuous monitoring: Experts advise ongoing monitoring of DKIM validation, particularly for older keys, to ensure they remain functional and are not causing authentication failures that could lead to emails being sent to spam or even to a blocklisting.
Expert view
Expert from Email Geeks confirms that they would interpret a DKIM selector like '201802' as indicating the key has not been rotated since February 2018, reinforcing the common practice of using dates in selectors.
2 May 2023 - Email Geeks
Expert view
Expert from Email Geeks notes that, in their experience, people commonly specify either the date or the key strength within their DKIM selectors. This highlights common naming conventions within the industry.
2 May 2023 - Email Geeks
What the documentation says
Official documentation and standards bodies, such as the IETF, provide the foundational guidelines for DKIM selectors and key sizes. These documents evolve to address new cryptographic challenges and ensure that email authentication remains robust against spoofing and tampering. They define the technical requirements and recommendations that shape how DKIM is implemented and interpreted across the internet.
Key findings
Selector definition: The DKIM specification (RFC 6376) describes selectors as a mechanism to permit the presence of multiple keys on a domain. This flexibility is essential for scenarios like key rotation or using different sending systems.
Key size recommendations: RFC 6376 implicitly acknowledged key length as a factor for verifier policies. More recently, RFC 8301 specifically addresses cryptographic algorithm and key usage updates for DKIM, indicating that older requirements are functionally obsolete.
Modern cryptographic standards: RFC 8301 updates DKIM requirements to meet 'minimally suitable' standards for current algorithms, which generally implies a move towards larger, stronger keys like 2048-bit and the possibility of 4096-bit.
Importance of key rotation: While RFCs don't mandate specific rotation frequencies, the continuous updates to cryptographic recommendations imply that keys, and thus selectors, should be rotated to maintain optimal security.
Key considerations
Adherence to current RFCs: Organizations should ensure their DKIM implementations align with the latest RFCs, particularly RFC 8301, to leverage updated cryptographic best practices and strengthen email security. This also helps you defend your choice of DKIM key size.
Regular key reviews: Review DKIM key sizes periodically, especially if using older configurations, to ensure they meet modern security standards. Mailjet's guidance on 1024 vs 2048-bit keys is a valuable resource.
Understanding selector purpose: Recognize that selectors are primarily a mechanism for key management and rotation, as outlined in technical documentation like DuoCircle's explanation, rather than a security feature in themselves.
Future-proofing: While 2048-bit is current, be aware of the ongoing evolution of cryptographic standards and the potential future need for larger key sizes like 4096-bit, as hinted by updates in RFCs. For more information, refer to Are people using 4096-bit DKIM keys?.
Technical article
Documentation from IETF Datatracker (RFC 8301) specifies that the cryptographic algorithm and key size requirements for DKIM, originally designed a decade prior, are functionally obsolete. It updates these requirements to minimally suitable standards for currently specified algorithms.
25 Apr 2025 - IETF Datatracker
Technical article
Documentation from IETF Datatracker (RFC 6376) indicates that verifier policies might use the length of the signing key as one metric to determine if a signature is acceptable. Factors influencing key strength should be considered.