How to sign DKIM with a 2048 bit key in Mailjet?

Key findings

• Support assistance: Mailjet typically requires users to contact their support team to facilitate the change to a 2048-bit DKIM key, as direct self-service options may not be available. Mailjet addresses 1024-bit versus 2048-bit keys.
• Increased security: A 2048-bit DKIM key offers a higher level of cryptographic security compared to a 1024-bit key, making it more resistant to brute-force attacks and enhancing email authenticity. You can read about the pros and cons of different DKIM key sizes.
• DNS complexity: Managing longer 2048-bit public keys in DNS can be more complex due to potential character limits in TXT records, often requiring the record to be split into multiple strings.
• DNS tool evolution: Modern DNS management tools are generally equipped to handle 2048-bit keys, despite previous limitations where web interfaces lagged in supporting the longer record sizes.
• Identification: It is important to quickly identify your DKIM key length to ensure proper configuration and security.

Key considerations

• DNS provider support: Before attempting to set up a 2048-bit DKIM key, ensure your specific DNS provider supports longer TXT records or the necessary splitting method.
• Testing is crucial: When implementing a new DKIM key, particularly with a larger size, thorough testing on internal domains or a pilot basis is recommended before rolling it out to production or client domains.
• DNS record splitting: Be prepared to split the DKIM TXT record into two or more parts if your DNS provider has character limits for individual strings, ensuring proper concatenation for the public key. For example, AWS knowledge center describes resolving string too long errors.
• Coordination with ESP: Maintain clear communication with your Email Service Provider's (ESP) support team throughout the process to ensure their systems are configured to sign emails with the new 2048-bit key.
• Impact on deliverability: Incorrectly configured DKIM records can lead to deliverability issues, including emails landing in spam folders or being rejected. Always verify proper setup.

Key opinions

• ESP dependency: Many marketers believe that upgrading to a 2048-bit DKIM key is largely dependent on the ESP's (Mailjet, in this case) willingness and capability to provide this option through their support channels.
• DNS challenge: The primary concern for marketers is not the theoretical benefit of a 2048-bit key but the practical difficulty of configuring it within various DNS management interfaces, especially for those less familiar with such technicalities.
• Security priority: There's a strong desire among marketers to enhance email security (via DKIM key length) to bolster trust and improve deliverability, even if it means navigating technical complexities.
• Gradual rollout: It is preferred to test any changes to DKIM keys internally or on controlled domains before wider deployment to client accounts to prevent unforeseen issues.
• Authentication basics: Understanding DMARC, SPF, and DKIM is crucial for effective email marketing.

Key considerations

• Client management: For agencies or marketers managing multiple client accounts, the process of implementing 2048-bit DKIM keys can be especially challenging if clients lack technical expertise or direct DNS control.
• Avoiding disruption: The primary goal is to enhance security without inadvertently causing deliverability issues. This requires careful planning and execution.
• DNS interface limitations: Some older or less sophisticated DNS interfaces might not handle the longer 2048-bit DKIM TXT records gracefully, necessitating manual splitting or workarounds.
• Key rotation implications: Marketers should consider the implications of key rotation when using larger keys.

Key opinions

• ESP role: Experts confirm that ESPs like Mailjet are typically responsible for generating and allowing the implementation of 2048-bit DKIM keys through their support channels, rather than direct user control. ESPs often defend their key size decisions.
• DNS handling: Modern DNS management tools have largely caught up to the demand for 2048-bit keys, often managing the splitting of larger TXT records automatically, which was a significant pain point previously.
• Security best practice: 2048-bit keys are considered a superior security practice and are increasingly becoming the recommended standard for strong email authentication.
• Authentication standards: There's a growing expectation that 2048-bit DKIM keys will become a more common requirement, aligning with stricter email authentication policies. Discover if 2048-bit DKIM keys are becoming new email authentication requirements.

Key considerations

• Preventing issues: Even with advanced DNS tools, careful verification of the DKIM record after creation is essential to prevent validation failures or errors like DKIM temperror.
• DNS record size: While 2048-bit keys are larger, most DNS providers can handle them, either directly or by automatically concatenating split strings. It is recommended to follow best practices for 2048-bit DKIM keys.
• Ongoing monitoring: After implementing a 2048-bit DKIM key, continuous monitoring of email deliverability and DMARC reports is vital to ensure proper functionality and address any unforeseen issues.
• Legacy systems: While most systems are updated, some older mail servers or DNS resolvers might occasionally encounter issues with longer DKIM records, which is a rare but possible scenario.

Key findings

• Standard recommendation: Many security best practices documents recommend 2048-bit keys over 1024-bit for stronger cryptographic protection against evolving threats.
• TXT record limitations: DNS specifications allow TXT records to be long, but individual string literals within them often have character limits (e.g., 255 characters). 2048-bit DKIM keys usually exceed this, necessitating splitting.
• Splitting mechanism: To accommodate longer keys, the public key value should be enclosed in multiple sets of double quotation marks within a single TXT record. DNS resolvers will then concatenate these strings. Failure to do so can cause invalid RSA public key errors.
• No demand issue: Historically, DNS interfaces were slow to support 2048-bit keys because there wasn't a widespread demand for them. This has changed, leading to better support now.

Key considerations

• Format precision: When splitting, ensure there's no space between the closing quote of one string and the opening quote of the next, unless explicitly intended for concatenation. A single space between quoted strings is standard for concatenation in DNS.
• Provider-specific instructions: Always refer to your DNS provider's specific documentation for how they handle long TXT records. Some providers may have unique interface requirements or automated splitting features.
• Key generation: The ESP will generate the 2048-bit key. You can find out how to generate a DKIM key if needed for other contexts.
• Impact on DNS lookup limits: While DKIM records themselves don't typically impact the 10-lookup SPF limit, ensuring the TXT record for DKIM is correctly formed prevents unnecessary DNS queries or validation failures.