Why defend DKIM key size and what key sizes do ESP's support?

Key findings

• Current status: Many ESPs default to 1024-bit DKIM keys, with some offering 2048-bit as an advanced or API-only option, such as SparkPost.
• Security adequacy: As of now, 1024-bit DKIM keys have no known successful collision attacks and are not officially deprecated, meaning they still provide sufficient security for most email authentication purposes.
• Industry trend: There's a general push towards larger key sizes (e.g., 2048-bit) in the broader cybersecurity landscape for stronger encryption.
• Perceived security: Customers, especially those with stringent internal security policies, may demand 2048-bit keys, aligning with perceptions of best practices for cryptographic strength.

Key considerations

• ESP capabilities: Verify your ESP's actual support for 2048-bit DKIM keys, as it may be hidden in API documentation or not available for specific sending methods (e.g., cloud versus on-premise). This is a critical part of evaluating ESP capabilities.
• Implementation complexity: Implementing 2048-bit keys can sometimes require multiple DNS TXT record strings, which might introduce a slightly higher, though generally negligible, chance of receiver-side errors.
• Resource allocation for ESPs: For ESPs, supporting larger key sizes involves substantial development effort, including updating software platforms, UIs, and documentation, which is not a trivial task at scale.
• Communicating security posture: When facing customer demands, it's essential to clearly articulate that 1024-bit keys remain cryptographically sound and widely accepted for email authentication, as part of your overall email authentication best practices. Mailjet's article on DKIM 1024 vs 2048 provides further insights.

Key opinions

• Customer driven requests: Many requests for 2048-bit keys come from customer-side internal security requirements, even if 1024-bit is technically sufficient.
• ESP support variance: ESPs like SparkPost and Sendgrid often default to 1024-bit, with 2048-bit being an option that is sometimes buried in API documentation rather than the UI.
• Roadmap perspective: When unable to support larger keys immediately, suggesting that it's on the product roadmap for larger key sizes can be a way to manage customer expectations.
• Hidden configuration: Some ESPs might support 2048-bit keys via non-obvious configurations, such as specific API parameters, highlighting the need for thorough investigation.

Key considerations

• Addressing security concerns: Be prepared to educate customers that 1024-bit keys are still robust and widely accepted, with no known vulnerabilities in practical use. This ties into broader DKIM troubleshooting and understanding the cryptographic strength of your DKIM selectors.
• Managing expectations: For product managers and marketers, it is crucial to manage customer expectations regarding key size capabilities, especially when limited by upstream providers.
• Advocating for updates: Pushing ESPs to clarify their roadmap for 2048-bit (or larger) key support can help align with future security demands.
• Weighing trade-offs: While 2048-bit keys offer theoretical benefits, marketers should consider the practical implications, such as potential minor increase in DNS TXT record errors, as mentioned in Twilio's insights on 2048-bit DKIM keys.

Key opinions

• Security vs. practicality: Experts affirm that 1024-bit DKIM keys are not deprecated and have no known successful collision attacks in the wild, making them functionally secure for current email authentication.
• Development effort: The primary reason an ESP might not support 2048-bit keys is the substantial development work needed to integrate it across their platform, UI, and support systems, not just the underlying MTA.
• MTA support: Underlying MTAs like PowerMTA and Momentum are generally capable of supporting 2048-bit keys; the limitation often lies in the ESP's specific cloud implementation or product strategy.
• Managing customer demands: Some experts suggest managing customer expectations by communicating that larger key support is on the roadmap, alongside other advancements like Ed25519.

Key considerations

• DNS record complexity: While 2048-bit keys might require multiple DNS TXT record strings, the chance of receiver errors due to this is considered non-zero but generally minor by experts.
• Key rotation implications: The choice of key size also impacts DKIM key rotation strategies and managing email reputation effectively.
• Troubleshooting temperror: Understanding how different key sizes might affect DKIM temporary errors is important for maintaining deliverability.
• Future-proofing: While 1024-bit is currently acceptable, a proactive approach for ESPs includes planning for higher key sizes to align with evolving security standards and customer demands. Spamresource often discusses evolving email security practices.

Key findings

• RFC recommendations: While DKIM RFCs do not explicitly mandate 2048-bit keys, they align with general cryptographic best practices that favor larger key sizes for long-term security.
• Industry best practices: Many industry guides recommend 2048-bit keys for new DKIM implementations due to increased cryptographic strength and future-proofing against computational advances.
• Deprecation status: 1024-bit keys are not currently deprecated by major email service providers or authentication standards, but their cryptographic lifespan is naturally shorter than 2048-bit keys.
• Focus on authentication integrity: Documentation consistently stresses the importance of correctly configured DKIM, SPF, and DMARC records to ensure email authentication passes, regardless of key size, for successful email delivery.

Key considerations

• Migration planning: Organizations should have a plan for eventually migrating to 2048-bit keys or larger, even if 1024-bit is currently sufficient, as part of their long-term security strategy.
• Interoperability: Ensure that your chosen ESP and the receiving mail servers widely support the DKIM key size you implement to avoid authentication failures. This is a core part of understanding the interplay of email authentication protocols.
• DMARC integration: Proper DKIM signing, regardless of key size, is crucial for DMARC alignment. Misconfigurations can lead to DMARC failures, affecting deliverability. Key considerations for DMARC implementation also apply here.
• Compliance requirements: Some industries or organizations may have specific compliance requirements that mandate stronger encryption, influencing the choice of DKIM key size. Hostinger's tutorial on what is a DKIM record touches on best practices.