Use 2048-bit DKIM keys. 1024-bit keys are technically still accepted but considered weak and will eventually be deprecated. Major providers (Google, Microsoft, Yahoo) recommend or require 2048-bit. The only caveat: some older DNS providers can't handle the longer TXT records—use CNAME records or split TXT strings as a workaround.
DKIM 1024-bit vs 2048-bit: Which Key Length to Use
DKIM Key Length Comparison
| Key Length | Security Status | Recommendation |
|---|---|---|
| 1024-bit | Weak but accepted | Upgrade when possible |
| 2048-bit | Current standard | Use this |
| 4096-bit | Overkill | Not worth the DNS complexity |
Why 2048-bit Is Now Standard
Security Considerations
1024-bit RSA keys are theoretically vulnerable to future attacks. While no practical attacks exist today, the security margin is shrinking.
Google's position: "We recommend using a 2048-bit key. If you're currently using a 1024-bit key, we strongly recommend switching to a 2048-bit key."
Industry consensus: 2048-bit provides security through at least 2030, with comfortable margin.
Provider Requirements
Major email providers now recommend or require 2048-bit:
- Gmail: Recommends 2048-bit, accepts 1024-bit
- Microsoft 365: Uses 2048-bit by default
- Yahoo: Recommends 2048-bit
- Apple: Accepts both, prefers 2048-bit
Future updates may reject 1024-bit signatures entirely.
Practitioner note: I've been advising 2048-bit exclusively since 2020. The "1024-bit still works" argument ignores the direction everything is heading. Set up 2048-bit now and you won't have to touch it for years.
The DNS Record Length Problem
2048-bit public keys are ~390 characters. DNS TXT records have a 255-character limit per string. For a deeper look at this issue, see DKIM key length and DNS limits.
Example 2048-bit DKIM record:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn3t... [390+ characters total]
Solution 1: String Concatenation
DNS allows multiple strings in a TXT record. They're concatenated during lookup:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg" "KCAQEA..."
Most DNS providers handle this automatically. Some require manual splitting.
Solution 2: CNAME Records
Many ESPs offer CNAME-based DKIM:
s1._domainkey.yourdomain.com CNAME s1.domainkey.esp.com
The ESP hosts the actual key. You just point to it. Key length becomes their problem.
Advantages:
- Works regardless of your DNS provider's TXT limits
- ESP handles key rotation automatically
- Simpler DNS management
Solution 3: Change DNS Providers
Modern DNS providers (Cloudflare, Route 53, Google Cloud DNS) handle long TXT records correctly. Legacy providers may not.
Checking Your Current Key Length
Method 1: MXToolbox
- Go to MXToolbox DKIM Lookup
- Enter domain and selector
- Key length is displayed in results
Method 2: dig + OpenSSL
# Get the DKIM record
dig TXT google._domainkey.yourdomain.com +short
# Decode the public key (paste the p= value with the quotes and string breaks removed)
echo "MIIBIjANBgk..." | base64 -d | openssl rsa -pubin -inform DER -text -noout
The output shows Public-Key: (2048 bit) or (1024 bit).
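The same check in Python, as an added example that is not code from the original page: it rebuilds what dig +short prints for a long TXT record (the split strings from Solution 1 above), joins them the way a verifier does, and reads the RSA modulus size out of the p= value with a minimal DER parser instead of OpenSSL. The sample records are constructed from placeholder moduli, not real keys, and the helper names are this example's own assumptions.

```python
import base64
import re
# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL params)
RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")

def der_tlv(tag, body):  # minimal DER encoder, used only to build the sample
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return der_tlv(0x02, (b"\x00" + b) if b[0] & 0x80 else b)

def build_dkim_record(n, e=65537):
    """Constructed sample: SubjectPublicKeyInfo for modulus n, base64'd into a v=DKIM1
    record and split into <=255-char strings the way dig +short prints a long TXT."""
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))
    spki = der_tlv(0x30, RSA_ALGID + der_tlv(0x03, b"\x00" + rsa_pub))
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return " ".join(f'"{record[i:i + 255]}"' for i in range(0, len(record), 255))

def txt_strings(dig_line):
    """The individual quoted strings in one dig +short TXT answer line."""
    return re.findall(r'"([^"]*)"', dig_line)

def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def dkim_key_bits(strings):
    """Concatenate the strings (as a verifier does), decode p=, return modulus bits."""
    record = "".join(strings)
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    _, spki, _ = der_read(base64.b64decode(tags["p"]))   # SubjectPublicKeyInfo
    _, _, after_alg = der_read(spki)                      # AlgorithmIdentifier
    _, bitstr, _ = der_read(spki, after_alg)              # BIT STRING subjectPublicKey
    _, rsa_pub, _ = der_read(bitstr[1:])                  # skip unused-bits byte
    _, modulus, _ = der_read(rsa_pub)                     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

# Constructed sample answers (not real keys): 1024-bit fits one string, 2048-bit needs two
SAMPLE_1024 = build_dkim_record(2**1023 + 3)
SAMPLE_2048 = build_dkim_record(2**2047 + 1)
```

Feed `txt_strings()` the line dig prints for your own selector and `dkim_key_bits()` returns 1024 or 2048 without needing OpenSSL on the box.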
Method 3: Email Headers
Check a received email's DKIM-Signature:
DKIM-Signature: a=rsa-sha256; ...
The header doesn't show key length directly, but authentication results might indicate if verification used a 1024 or 2048-bit key.
Upgrading from 1024-bit to 2048-bit
Step 1: Generate New Keys
In your ESP dashboard, look for options to generate new DKIM keys. Select 2048-bit.
Google Workspace:
- Admin Console → Apps → Gmail → Authenticate email
- Generate new record
- Select 2048-bit key length
Microsoft 365: Uses 2048-bit by default. Rotate keys if using legacy 1024-bit.
SendGrid/Mailgun/Postmark: Usually 2048-bit by default. Check domain settings.
Step 2: Add New DNS Record
Add the new key with a new selector (or replace existing if selector stays the same).
newkey._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIj..."
Step 3: Update ESP to Use New Key
Switch the ESP to sign with the new selector/key.
Step 4: Verify New Signatures
Send test email, confirm dkim=pass in headers.
Step 5: Remove Old Key (Optional)
After 7+ days (allowing queued mail to deliver), remove the old selector from DNS.
Practitioner note: During key rotation, keep both old and new selectors active for at least a week. Email gets delayed, retried, or cached. Removing too fast breaks verification for mail still in transit.
What About 4096-bit Keys?
4096-bit is excessive for current needs:
Problems:
- Even longer DNS records (harder to manage)
- Slower cryptographic operations (minimal but non-zero)
- No practical security benefit over 2048-bit for email signing
When it might matter:
- Post-quantum cryptography concerns (far future)
- Ultra-high-security environments with regulatory requirements
For normal email, 2048-bit is sufficient and recommended.
ESP Key Length Defaults
| ESP | Default Key Length | Configurable? |
|---|---|---|
| Google Workspace | 2048-bit | Yes (can generate 1024) |
| Microsoft 365 | 2048-bit | No |
| SendGrid | 2048-bit | No |
| Mailgun | 2048-bit | No |
| Postmark | 2048-bit | No |
| Mailchimp | 2048-bit | No |
Most modern ESPs default to 2048-bit. If yours offers 1024-bit, choose 2048-bit during setup.
For the full DKIM setup process, see the DKIM setup guide. For CNAME vs TXT record considerations, see DKIM CNAME vs TXT. If you need help upgrading DKIM keys or managing rotation across multiple ESPs, schedule a consultation.
Sources
- RFC 6376: DomainKeys Identified Mail (DKIM) Signatures
- Google: Turn on DKIM for your domain
- NIST: Key Management Guidelines
- Microsoft: Use DKIM for email
v1.0 · March 2026
Frequently Asked Questions
Should I use 1024-bit or 2048-bit DKIM keys?
Use 2048-bit. It's the current standard, recommended by Google and Microsoft, and provides adequate security. 1024-bit is theoretically crackable and will eventually be rejected by major receivers.
Why do some ESPs still offer 1024-bit keys?
Backward compatibility with older DNS providers that have TXT record length limits. 2048-bit keys exceed 255 characters, requiring string concatenation or CNAME records. Some ESPs default to 1024-bit for compatibility.
Will 1024-bit DKIM keys stop working?
Not immediately, but security is weakening over time. Major providers may eventually reject 1024-bit signatures. Google already recommends 2048-bit and will likely mandate it in the future.
My DNS provider won't accept my 2048-bit key—what do I do?
Use CNAME records instead of TXT (if your ESP supports it), split the key into multiple DNS strings, or switch DNS providers. Modern providers like Cloudflare handle long TXT records fine.
Does longer key length affect email delivery speed?
Negligibly. The cryptographic operations are fast enough that key length doesn't impact delivery time in any practical way.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.