Quick Answer

DKIM 2048-bit keys produce TXT record values around 400 characters, exceeding the 255-character DNS string limit. DNS supports splitting TXT records into multiple strings, and most providers handle this automatically. If your provider doesn't, you'll need to manually split the value or use CNAME delegation instead of a direct TXT record.

DKIM Key Length and DNS TXT Record Limits

By Braedon · Mailflow Authority · Email Authentication

The 255-Character String Limit

DNS TXT records have a per-string limit of 255 characters. A 1024-bit DKIM key produces a value around 200 characters — it fits in one string. A 2048-bit key produces around 400 characters — it doesn't.

The fix: DNS allows multiple strings in a single TXT record. The receiving server concatenates them. This looks like:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
"...remainder of key..."

Most DNS providers split long values automatically when you paste them. Some don't — that's when problems start.
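The split-and-concatenate behaviour described above, as an added example that is not part of the original article: it cuts a DKIM TXT value into 255-character strings, renders them in zone-file syntax, and joins them back the way a verifier does. The keys are constructed placeholders (base64 of zero bytes with the same length a real 1024-bit and 2048-bit RSA SubjectPublicKeyInfo would have), and the selector name is assumed.

```python
import base64

TXT_STRING_LIMIT = 255  # per-string limit: an RFC 1035 <character-string> has a one-byte length


def split_txt_strings(value: str, limit: int = TXT_STRING_LIMIT) -> list[str]:
    """Cut a long TXT value into consecutive strings of at most `limit` characters.
    No separator is inserted; the receiver joins the strings back to back."""
    if limit < 1:
        raise ValueError("limit must be positive")
    return [value[i:i + limit] for i in range(0, len(value), limit)] or [""]


def zone_file_line(name: str, strings: list[str], ttl: int = 3600) -> str:
    """Render the record in master-file (zone) syntax: every string quoted, with
    embedded quotes and backslashes escaped as RFC 1035 requires."""
    quoted = ['"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"' for s in strings]
    return f"{name} {ttl} IN TXT " + " ".join(quoted)


def receiver_concat(strings: list[str]) -> str:
    """What a DKIM verifier does with multi-string TXT RDATA (RFC 6376, section 3.6.2.2):
    concatenate the strings in order with nothing in between."""
    return "".join(strings)


# Constructed placeholder keys: base64 of zero bytes sized like a real RSA
# SubjectPublicKeyInfo (162 DER bytes for 1024-bit, 294 for 2048-bit). Right length
# for the demonstration, not usable keys.
KEY_1024_PLACEHOLDER = base64.b64encode(bytes(162)).decode()  # 216 characters
KEY_2048_PLACEHOLDER = base64.b64encode(bytes(294)).decode()  # 392 characters


def dkim_txt_value(key_b64: str) -> str:
    return "v=DKIM1; k=rsa; p=" + key_b64


if __name__ == "__main__":
    for bits, key in ((1024, KEY_1024_PLACEHOLDER), (2048, KEY_2048_PLACEHOLDER)):
        value = dkim_txt_value(key)
        parts = split_txt_strings(value)
        print(f"{bits}-bit: {len(value)} chars -> {len(parts)} string(s) of {[len(p) for p in parts]}")
        print(zone_file_line("selector._domainkey.example.com.", parts))  # selector/domain assumed
        assert receiver_concat(parts) == value
```

Run it and the 1024-bit value (234 characters) lands in a single string while the 2048-bit value (410 characters) becomes one 255-character string followed by a 155-character one; the receiver-side join returns the original value unchanged, which is why the cut point does not have to fall on a tag boundary.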

How Different Providers Handle It

Provider        Auto-splits?  Notes
Cloudflare      Yes           Handles it transparently
Route 53        Yes           Enter the full value, AWS splits it
GoDaddy         Sometimes     Older interface has issues, new interface works
Namecheap       Yes           Works with full paste
Google Domains  Yes           No issues
cPanel-based    Varies        Depends on the hosting provider's version

Practitioner note: The providers that cause the most DKIM headaches are reseller hosting panels — the ones you get with cheap shared hosting. If the DNS management interface looks like it was built in 2008, expect TXT record splitting problems.

When Splitting Fails

If your DNS provider truncates the record, you have three options:

  1. Manually split the value into two strings of 255 characters or less. Some providers have a multi-line input field for this.

  2. Use CNAME delegation instead of a TXT record. Point a CNAME at your ESP's DKIM infrastructure and let them serve the key. This is what SendGrid, HubSpot, and other major ESPs do by default.

  3. Move your DNS to a provider that handles TXT records properly. Cloudflare is free and works perfectly.

Verifying Your Record

Use dig to check that the full DKIM record is published:

dig TXT selector._domainkey.yourdomain.com +short

You should see the complete key. If it's truncated (ends abruptly without a closing quote), your DNS provider is silently dropping data.

Practitioner note: I've seen cases where a DKIM record looks correct in the DNS provider's dashboard but is truncated in actual DNS responses. Always verify with dig or MXToolbox, not just the provider's interface.
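A way to go beyond eyeballing the dig output, as an added example that is not the author's tooling: it parses one line of `dig TXT ... +short` output, concatenates the strings, base64-decodes the p= tag and reads the RSA modulus length out of the DER, so a record that looks plausible but was cut short fails either at base64 decoding or at the DER length check. The sample record is constructed from a synthetic 2048-bit modulus (a placeholder number, not a real key, built with a minimal DER encoder) rather than fetched from DNS; the same routines report 1024- and 4096-bit keys and show why a 4096-bit value runs to 736 characters of base64.

```python
import base64
import binascii
import re

# ---- minimal DER helpers: enough to build and read an RSA SubjectPublicKeyInfo ----

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:  # keep the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1


def synthetic_rsa_spki(bits: int, e: int = 65537) -> bytes:
    """Constructed SubjectPublicKeyInfo whose modulus is exactly `bits` long. The modulus
    is a placeholder (not a product of primes): byte layout of a real key, unusable as one."""
    n = (1 << (bits - 1)) | 1
    rsa_public_key = _tlv(0x30, _der_int(n) + _der_int(e))
    algorithm = _tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, end); raises ValueError when the declared length runs past
    the data, which is exactly what a truncated key looks like after decoding."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError(f"DER element declares {length} bytes but only {len(buf) - pos} remain")
    return tag, buf[pos:end], end


def rsa_modulus_bits(spki: bytes) -> int:
    tag, body, end = _read_tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a single SubjectPublicKeyInfo SEQUENCE")
    _, algorithm, nxt = _read_tlv(body, 0)
    if not algorithm.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bit_string, _ = _read_tlv(body, nxt)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string[1:], 0)  # skip the unused-bits octet
    tag, modulus, _ = _read_tlv(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


# ---- DKIM record checks ----

def parse_dig_short(line: str) -> list[str]:
    """Extract the quoted strings from one line of `dig TXT ... +short` output."""
    return [s.replace('\\"', '"').replace("\\\\", "\\")
            for s in re.findall(r'"((?:[^"\\]|\\.)*)"', line)]


def parse_tags(value: str) -> dict:
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def check_dkim_record(dig_line: str) -> dict:
    strings = parse_dig_short(dig_line)
    value = "".join(strings)  # RFC 6376 3.6.2.2: the strings are concatenated as-is
    tags = parse_tags(value)
    report = {"strings": len(strings), "length": len(value)}
    if tags.get("v", "DKIM1") != "DKIM1":
        report["status"] = "bad-version"
        return report
    try:
        der = base64.b64decode(re.sub(r"\s+", "", tags.get("p", "")), validate=True)
        report["bits"] = rsa_modulus_bits(der)
        report["status"] = "ok"
    except (binascii.Error, ValueError, IndexError) as exc:
        report["status"] = "truncated-or-corrupt"
        report["reason"] = str(exc)
    return report


# Constructed samples: what dig +short prints for a correctly published 2048-bit record,
# and for the same record after a provider kept only the first 255-character string.
_VALUE_2048 = "v=DKIM1; k=rsa; p=" + base64.b64encode(synthetic_rsa_spki(2048)).decode()
_STRINGS = [_VALUE_2048[i:i + 255] for i in range(0, len(_VALUE_2048), 255)]
DIG_OK = " ".join(f'"{s}"' for s in _STRINGS)
DIG_TRUNCATED = f'"{_STRINGS[0]}"'

if __name__ == "__main__":
    print(check_dkim_record(DIG_OK))         # status ok, 2 strings, 410 chars, 2048 bits
    print(check_dkim_record(DIG_TRUNCATED))  # status truncated-or-corrupt with the decode error
```

To use it against a live record, paste the line that `dig TXT selector._domainkey.yourdomain.com +short` prints into `check_dkim_record`. A "truncated-or-corrupt" result with a base64 error means the kept data is not a multiple of four characters; a DER length error means the cut happened to land on a four-character boundary, which is the case a visual check misses most easily.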

4096-Bit Keys: Not Worth It

4096-bit DKIM keys are technically possible but create real problems:

  • Record values exceed 700 characters, requiring three or more strings
  • Larger DNS responses increase the chance of falling back to TCP
  • Some DNS resolvers have trouble with very large TXT records
  • The security benefit over 2048-bit is negligible for email authentication

Stick with 2048-bit. It's the standard that every receiving server and DNS provider is designed to handle. For the complete DKIM setup process, see the DKIM setup guide.

If you're running into DNS limitations with your DKIM setup, I can help you find the right approach for your specific provider and infrastructure.

Sources

  • RFC 6376: DomainKeys Identified Mail (DKIM) Signatures
  • RFC 1035: Domain Names — Implementation and Specification (TXT record limits)
  • RFC 8301: Cryptographic Algorithm and Key Usage Update to DKIM
  • M3AAWG: DKIM Key Rotation Best Practices

v1.0 · April 2026

Frequently Asked Questions

What is the DNS TXT record size limit for DKIM?

Individual DNS TXT strings are limited to 255 characters, but a TXT record can contain multiple strings concatenated together. The total record can be up to 65,535 bytes in theory, though practical limits vary by provider.

Why does my 2048-bit DKIM key not fit in a TXT record?

A 2048-bit DKIM public key is about 400 characters. If your DNS provider doesn't support multi-string TXT records, the value gets truncated. You need to split it into two quoted strings.

How do I split a DKIM TXT record?

Break the value into two strings of 255 characters or less, each enclosed in quotes. Most DNS providers handle this automatically when you paste the full value.

Should I use 1024-bit to avoid DNS limits?

No. Use 2048-bit and work around the DNS limit. 1024-bit keys are considered weak and some receivers may downgrade trust. CNAME delegation avoids the problem entirely.

What about 4096-bit DKIM keys?

4096-bit keys produce even longer records and cause problems with more DNS providers. They also increase DNS response sizes significantly. 2048-bit is the sweet spot — strong enough, small enough.

Want this handled for you?

Free 30-minute strategy call. Walk away with a plan either way.