What DKIM key length should I use (1024 vs 2048)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Use 2048-bit keys. That's the answer for virtually every email sender today.

And Here's the context: a DKIM key length determines how hard it is to reverse-engineer your private key from your public key. The longer the key, the harder the math problem. 1024-bit RSA keys were considered secure ten years ago, but computing power has improved enough that they're no longer recommended for new deployments. Several major inbox providers have begun flagging or downgrading authentication trust for domains using 1024-bit keys.

2048-bit keys are the current standard. Most ESPs set this as the default. If you've set up DKIM recently through a reputable ESP, you likely already have a 2048-bit key. If your setup is older, it's worth checking.

To find out what you're using: look up your DKIM record in DNS and check the p= field (that's the base64-encoded public key). You can also use our free DKIM checker to see your key length alongside other record details.

If you're on 1024-bit and want to upgrade, now is a good time. The process is the same as a standard key rotation: generate a new 2048-bit key pair, publish the new public key under a new selector, update your sending server, verify it's working, and retire the old selector.

But One caveat: DNS TXT records have a size limit, and 2048-bit keys are large enough to sometimes bump up against it. If you publish a 2048-bit DKIM key as a TXT record and it's being truncated, you may need to split the value across two quoted strings in the record. Your DNS provider's interface might handle this automatically; if not, check your provider's docs or use a CNAME delegation if your ESP supports it.

For reference on the two main DKIM signature algorithms and how they compare with different key sizes, see RSA vs. ed25519 DKIM signatures.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get specific guidance on upgrading your DKIM key length.

I read this on the Email Almanac about DKIM key length. My situation: I'm using describe your ESP or mail server. I believe my key length is 1024-bit / 2048-bit / not sure. I'm [already seeing authentication issues / proactively auditing my setup / about to set up DKIM for the first time]. What I want to understand: [describe e.g., "whether my current key length is causing any deliverability issues" or "how to check my key length and upgrade if needed" or "whether 2048-bit will cause the TXT record truncation issue mentioned in this article"].

Edit the yellow boxes, then send to the AI of your choice.