What are typical key length recommendations?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

DKIM uses public-key cryptography to sign your outgoing email. The key length determines how hard it is to crack that signature. Longer keys are stronger but also create larger DNS TXT records, which can cause their own headaches.

The standard: 2048-bit

2048-bit is what most senders should use today. It's supported by all major ESPs and DNS providers, it meets the IETF and NIST recommendations, and it's what Gmail, Outlook, and Yahoo expect when evaluating your authentication. If you set up DKIM in the last few years and accepted your ESP's default, you're almost certainly on 2048 already.

1024-bit: avoid it if you can

1024-bit RSA keys are considered weak by modern cryptographic standards. NIST deprecated them for most uses years ago. Some older ESPs still default to 1024, and some DNS providers couldn't support longer TXT records. Most can now. If you're stuck on 1024 for a legacy reason, check whether your DNS provider supports longer TXT values before assuming you can't upgrade. If you can migrate, do it.

4096-bit: overkill with real tradeoffs

4096-bit keys offer stronger protection, but the resulting TXT record often exceeds 512 bytes (the safe size for a single DNS UDP packet). Some DNS implementations split the record across multiple strings and some mail servers parse that poorly. It's technically valid but creates unnecessary compatibility risk. 2048 is the sweet spot between security and compatibility.

You can check your current key length and DNS propagation with our DKIM checker. If you're migrating from 1024 to 2048 and want to walk through it safely without breaking delivery, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check My DKIM Key Length

I just read the Email Almanac entry on DKIM key length recommendations. Help me check what my current key length is and figure out whether I need to rotate to 2048-bit. Walk me through: 1. Looking up my current DKIM key and determining its length 2. Whether my DNS provider supports 2048-bit TXT records 3. The safe migration path from 1024 to 2048 without breaking delivery 4. How to verify the new key is passing before removing the old one --- My details (fill in what applies): - Sending domain: your domain - DKIM selector name: e.g. "k1", "s1", "em1234" - ESP or sending platform: Mailchimp / Klaviyo / Postmark / Google Workspace / other - Current key length (if you know): 1024 / 2048 / unsure - DNS provider: Cloudflare / Route 53 / GoDaddy / other

Edit the yellow boxes, then send to the AI of your choice.