Are people using 4096-bit DKIM keys, and what is the recommended DKIM key length?

Summary

The consensus is that while 1024 bits is the minimum supported DKIM key length, 2048 bits is the recommended standard for security and performance. Some experts and marketers are using and advocating for 4096-bit keys for enhanced future-proof security, but the practical benefits beyond 2048 bits are debated. Proper implementation and provider support are crucial factors. The appropriate key length can also depend on the size and security needs of the business.

Key findings

  • Minimum Length: 1024 bits is the minimum supported DKIM key length, per RFC specifications.
  • Recommended Length: 2048 bits is the most commonly recommended DKIM key length for balancing security and performance, as supported by Cloudflare, Google, and DKIM Wizard.
  • Emerging Trend: 4096-bit keys are being adopted for enhanced security and future-proofing against computational advancements.
  • Security vs. Practicality: While longer keys enhance security, the incremental benefit beyond 2048 bits may be limited for many senders.

Key considerations

  • Provider Support: Verify that your email service provider supports key lengths exceeding 2048 bits before implementing them.
  • Implementation Quality: Prioritize proper DKIM implementation and monitoring over solely relying on longer key lengths.
  • Business Needs: Consider your organization's size and security requirements when selecting a DKIM key length; smaller businesses may find 1024 bits sufficient, while larger businesses may need 2048 bits or higher.

What email marketers say
8 marketer opinions

The discussion around DKIM key lengths reveals a range of perspectives, from the practical minimum of 1024 bits to the increasingly prevalent use of 4096-bit keys. While some marketers highlight the enhanced security offered by longer keys like 2048 bits or greater, others suggest that 2048 bits strikes a balance between security and performance. Some also point out that the right key length depends on the size of the business.

Key opinions

  • Minimum Recommendation: 1024-bit keys are considered a practical minimum for DKIM to prove legitimacy, though longer keys are generally recommended.
  • Common Practice: 2048-bit key length is the most common and offers a good balance between security and performance.
  • Growing Trend: 4096-bit keys are becoming increasingly prevalent due to heightened security concerns.
  • Security Benefit: Increasing the DKIM key length improves security and protection against cryptographic attacks.

Key considerations

  • Provider Support: Check with your email service provider regarding support for key sizes greater than 2048 bits.
  • Business Size: Smaller businesses might find 1024 bits sufficient, while larger businesses might opt for 2048 bits.
  • Performance Impact: Consider the balance between security and performance when choosing a DKIM key length.
Marketer view

Email marketer from AuthSMTP says that 2048-bit key length is the most common and offers a good balance between security and performance.

July 2022 - AuthSMTP
Marketer view

Email marketer from MXToolbox shares that increasing the DKIM key length improves security, advising users to check with their provider regarding support for key sizes greater than 2048 bits.

April 2021 - MXToolbox
Marketer view

Email marketer from Reddit mentions that while 2048 is common, they believe 4096-bit keys are becoming increasingly prevalent due to heightened security concerns, and that a 4096-bit key future-proofs against advances in computational power for cracking keys.

September 2022 - Reddit
Marketer view

Email marketer from EasyDMARC highlights that longer DKIM key sizes, such as 2048 bits or greater, offer better protection against cryptographic attacks compared to shorter keys like 1024 bits.

March 2023 - EasyDMARC
Marketer view

Email marketer from Reddit discusses whether a smaller business would need the same level of protection. He suggests that the bare minimum should be 1024 bits. This is what he uses to prove to email providers that emails are legit. A bigger business might use a 2048-bit key.

September 2022 - Reddit
Marketer view

Email marketer from StackExchange suggests that 1024-bit keys are the practical minimum for DKIM, and 2048-bit keys are better. They explain that longer keys provide better security but may be overkill for most purposes.

December 2021 - StackExchange
Marketer view

Marketer from Email Geeks shares that they have created 4096-bit DKIM keys and thinks some are in use.

June 2023 - Email Geeks
Marketer view

Email marketer from EmailSecurityATP suggests that there are no downsides to using a 4096-bit DKIM key and recommends generating one and using it if your service provider supports it.

August 2021 - EmailSecurityATP

What the experts say
2 expert opinions

Experts suggest that while longer DKIM keys offer greater security, there's a point of diminishing returns. 1536 bits is considered sufficient against brute force attacks, and the RFC requires support for 2048-bit keys. Exceeding 2048 bits may not provide significant practical benefits for most senders, making proper implementation and monitoring more crucial than solely relying on key length.

Key opinions

  • Sufficient Length: 1536 bits is long enough to protect against brute force attacks.
  • RFC Requirement: The RFC requires support for 2048-bit DKIM keys.
  • Diminishing Returns: The practical benefits of exceeding 2048 bits are debatable for most email senders.

Key considerations

  • Implementation: Proper implementation and monitoring are more crucial than solely relying on key length.
  • Practical Benefits: Assess whether the increased security of longer keys justifies the added complexity.
Expert view

Expert from Word to the Wise explains that while longer keys offer greater security, the practical benefits of exceeding 2048 bits are debatable for most email senders. They emphasize the importance of proper implementation and monitoring over solely relying on key length.

August 2022 - Word to the Wise
Expert view

Expert from Email Geeks explains that 1536 bits is long enough for brute force attacks and the RFC requires 2048-bit keys to be supported; anything longer is implementation-defined.

November 2022 - Email Geeks

What the documentation says
4 technical articles

Documentation across various sources indicates a consensus that the recommended DKIM key length is 2048 bits to meet modern security standards and prevent signature forgery. While the minimum supported key length is 1024 bits, using longer keys is generally advised for enhanced security.

Key findings

  • Recommended Size: The recommended DKIM key size is 2048 bits.
  • Security Standard: 2048-bit keys meet modern security standards.
  • Minimum Size: The minimum supported DKIM key length is 1024 bits.
  • Enhanced Security: Longer keys offer enhanced security benefits.

Key considerations

  • Implementation: Ensure your DKIM key is at least 2048 bits for optimal security.
  • Key Rotation: Consider implementing key rotation for added security.
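
One way to check the "at least 2048 bits" item against a published record, as an added example that is not taken from any of the sources cited here: the Python below reads the RSA modulus length out of a DKIM TXT record's p= tag. The sample records come from the hypothetical helper constructed_record, which uses filler bytes rather than real keys, and the labels returned by assess are illustrative.

```python
import base64
import re

def _read(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, pos, pos + n

def rsa_bits(der):
    """Modulus size in bits; accepts SubjectPublicKeyInfo or a bare RSAPublicKey."""
    _, pos, _ = _read(der, 0)                # outer SEQUENCE
    tag, start, end = _read(der, pos)        # first child
    if tag == 0x30:                          # AlgorithmIdentifier: SPKI wrapper
        _, start, _ = _read(der, end)        # BIT STRING
        _, start, _ = _read(der, start + 1)  # skip unused-bits byte, enter RSAPublicKey
        tag, start, end = _read(der, start)  # modulus INTEGER
    if tag != 0x02:
        raise ValueError("no RSA modulus found")
    return int.from_bytes(der[start:end], "big").bit_length()

def dkim_key_bits(txt):
    # One TXT string holds at most 255 bytes, so long keys arrive as several quoted chunks.
    chunks = re.findall(r'"([^"]*)"', txt)
    record = "".join(chunks) if chunks else txt
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    tags = {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("not an RSA key, or empty p= (revoked)")
    return rsa_bits(base64.b64decode(tags["p"]))

def assess(bits):  # thresholds are the ones quoted on this page
    if bits < 2048:
        return "below minimum" if bits < 1024 else "meets minimum, below recommended"
    return "recommended" if bits == 2048 else "above 2048: confirm provider support"

def _tlv(tag, body):  # minimal DER encoder, used only to build the sample records
    size = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size) + body

def constructed_record(bits):  # constructed sample: filler modulus, not a real key
    rsa = _tlv(0x30, _tlv(0x02, b"\x00" + b"\xc3" * (bits // 8)) + _tlv(0x02, b"\x01\x00\x01"))
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    rec = "v=DKIM1; k=rsa; p=" + base64.b64encode(_tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa))).decode()
    return " ".join('"%s"' % rec[i:i + 255] for i in range(0, len(rec), 255))

for size in (1024, 2048, 4096):
    print(size, assess(dkim_key_bits(constructed_record(size))))
```

To check a live selector, pass dkim_key_bits the TXT value exactly as your DNS tool prints it, quoted chunks included.
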
Technical article

Documentation from ietf.org defines that implementations MUST support a minimum key length of 1024 bits. It also recommends using longer keys where possible, noting the security benefits.

March 2025 - ietf.org
Technical article

Documentation from Google says that the DKIM key should be 2048 bits if possible to meet modern security standards.

July 2024 - Google Workspace Admin Help
Technical article

Documentation from Cloudflare explains that the recommended DKIM key size is 2048 bits. Cloudflare automatically rotates keys to ensure security and supports this key length.

July 2023 - Cloudflare
Technical article

Documentation from DKIM Wizard says that the minimum DKIM key length to use is 2048 bits to prevent hackers from forging DKIM signatures.

July 2022 - DKIM Wizard