Suped

How to quickly identify DKIM key length (1024 or 2048)?

8 Marketer opinions4 Expert opinions4 Technical articles4 Resources

Summary

Identifying DKIM key length (1024 or 2048 bits) can be achieved using several methods. The most common approach involves using OpenSSL, a command-line tool, to analyze the DKIM public key. This involves extracting the DKIM record from your DNS, saving the public key to a file, and then using OpenSSL commands (e.g., `openssl rsa -in key.pem -text -noout`) to display the key's details, including the modulus (which indicates key length). Several variations of the OpenSSL command exist. Alternatively, various online DKIM validator tools (e.g., dkimvalidator.com, MXToolbox, mail-tester.com) offer a simpler, user-friendly way to automatically check the DKIM record and display the key size. Some services like Wombatmail also provide such a function. A proper DKIM key should be at least 1024 bits.

Key findings

  • OpenSSL Methods: OpenSSL, a command-line tool, is frequently cited as a method to examine the public key to discover its length. Several command options exist with slightly different output.
  • Online DKIM Validators: Multiple online DKIM validation tools provide key length automatically (e.g., dkimvalidator.com, MXToolbox).
  • Minimum Key Length: A proper DKIM key requires a key length of 1024 bits or greater.
  • Extraction Required: Regardless of the method, the DKIM record (specifically the public key) must be extracted from the DNS.

Key considerations

  • Technical Expertise (OpenSSL): Using OpenSSL requires familiarity with command-line interfaces and the proper formatting of the key. This may present a barrier for non-technical users.
  • Tool Reliability (Online Validators): It's important to verify the reliability and trustworthiness of online DKIM validators.
  • DNS Access Required: Access to the DNS records is required to extract the DKIM public key, regardless of the chosen method.

What email marketers say
8Marketer opinions

Identifying DKIM key length involves several methods, primarily using OpenSSL commands or online DKIM validator tools. OpenSSL requires extracting the DKIM record from the DNS, saving the public key to a file, and then using commands like `openssl rsa -in key.pem -text -noout` to view the key's details, including the modulus that indicates key length. Alternatively, online tools like dkimvalidator.com and MXToolbox can automatically check DKIM records and display the key size, offering a more user-friendly approach.

Key opinions

  • OpenSSL Method: Using OpenSSL involves extracting the DKIM record, saving the public key, and executing commands to reveal the key's modulus, indicating its length.
  • Online Validators: Online tools like dkimvalidator.com and MXToolbox offer a simplified approach by automatically checking DKIM records and displaying the key size.
  • DNS Record Visibility: The DKIM key size is not directly visible in the DNS TXT record; the public key must be extracted and analyzed.

Key considerations

  • Technical Skill: Using OpenSSL requires technical knowledge and command-line proficiency, which might be challenging for some users.
  • Tool Accuracy: Ensure the accuracy of online DKIM validators, as some may provide incorrect or outdated information.
  • Accessibility: Online tools provide an accessible alternative, but consider potential privacy implications when using third-party validators.
Marketer view

Email marketer from UnlockTheInbox shares that in the DNS TXT record for DKIM, the key size isn't directly visible, as the record contains the public key itself. To find the key size, you must extract the public key from the DNS record and then use a tool like OpenSSL to analyze it.

October 2021 - unlocktheinbox.com
Marketer view

Email marketer from SuperUser recommends using online DKIM validators like dkimvalidator.com to check the key size, providing a user-friendly alternative to command-line tools.

February 2023 - SuperUser
Marketer view

Email marketer from dkimvalidator.com details you can use dkimvalidator.com to check the DKIM record and it automatically shows you the DKIM key size. You send an email to the specified address, and it will respond with a report that includes DKIM information.

September 2023 - dkimvalidator.com
Marketer view

Email marketer from Reddit shares that you can use OpenSSL to determine the key size. Using the command: `openssl rsa -in yourkey.pem -text -noout` will output the key details, including the modulus which represents the key length.

July 2021 - Reddit
Marketer view

Email marketer from ServerFault answers using OpenSSL to extract the key size. Save the DKIM public key to a file. Next use the command: `openssl rsa -in dkim.public -text -noout`. This will output the public key's details, including the modulus. Check the modulus length to determine the key size.

October 2023 - ServerFault
Marketer view

Email marketer from StackOverflow answers to get the DKIM key size you need to log into your DNS provider and get the string for the DKIM record. Next take the string and put it in a text file. Then using the command line tool OpenSSL run the command to get the details.

January 2025 - StackOverflow
Marketer view

Email marketer from MXToolbox states that using their tool you can look up the DKIM record and validate the key size.

January 2025 - mxtoolbox.com
Marketer view

Email marketer from Mailhardener describes how to check the key length by retrieving your DKIM record and running the openssl command to retrieve the details and modulus.

May 2022 - mailhardener.com

What the experts say
4Expert opinions

Identifying DKIM key length can be achieved through several methods. Wombatmail offers a tool for identification, while OpenSSL commands on Mac/Unix provide a command-line approach, requiring proper formatting of the key information. A Python script on GitHub is also available for this purpose. Regardless of the method, it's important to ensure the DKIM key length is 1024 bits or greater for proper security.

Key opinions

  • Wombatmail Tool: Wombatmail provides a user-friendly tool for identifying DKIM key length.
  • OpenSSL Command: OpenSSL on Mac/Unix allows for command-line identification, but requires understanding of the command and key formatting.
  • Python Script: A Python script on GitHub offers a programmatic way to identify DKIM key length.
  • Minimum Key Length: A DKIM key should be at least 1024 bits long to be considered proper and secure.

Key considerations

  • Tool Accessibility: Consider the accessibility and ease of use of each method, as Wombatmail might be simpler for non-technical users compared to OpenSSL or the Python script.
  • Technical Expertise: OpenSSL and the Python script require some level of technical expertise to implement and interpret the results.
  • Key Length Requirement: Always verify that the DKIM key meets the minimum recommended length of 1024 bits for adequate security.
Expert view

Expert from Email Geeks shares that Wombatmail can be used to identify DKIM key length and provides an example link.

October 2022 - Email Geeks
Expert view

Expert from Email Geeks explains how to use the OpenSSL command on Mac/Unix to identify DKIM key length, providing the command and explaining how to format the key information.

September 2022 - Email Geeks
Expert view

Expert from Email Geeks shares a link to a Python script on GitHub that can be used to identify DKIM key length.

February 2024 - Email Geeks
Expert view

Expert from Spamresource explains that a proper DKIM key requires a key length of 1024 bits or greater.

June 2021 - Spamresource

What the documentation says
4Technical articles

Identifying DKIM key length is primarily achieved using OpenSSL commands. DigiCert.com explains extracting the public key and using `openssl rsa -in <keyfile> -text -noout`. Let's Encrypt Community shares using `openssl rsa -in privkey.pem -text | grep Private-Key: | cut -d' ' -f4` to get the size in bits. OpenSSL's wiki details using `openssl rsa -in your_private_key.pem -pubout -outform PEM | openssl rsa -pubin -text -noout` for detailed key information. Alternatively, knowledgeadvisor.biz suggests using online tools like mail-tester.com to check key validity and length.

Key findings

  • OpenSSL Command Options: Multiple OpenSSL commands can be used to determine key length, each offering different levels of detail.
  • Extraction Requirement: Regardless of the command, extracting the public key from the DNS record is a necessary first step.
  • Online Tool Alternative: Online tools provide a simpler alternative to command-line methods for validating key length.

Key considerations

  • Command Complexity: OpenSSL commands can be complex and require familiarity with command-line interfaces.
  • Key Format: Ensure the key is in the correct format (PEM) for OpenSSL commands to work properly.
  • Tool Reliability: Verify the reliability and trustworthiness of online tools before relying on their results.
Technical article

Documentation from DigiCert.com explains how to use OpenSSL to check the DKIM key length. They describe the command line steps involving extracting the public key, saving it to a file, and then using openssl rsa -in <keyfile> -text -noout to display the key details, including modulus, which indicates the key length.

December 2021 - DigiCert.com
Technical article

Documentation from Let's Encrypt Community explain how to show the size of the RSA key. Using OpenSSL, you can use this command: `openssl rsa -in privkey.pem -text | grep Private-Key: | cut -d' ' -f4`. This command will extract the key size in bits.

April 2022 - community.letsencrypt.org
Technical article

Documentation from knowledgeadvisor.biz tells you can use a tool to determine if your DKIM key is valid and of the correct length. They show how to check your DKIM key size by using a tool like mail-tester.com.

August 2023 - knowledgeadvisor.biz
Technical article

Documentation from OpenSSL's wiki explains how to display the public key using OpenSSL. Use this command: `openssl rsa -in your_private_key.pem -pubout -outform PEM | openssl rsa -pubin -text -noout` This command gives all the nitty gritty details of your key in a human readable form.

April 2021 - wiki.openssl.org

Related resources
4Resources

2048 Bit DKIM Keys: Length and Best Practices | SendGrid
2048 Bit DKIM Keys: Length and Best Practices | SendGrid

Learn how to implement 2048 bit DKIM keys to protect your domain and email reputation with the latest-and-greatest email security.

SendGrid
DKIM 1024 vs 2048: Which is Better and Why | Mailjet
DKIM 1024 vs 2048: Which is Better and Why | Mailjet

Unsure of the difference between DKIM 1024 or 2048-bit keys? We’ll go through what they are and how to implement the best security system for your domain.

Mailjet
EasyDMARC DKIM Record Generator | Create DKIM Records Free
EasyDMARC DKIM Record Generator | Create DKIM Records Free

EasyDMARC’s DKIM Record Generator creates DKIM records for DNS with 1024, 2048, and 4096-bit key lengths. Protect your domain from email scams and phishing.

EasyDMARC
DKIM Key Checker | protodave
DKIM Key Checker | protodave

Secure your email by validating your DKIM DNS record, and verify its key length is ≥ 1024 bits using this free online tool. ✅

protodave

Related questions