How to quickly identify DKIM key length (1024 or 2048)?

Summary

Identifying DKIM key length (1024 or 2048 bits) can be achieved using several methods. The most common approach uses OpenSSL, a command-line tool, to analyze the DKIM public key. This involves extracting the DKIM record from your DNS, saving the public key to a file in PEM format, and then using OpenSSL commands (e.g., `openssl rsa -pubin -in key.pem -text -noout`; the `-pubin` option is needed because the file holds a public key rather than a private key) to display the key's details, including the modulus (which indicates key length). Several variations of the OpenSSL command exist. Alternatively, various online DKIM validator tools (e.g., dkimvalidator.com, MXToolbox, mail-tester.com) offer a simpler, user-friendly way to automatically check the DKIM record and display the key size. Some services like Wombatmail also provide such a function. A proper DKIM key should be at least 1024 bits.
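The extract-and-measure procedure described above, as an added Python example (not code from this page or from any tool it names): it joins a DKIM TXT value that DNS returned in several quoted strings, decodes the `p=` tag and reads the RSA modulus length from the DER, rejecting revoked (empty `p=`) and non-RSA keys. The function names and the sample record are constructed for illustration; the sample has a valid layout but is not a usable key.

```python
import base64

def read_tlv(buf, pos, tag):
    """Read one DER element at pos; return (content_start, content_end)."""
    if buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#04x} at offset {pos}")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return pos, pos + n

def dkim_rsa_bits(txt_record):
    """Return the RSA modulus size in bits for a DKIM TXT record value."""
    # Join the quoted chunks; whitespace inside the base64 p= value is ignored.
    joined = "".join(txt_record.replace('"', "").split())
    tags = dict(t.split("=", 1) for t in joined.split(";") if "=" in t)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key: k=" + tags["k"])
    if not tags.get("p"):
        raise ValueError("empty or missing p= tag (revoked or absent key)")
    der = base64.b64decode(tags["p"], validate=True)
    seq, _ = read_tlv(der, 0, 0x30)
    if der[seq] == 0x30:  # SubjectPublicKeyInfo wrapper around the RSA key
        _, alg_end = read_tlv(der, seq, 0x30)      # AlgorithmIdentifier
        bitstr, _ = read_tlv(der, alg_end, 0x03)   # BIT STRING
        seq, _ = read_tlv(der, bitstr + 1, 0x30)   # skip unused-bits byte
    mod, mod_end = read_tlv(der, seq, 0x02)        # modulus INTEGER
    return int.from_bytes(der[mod:mod_end], "big").bit_length()

def der_element(tag, body):
    """Encode one DER element (used only to build the sample record)."""
    n = len(body)
    k = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def constructed_record(bits):
    """Constructed sample: valid DER layout, but not a usable RSA key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = der_element(0x30, der_element(0x02, modulus) + der_element(0x02, b"\x01\x00\x01"))
    alg = der_element(0x30, der_element(0x06, bytes.fromhex("2a864886f70d010101"))
                      + der_element(0x05, b""))
    p = base64.b64encode(der_element(0x30, alg + der_element(0x03, b"\x00" + rsa))).decode()
    return f'"v=DKIM1; k=rsa; " "p={p[:100]}" "{p[100:]}"'

if __name__ == "__main__":
    for size in (1024, 2048):
        print(size, "->", dkim_rsa_bits(constructed_record(size)), "bits")
```

For a live check, pass the TXT value returned for `<selector>._domainkey.<domain>` to `dkim_rsa_bits` and compare the result with the 1024-bit minimum stated above.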

Key findings

  • OpenSSL Methods: OpenSSL, a command-line tool, is frequently cited as a method to examine the public key to discover its length. Several command options exist with slightly different output.
  • Online DKIM Validators: Multiple online DKIM validation tools provide key length automatically (e.g., dkimvalidator.com, MXToolbox).
  • Minimum Key Length: A proper DKIM key requires a key length of 1024 bits or greater.
  • Extraction Required: Regardless of the method, the DKIM record (specifically the public key) must be extracted from the DNS.

Key considerations

  • Technical Expertise (OpenSSL): Using OpenSSL requires familiarity with command-line interfaces and the proper formatting of the key. This may present a barrier for non-technical users.
  • Tool Reliability (Online Validators): It's important to verify the reliability and trustworthiness of online DKIM validators.
  • DNS Access Required: Access to the DNS records is required to extract the DKIM public key, regardless of the chosen method.

What email marketers say
8 marketer opinions

Identifying DKIM key length involves several methods, primarily using OpenSSL commands or online DKIM validator tools. OpenSSL requires extracting the DKIM record from the DNS, saving the public key to a file, and then using commands like `openssl rsa -pubin -in key.pem -text -noout` (with `-pubin` because the file holds a public key) to view the key's details, including the modulus that indicates key length. Alternatively, online tools like dkimvalidator.com and MXToolbox can automatically check DKIM records and display the key size, offering a more user-friendly approach.

Key opinions

  • OpenSSL Method: Using OpenSSL involves extracting the DKIM record, saving the public key, and executing commands to reveal the key's modulus, indicating its length.
  • Online Validators: Online tools like dkimvalidator.com and MXToolbox offer a simplified approach by automatically checking DKIM records and displaying the key size.
  • DNS Record Visibility: The DKIM key size is not directly visible in the DNS TXT record; the public key must be extracted and analyzed.

Key considerations

  • Technical Skill: Using OpenSSL requires technical knowledge and command-line proficiency, which might be challenging for some users.
  • Tool Accuracy: Ensure the accuracy of online DKIM validators, as some may provide incorrect or outdated information.
  • Accessibility: Online tools provide an accessible alternative, but consider potential privacy implications when using third-party validators.

Marketer view

Email marketer from UnlockTheInbox shares that in the DNS TXT record for DKIM, the key size isn't directly visible, as the record contains the public key itself. To find the key size, you must extract the public key from the DNS record and then use a tool like OpenSSL to analyze it.

October 2021 - unlocktheinbox.com

Marketer view

Email marketer from SuperUser recommends using online DKIM validators like dkimvalidator.com to check the key size, providing a user-friendly alternative to command-line tools.

February 2023 - SuperUser

What the experts say
4 expert opinions

Identifying DKIM key length can be achieved through several methods. Wombatmail offers a tool for identification, while OpenSSL commands on Mac/Unix provide a command-line approach, requiring proper formatting of the key information. A Python script on GitHub is also available for this purpose. Regardless of the method, it's important to ensure the DKIM key length is 1024 bits or greater for proper security.

Key opinions

  • Wombatmail Tool: Wombatmail provides a user-friendly tool for identifying DKIM key length.
  • OpenSSL Command: OpenSSL on Mac/Unix allows for command-line identification, but requires understanding of the command and key formatting.
  • Python Script: A Python script on GitHub offers a programmatic way to identify DKIM key length.
  • Minimum Key Length: A DKIM key should be at least 1024 bits long to be considered proper and secure.

Key considerations

  • Tool Accessibility: Consider the accessibility and ease of use of each method, as Wombatmail might be simpler for non-technical users compared to OpenSSL or the Python script.
  • Technical Expertise: OpenSSL and the Python script require some level of technical expertise to implement and interpret the results.
  • Key Length Requirement: Always verify that the DKIM key meets the minimum recommended length of 1024 bits for adequate security.

Expert view

Expert from Email Geeks shares that Wombatmail can be used to identify DKIM key length and provides an example link.

October 2022 - Email Geeks

Expert view

Expert from Email Geeks explains how to use the OpenSSL command on Mac/Unix to identify DKIM key length, providing the command and explaining how to format the key information.

September 2022 - Email Geeks

What the documentation says
4 technical articles

Identifying DKIM key length is primarily achieved using OpenSSL commands. DigiCert.com explains extracting the public key and using `openssl rsa -in <keyfile> -text -noout`. Let's Encrypt Community shares using `openssl rsa -in privkey.pem -text | grep Private-Key: | cut -d' ' -f4` to get the size in bits. OpenSSL's wiki details using `openssl rsa -in your_private_key.pem -pubout -outform PEM | openssl rsa -pubin -text -noout` for detailed key information. Alternatively, knowledgeadvisor.biz suggests using online tools like mail-tester.com to check key validity and length.

Key findings

  • OpenSSL Command Options: Multiple OpenSSL commands can be used to determine key length, each offering different levels of detail.
  • Extraction Requirement: Regardless of the command, extracting the public key from the DNS record is a necessary first step.
  • Online Tool Alternative: Online tools provide a simpler alternative to command-line methods for validating key length.

Key considerations

  • Command Complexity: OpenSSL commands can be complex and require familiarity with command-line interfaces.
  • Key Format: Ensure the key is in the correct format (PEM) for OpenSSL commands to work properly.
  • Tool Reliability: Verify the reliability and trustworthiness of online tools before relying on their results.

Technical article

Documentation from DigiCert.com explains how to use OpenSSL to check the DKIM key length. It describes the command-line steps: extracting the public key, saving it to a file, and then using `openssl rsa -in <keyfile> -text -noout` to display the key details, including the modulus, which indicates the key length.

December 2021 - DigiCert.com

Technical article

Documentation from Let's Encrypt Community explains how to show the size of the RSA key. Using OpenSSL, you can use this command: `openssl rsa -in privkey.pem -text | grep Private-Key: | cut -d' ' -f4`. This command will extract the key size in bits.

April 2022 - community.letsencrypt.org