DKIM Key Size: 1024 vs 2048 Bits â€” Which Should You Use?

When generating DKIM keys, you must choose a key size. The two common options are 1024 bits and 2048 bits. Here's what you need to know.

Short answer: Use 2048-bit keys. They're more secure and widely supported. Only use 1024-bit if you have specific DNS limitations.

Quick Comparison

Factor	1024-bit	2048-bit
Security level	Adequate (for now)	Recommended standard
DNS record size	~180 characters	~400 characters
DNS compatibility	Universal	Most providers
Future-proof	No — being phased out	Yes — current standard
Signing speed	Faster	Slightly slower
Industry guidance	Deprecated by many	Recommended by RFC 8301

Security Considerations

1024-bit Keys

1024-bit RSA keys were standard for years but are now considered weak:

Theoretically breakable with sufficient computational resources
NIST deprecated 1024-bit RSA in 2013
RFC 8301 (2018) recommends against 1024-bit DKIM keys
Some security audits flag 1024-bit keys as vulnerabilities

A 1024-bit key hasn't been publicly broken for DKIM purposes, but the security margin is shrinking.

2048-bit Keys

2048-bit RSA provides substantially stronger security:

128-bit security level â€” considered secure through 2030+
Industry standard for DKIM, TLS certificates, and more
Required by some compliance frameworks
Recommended by Google, Microsoft, and email security experts

The computational cost to break a 2048-bit key is approximately 2^32 times harder than 1024-bit.

DNS Record Size

The practical challenge with larger keys is DNS record length.

1024-bit DNS Record

selector._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

Approximately 180 characters for the public key
Fits easily in a single DNS TXT record
No compatibility issues

2048-bit DNS Record

selector._domainkey TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

Approximately 400 characters for the public key
May require splitting across multiple strings
Some older DNS providers have issues

Splitting Long Records

DNS TXT records have a 255-character limit per string. For 2048-bit keys, the record is split:

selector._domainkey TXT ("v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
                         "MIIBCgKCAQEA...rest of key...")

Most DNS providers handle this automatically. Receivers concatenate the strings when validating.

Generate 2048-bit DKIM keys

Create secure key pairs in your browser. Choose your key size based on your needs.

Generate Keys

Provider Support

Providers Requiring 2048-bit

Some email services mandate 2048-bit keys:

Google Workspace â€” 2048-bit default since 2016
Microsoft 365 â€” 2048-bit recommended
Proofpoint â€” 2048-bit required
Many enterprise email gateways

DNS Providers With 2048-bit Issues

A few older or limited DNS providers struggle with long TXT records:

Some budget hosting control panels
Older on-premise DNS servers
Certain registrar DNS services

If your DNS provider can't handle 2048-bit keys, consider:

Migrating DNS to a modern provider (Cloudflare, Route 53, etc.)
Using 1024-bit as a temporary measure while migrating
Contacting your provider about TXT record limits

Performance Impact

Key size affects signing and verification speed:

Operation	1024-bit	2048-bit
Signing	~0.5ms	~2ms
Verification	~0.05ms	~0.1ms

These differences are negligible for normal email volumes. Even high-volume senders (millions of emails/day) won't notice meaningful performance impact from 2048-bit keys.

When to Use 1024-bit

Despite the recommendation for 2048-bit, there are limited cases for 1024-bit:

DNS provider limitation â€” Provider truly cannot support long TXT records
Legacy system constraint â€” Older mail server software with hardcoded limits
Temporary migration â€” Short-term use while upgrading infrastructure

If using 1024-bit, plan to migrate to 2048-bit within 6-12 months.

When to Use 2048-bit

Use 2048-bit keys for:

New deployments â€” Start with current standards
Production email â€” Anything customer-facing
Compliance requirements â€” PCI-DSS, SOC 2, etc.
Long-term use â€” Keys you won't rotate frequently

Key Rotation Strategy

Key size choice affects rotation planning:

1024-bit Strategy

If forced to use 1024-bit:

Rotate every 6 months
Plan migration to 2048-bit
Monitor security advisories

2048-bit Strategy

Rotate annually or on security events
Standard practice for most organizations
No urgent migration pressure

Migration Path

Moving from 1024-bit to 2048-bit:

Generate new 2048-bit keys

Create a new key pair with a new selector (e.g., selector2024 instead of selector).

Add new DNS record

Publish the 2048-bit public key alongside the existing 1024-bit record.

Update signing configuration

Configure your mail server to sign with the new 2048-bit private key.

Monitor for issues

Watch DMARC reports and bounce rates for any problems.

Remove old record

After 1-2 weeks, remove the old 1024-bit DNS record.

What About 4096-bit?

Some wonder about even larger keys:

Not recommended for DKIM currently
DNS record would be ~800 characters â€” compatibility issues
Performance overhead increases significantly
2048-bit provides sufficient security for foreseeable future
Consider algorithm change (Ed25519) before key size increase

Future: Ed25519

DKIM supports Ed25519 (elliptic curve) as an alternative to RSA:

Factor	RSA 2048	Ed25519
Key size	2048 bits	256 bits
DNS record	~400 chars	~44 chars
Security	128-bit	128-bit
Support	Universal	Growing

Ed25519 offers equivalent security with much smaller keys. However, support isn't yet universal. For now, RSA 2048-bit remains the safe choice.

Recommendation

Use 2048-bit keys unless you have a specific, documented reason not to.

The security improvement over 1024-bit is substantial, performance impact is negligible, and DNS compatibility is nearly universal. Starting with 2048-bit avoids future migration work.

Generate secure 2048-bit DKIM keys in your browser.

Generate DKIM keys

Create 1024-bit or 2048-bit key pairs. Keys are generated locally and never leave your browser.