2048 Bit DKIM Keys: Length and Best Practices
For years, the standard key length was 1024 bit DKIM keys, but hackers continue to develop new methods to break DKIM keys. As a result, the National Institute of Standards and Technology (NIST) recommends 2048 bit keys.
Due to the countless bad actors in the email space, valid senders need to go above and beyond to prove themselves legit. One of the ways senders can authenticate themselves is through DomainKeys Identified Mail (DKIM), a cryptographic technology that uses a public key and a private key to verify that the sender of the email is responsible for the corresponding domain.
To ensure our senders have the best possible protection in place, we’re excited to announce that Twilio SendGrid now uses 2048-bit keys.
What is a 2048 bit DKIM key?
A 2048-bit DKIM key is a powerful security measure that protects your emails from unauthorized changes and impersonation. The "2048-bit" refers to the length of the key, which determines its strength. A longer key provides more security. With a 2048-bit DKIM key, you have a robust defense against tampering and forgery attempts.
Here's how 2048 bit keys work.
When you send an email, you use a private key to add a unique signature. This signature is encrypted and attached to your email. The recipient can then use the corresponding public key to verify the signature and ensure that the email hasn't been altered or faked.
The strength of a 2048-bit DKIM key lies in its complexity. With numerous possible combinations, it becomes extremely difficult for anyone to crack the encryption. This helps protect your emails from being spoofed or tampered with.
What is a 1024 bit DKIM key?
With a 1024-bit DKIM key, you have a solid level of security to protect your messages. While not as long as a 2048-bit key, it still provides a considerable level of protection against unauthorized modifications and impersonation attempts.
However, longer keys provide even stronger protection. The longer the key, the more computationally complex it becomes for someone to crack it.
1024 bit vs. 2048 bit DKIM keys: What's the difference?
For several years, the standard was the 512 bit. However, it became very apparent that the 512 bit keys were vulnerable and easily cracked.
While the 1024 bit is far more secure, it’s incredibly important to stay ahead of the game when securing your emails. Many experts believe the 1024 bit will become vulnerable over the next few years.
Enter 2048 bit keys.
With double the key length, 2048 bit keys provide enhanced tampering protection with the strongest signing for automated security domain authentication. The 2048 bit keys are secure against forms of cryptographic attacks for the next several years.
Why not upgrade to a 4096 bit key?
Well, because it's not necessary. As of now, 2048 bit keys are adequate for protection, and doubling that amount can hurt performance. Servers and clients will have to use more computing to generate longer codes.
Use what's necessary now—you can always change it later when standards and expectations evolve.
Is 2048 bit widely supported?
This is a common question since the key length is double that of 1024 bit keys. Some domain name system (DNS) providers have limits on the number of characters, although most fully support the key length of 2048 bit keys.
Those DNS providers that don’t support 2048 bit keys have unique workarounds, so it’s worth reaching out to them to discuss different solutions.
How to set up 2048 bit DKIM keys for your account
Whenever automatic security in your Twilio SendGrid account creates a new DKIM key, it will be a 2048 bit key. A new DKIM key generates with every new selector.
However, existing domain authentication configurations and selectors will not change automatically. For example:
- If you create a new domain authentication, but it uses the same default s1 selector as a previous 1024 bit key, it will reuse the 1024 bit key.
- If you have an existing 1024 bit key, then you’ll need to pick a custom unused selector when creating the new domain authentication to generate a new 2048 bit key.
In your Twilio SendGrid account, go to “Settings” and “Sender Authentication” to create or update your DKIM key (as shown in the image below).
Exception: Manual security will not use 2048 bit
Manual security domain authentications in your Twilio SendGrid account will continue to use 1024 bit keys, even if it is a brand-new domain authentication. Due to its strength, DNS providers don't always support 2048 bit DKIM keys. That’s why we ask you to put the raw DKIM key on the provider when you implement manual security, because there’s a risk that the provider won’t accept it.
When you set up automatic security, Twilio SendGrid stores the DKIM key on our DNS provider (who we know supports 2048 bit DKIM keys), and you point your DNS to our DNS.
For more information on setting up 2048 bit keys for your account, go to our docs article, Migrating to 2048 Bit DomainKeys Identified Mail (DKIM).
Protect your email program with 2048 bit keys
Unfortunately, hackers aren’t going away anytime soon. You must stay one step ahead of bad actors at all times to keep your email secure. Implementing 2048 bit DKIM keys will ensure you take all the necessary steps to protect your domain and email reputation.
Learn how to set up 2048 bit keys for your Twilio SendGrid account, or learn more about account security best practices.
