DKIM 1024-bit vs 2048-bit: which one to publish in 2026

1024-bit keys still work. They are also a 1990s-era cryptographic compromise that modern enterprise mail servers are starting to flag.

Rejwan Nirob · Apr 4, 2026 · 4 min read

DKIM keys come in two common lengths: 1024-bit and 2048-bit RSA. The first was standard a decade ago and is now treated as a soft warning by most mailbox providers. The second is the 2026 baseline.

Why 2048 matters

A 1024-bit RSA key is still computationally hard to forge, but the cost has dropped year over year. Several public security advisories - including ones from the M3AAWG working group - recommend 2048-bit as the minimum for any production sender. Some enterprise mail security tools (Proofpoint, Mimecast) explicitly flag 1024-bit keys in inbound deliverability reports.

Why some operators still ship 1024

Older DNS providers limit each string in a TXT record to 255 characters. A 2048-bit key is roughly 256–270 characters of base64. The fix is to split the key across multiple quoted strings inside one record, which most modern providers handle correctly. A handful do not, which is the only legitimate reason to fall back to 1024.

What Inboxlee publishes

  • 2048-bit RSA, generated per domain at provisioning time
  • Split across quoted strings to comply with TXT record syntax
  • Public key polled from DNS to verify propagation before the mailbox is marked live
  • Rotation every 6 months using the dual-selector method

Spot-check your existing domain

If you have a domain on another provider and are not sure of the key length, run dig +short google._domainkey.yourdomain.com TXT and count the base64 characters after p=. Under 200 chars usually means 1024-bit. Over 240 means 2048.
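
Counting characters gives an estimate. As an added example (not part of the original article or of Inboxlee's tooling), the Python below joins the quoted strings of a DKIM TXT record, decodes p=, and reads the RSA modulus length from the DER structure. The function names are this example's own, and sample_record builds constructed test input with a filler modulus rather than a real key.

```python
import base64
import re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def dkim_rsa_bits(txt_record):
    """RSA modulus size in bits for a DKIM TXT record as dig prints it."""
    # A split record is several quoted strings; join them with no separator.
    joined = "".join(re.findall(r'"([^"]*)"', txt_record)) or txt_record
    tags = {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in joined.split(";") if "=" in t)}
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key")
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        raise ValueError("no key data in p=")
    der = base64.b64decode(p, validate=True)
    _, start, _ = read_tlv(der, 0)           # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = read_tlv(der, start)     # AlgorithmIdentifier, skipped
    tag, start, _ = read_tlv(der, alg_end)   # BIT STRING wrapping the key
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, start, _ = read_tlv(der, start + 1)   # +1 skips the unused-bits byte
    _, start, end = read_tlv(der, start)     # INTEGER holding the modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def _tlv(tag, value):
    n = len(value)
    k = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + value

def sample_record(bits):
    """Constructed input: valid DER layout, filler modulus, not a usable key."""
    modulus = b"\x00" + b"\xc3" * (bits // 8)  # leading 0x00 keeps it positive
    rsa_key = _tlv(0x30, _tlv(0x02, modulus) + _tlv(0x02, b"\x01\x00\x01"))
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_key))
    txt = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return " ".join('"%s"' % txt[i:i + 255] for i in range(0, len(txt), 255))

print({bits: dkim_rsa_bits(sample_record(bits)) for bits in (1024, 2048)})
```

To check a live record, pass the output of the dig command above to dkim_rsa_bits() as a string.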

Frequently asked

Is 1024-bit DKIM still safe in 2026?

It still works, but it is now considered a soft warning by most mailbox providers and explicitly flagged by enterprise security tools like Proofpoint and Mimecast. The M3AAWG working group recommends 2048-bit as the minimum for any production sender. Use 1024-bit only if your DNS provider cannot handle multi-string TXT records.

How do I check the DKIM key length on my existing domain?

Run dig +short google._domainkey.yourdomain.com TXT and count the base64 characters after p=. Under 200 chars usually means 1024-bit. Over 240 chars means 2048-bit. Inboxlee defaults to 2048-bit on every domain it provisions.

Why does my 2048-bit DKIM record need quoted strings?

Older DNS providers limit individual TXT record strings to 255 characters. The base64 encoding of a 2048-bit key is ~256-270 characters, so it has to be split across multiple quoted strings inside one record (e.g. "abc...def" "ghi...jkl"). Most modern DNS providers handle this correctly; a handful do not, which is the only legitimate reason to fall back to 1024-bit.

How often should I rotate my DKIM key?

Every 6 months for active production domains is the operational baseline. Immediately on suspected exposure, employee offboarding, or vendor change. Annually at minimum even on dormant domains. Never during the first 14 days of a new domain - that period is warmup, not change-management. Inboxlee rotates automatically on a 6-month schedule using dual-selector to avoid downtime.
