DKIM explained - 2048-bit keys, rotation, verification
How DKIM works, why Inboxlee uses 2048-bit keys, how rotation happens.
DKIM (DomainKeys Identified Mail) is a cryptographic signature attached to every outbound message. It proves the email was authorized by the domain owner and was not modified in transit. Without DKIM, Gmail treats your cold outreach as suspect immediately.
How it works
Your sending server holds a private key. For each message, the mail server adds a DKIM-Signature header that carries a hash of the message body and a signature, made with that private key, covering the body hash and a chosen set of headers. Receivers fetch the corresponding public key from a TXT record at <selector>._domainkey.<yourdomain> and verify the signature.
The selector is a label that lets you publish multiple keys (for rotation). Inboxlee uses the selector "google" by default for Workspace-provisioned mailboxes, matching the Google Workspace convention.
Why 2048-bit
Google has flagged 1024-bit DKIM keys as insecure since 2023. Microsoft and Yahoo follow the same posture. 2048-bit RSA is the modern baseline. Some older DNS providers limit individual TXT records to 255 characters, which forces 2048-bit keys to be split across multiple quoted strings. Most modern providers (Cloudflare, Route53, Namecheap) handle this correctly.
Inboxlee provisions every domain with 2048-bit keys, split if necessary, on Cloudflare DNS by default.
Rotation
Rotation happens automatically every 12 months using the dual-selector method:
Zero downtime, zero failed signatures. You get a notification before each rotation; no action required from you.
Verifying
dig +short TXT google._domainkey.yourdomain.com
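You should see a record starting with "v=DKIM1; k=rsa; p=...", where the p= value is the long base64-encoded public key. A 2048-bit key may be printed as several quoted strings, which together form one record. The Inboxlee dashboard shows DKIM status on every domain page in real time.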
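To go one step beyond eyeballing the dig output, the added example below (not Inboxlee code) joins the quoted strings of a split record, parses the tags, and reads the RSA modulus size out of the p= value so a 1024-bit key is caught. The function names are hypothetical, and the sample record is constructed with a filler modulus rather than a real key.

```python
import base64, re

def join_txt(dig_output):
    """Join the quoted <=255-char strings dig prints for one TXT record."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_output)
    return re.sub(r"\\(.)", r"\1", "".join(parts))  # some dig builds print \;

def parse_tags(record):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, dropping folding whitespace."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos):  # one DER element at pos -> (value_start, value_end)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_b64):
    """Modulus size of the SubjectPublicKeyInfo carried in the p= tag."""
    der = base64.b64decode(p_b64)
    start, _ = _tlv(der, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _tlv(der, start)      # AlgorithmIdentifier (skipped)
    start, _ = _tlv(der, alg_end)      # BIT STRING
    start, _ = _tlv(der, start + 1)    # skip unused-bits byte, RSAPublicKey
    start, end = _tlv(der, start)      # INTEGER modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def check(dig_output, min_bits=2048):
    """Return (status, bits) for an RSA DKIM record as printed by dig +short."""
    tags = parse_tags(join_txt(dig_output))
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return ("not-rsa-dkim", 0)
    if not tags.get("p"):
        return ("revoked", 0)          # empty p= means the key was withdrawn
    bits = rsa_bits(tags["p"])
    return ("ok" if bits >= min_bits else "weak", bits)

def _der(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed input: valid DER layout, filler modulus, not a usable key."""
    rsa = _der(0x30, _der(0x02, b"\x00" + b"\xc3" * (bits // 8)) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    rec = "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()
    return " ".join('"%s"' % rec[i:i + 255] for i in range(0, len(rec), 255))
```

Pass the text printed by the dig command above to check(); a status of "weak" means the published key is below 2048 bits.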