Medium Severity | DKIM

Fix: DKIM Key Too Short (< 2048 bits)

Your DKIM key is shorter than the recommended 2048 bits (likely 1024 bits). Short keys are vulnerable to brute-force attacks and do not meet current security best practices.

Quick Fix

Generate a new 2048-bit DKIM key and update your DNS record.

What This Error Means

Your DKIM public key in DNS is 1024 bits or shorter. While not yet trivially breakable, 1024-bit RSA keys are considered weak by modern standards. The industry standard is 2048 bits.

Why It Matters

A weak DKIM key could potentially be cracked, allowing an attacker to forge DKIM signatures for your domain. Major email providers also view longer keys more favorably for deliverability.

Step-by-Step Fix

Step 1: Check your current key length

Retrieve your DKIM record. A 1024-bit key has roughly 216 base64 characters; a 2048-bit key has roughly 392.

Example:
    dig +short TXT selector._domainkey.yourdomain.com
    # A short p= value indicates a 1024-bit key

Step 2: Generate a new 2048-bit key

In your email provider's admin panel, generate a new DKIM key and select 2048-bit.

Example:
    # Custom key generation (if your provider lets you supply your own key pair):
    openssl genrsa -out dkim_private.pem 2048
    openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem
    # The p= value is the body of dkim_public.pem with the BEGIN/END lines and line breaks removed

Step 3: Update the DNS record

Replace the old DKIM TXT record with the new 2048-bit public key.

Before:
    v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ...short_key...

After:
    v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...much_longer_2048_bit_key...

Step 4: Verify the new key is active

Send a test email and check the DKIM-Signature header to confirm it is using the new key.

Example:
    # Check email headers for:
    # Authentication-Results: ... dkim=pass header.d=yourdomain.com
    # and a DKIM-Signature header whose s= tag names the selector that carries the new key

Common Gotchas

  • 2048-bit DKIM keys exceed the 255-character TXT string limit. Your DNS record will need to be split into multiple strings within a single TXT record.
  • When rotating keys, publish both old and new keys for 24-48 hours to handle emails in transit signed with the old key.
  • Some older DNS providers may not support TXT records long enough for 2048-bit keys.
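A self-contained check for two points above, the key-length estimate in Step 1 and the 255-character TXT split, added here as an example and not part of this guide's own scanner: it joins the quoted strings dig prints, decodes the p= tag, walks the DER SubjectPublicKeyInfo with the standard library only and returns the RSA modulus size. The sample keys it builds are constructed for their length only and are not real DKIM keys; `split_txt_value` shows the quoted form a long record takes in a zone file.

```python
import base64, re

def join_txt_strings(rdata):
    # dig prints a record longer than 255 bytes as several quoted strings; DKIM concatenates them
    parts = re.findall(r'"([^"]*)"', rdata)
    return "".join(parts) if parts else rdata

def dkim_tags(record):
    pairs = (item.partition("=") for item in record.split(";") if "=" in item)
    return {k.strip(): re.sub(r"\s", "", v) for k, _, v in pairs}

def der_tlv(buf, pos=0):                   # -> (tag, value, end); short and long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x80 | number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    # SubjectPublicKeyInfo -> skip AlgorithmIdentifier -> BIT STRING -> RSAPublicKey -> INTEGER n
    _, spki, _ = der_tlv(spki_der)
    _, bitstr, _ = der_tlv(spki, der_tlv(spki)[2])
    _, rsapub, _ = der_tlv(bitstr[1:])     # first BIT STRING byte is the unused-bits count
    _, modulus, _ = der_tlv(rsapub)        # a leading 0x00 sign pad does not change bit_length
    return int.from_bytes(modulus, "big").bit_length()

def dkim_key_bits(rdata):
    # key size of the p= tag in a DKIM TXT record as dig prints it; None for non-RSA or revoked (empty p=)
    tags = dkim_tags(join_txt_strings(rdata))
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None
    return rsa_modulus_bits(base64.b64decode(tags["p"]))

def split_txt_value(value, limit=255):     # <=255-character quoted strings for zone files and DNS consoles
    return " ".join('"%s"' % value[i:i + limit] for i in range(0, len(value), limit))

# Constructed sample keys for testing (NOT real DKIM keys): a minimal DER encoder for an RSA SPKI.
def der(tag, body):
    n = len(body)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + body

def der_uint(v):                           # bits//8 + 1 bytes keeps the INTEGER positive
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def sample_spki_b64(bits):
    # p= value for a modulus of exactly `bits` bits (2^(bits-1) + 1, chosen only for its length)
    alg = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    rsapub = der(0x30, der_uint((1 << (bits - 1)) + 1) + der_uint(65537))
    return base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + rsapub))).decode()
```

Feeding the output of `dig +short TXT selector._domainkey.yourdomain.com` to `dkim_key_bits` returns 1024 or 2048 directly, rather than estimating from the base64 length.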

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

Why is 1024-bit DKIM not recommended?

While not yet trivially breakable, 1024-bit RSA keys are considered weak by current cryptographic standards. The estimated cost to factor a 1024-bit key continues to decrease. 2048-bit keys provide a much larger security margin.

Can I use 4096-bit DKIM keys?

While more secure, 4096-bit keys are not widely recommended for DKIM because the long TXT records can cause DNS issues. 2048-bit is the current sweet spot between security and compatibility.

How do I rotate my DKIM key without downtime?

Publish the new key under a new selector. Configure your mail server to sign with the new selector. Keep the old key published for 24-48 hours, then remove it.
