DKIM fix
DKIM Key Length — 1024 vs 2048 Bit
Bump weak 1024-bit DKIM keys to 2048-bit — big inboxes side-eye short keys and auditors ask questions.
What the numbers mean
- 1024-bit: Old — treat as tech debt
- 2048-bit: What you want today
- 4096-bit: Overkill for most — huge TXT, fragmentation pain
See your length
DNS Preflight shows key length in the DKIM check card when your DKIM TXT resolves.
How to rotate
Generate a new key in your provider dashboard, publish a new TXT, enable the new key, then remove the old key after ~48h — see DKIM key rotation.
Steps
Step 1 Run DNS Preflight and note DKIM key length
Step 2 In your provider dashboard, generate a new 2048-bit key
Step 3 Publish the new TXT at
selector._domainkeyStep 4 Enable signing with the new key after propagation
Step 5 Remove the old TXT after a safe overlap window (often 48+ hours)
Inspect DKIM DNS
Open DNS Preflight →FAQ
What does DKIM key length mean?
It is the RSA modulus size in bits for the public key in DNS.
How do I check current length?
DNS Preflight shows it when your selector TXT resolves.
What is the rotation process?
Publish new key, propagate, switch signing, retire old key — see rotation guide.
Does 1024 still work?
Some receivers may verify it, but you should rotate to 2048-bit promptly.
How long until rotation is safe?
Allow 24-48 hours for DNS; overlap keys during transition.