Has any thought been given to increasing the DKIM key size from 1024 to 2048? Reading through several sites' spam policies, there seems to be a general consensus that 1024 is the minimum they will accept for a DKIM key. While I have not seen anyone claim it must be better, perhaps we should be a little forward-looking and increase to 2048.
With that in mind, it seems going above 2048 presents another issue with the size of the DNS record. As such, 2048 seems to be the best choice from an integrity standpoint.
I welcome any thoughts.
Can you look at what key sizes other major mail providers use?
This raised an interesting question, so I have started looking through emails I have received to see what is out there. One thing that is apparent is that DMARC is in use far more than DKIM is. I was kind of surprised how many emails do not have DKIM signatures.
gmail.com = 2048
aol.com = No DKIM / 1024 (Some have it, some don’t)
bellsouth.net = 1024
rr.com = No DKIM
yahoo.com = 1024
outlook.com = No DKIM
One other item I ran across in researching this more is that it is also recommended to rotate your keys from time to time. Three months is one recommendation, and it seems simple enough since you can spin up a new key, publish it in DNS with a different selector, and then after the DNS records expire retire the old key. The time one can wait to rotate is obviously based on the size of the key as well.
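The two points raised in this thread, the DNS record size that makes 2048 the practical ceiling and the selector-based rotation described just above, are easy to see concretely. The script below is an added example written for this discussion; it is not the project's own key-generation code and the function names (dkim_gen_key, dkim_txt_record, dkim_txt_strings, dkim_key_bits, dkim_rotate) are mine. It assumes only that openssl is on PATH. A single character-string inside a TXT record is limited to 255 bytes, so a public key that does not fit has to be published as several quoted strings that the verifier concatenates; a 1024-bit key fits in one string, 2048 needs two, and 4096 needs three, which is where the "size of the DNS record" problem comes from (some DNS hosting panels do not handle multi-string TXT values well). Rotation is just a new selector: the old record stays published until its TTL has expired and no mail signed with it is still in transit.

```shell
#!/bin/sh
# Added example, not project code. Assumes: openssl on PATH.

# dkim_gen_key SELECTOR BITS OUTDIR
# Writes OUTDIR/SELECTOR.private (PEM) and OUTDIR/SELECTOR.txt (zone-file line).
dkim_gen_key() {
    selector="$1"; bits="$2"; outdir="$3"
    mkdir -p "$outdir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$bits" \
        -out "$outdir/$selector.private" 2>/dev/null
    # p= carries the SubjectPublicKeyInfo DER, base64 on one line.
    pub=$(openssl pkey -in "$outdir/$selector.private" -pubout -outform DER 2>/dev/null \
          | openssl base64 -A)
    dkim_txt_record "$selector" "$pub" > "$outdir/$selector.txt"
}

# dkim_txt_record SELECTOR PUBKEY_B64
# Prints the zone-file line. A TXT character-string is capped at 255 bytes, so the
# value is split into several quoted strings; verifiers concatenate them.
dkim_txt_record() {
    selector="$1"; pub="$2"
    rest="v=DKIM1; k=rsa; p=$pub"
    printf '%s._domainkey\tIN\tTXT\t' "$selector"
    while [ ${#rest} -gt 255 ]; do
        printf '"%s" ' "$(printf '%s' "$rest" | cut -c1-255)"
        rest=$(printf '%s' "$rest" | cut -c256-)
    done
    printf '"%s"\n' "$rest"
}

# dkim_txt_strings [FILE]
# Counts the quoted strings in a record line (file argument or stdin).
dkim_txt_strings() {
    awk -F'"' '{ print (NF - 1) / 2 }' "$@"
}

# dkim_key_bits PRIVATE_KEY_FILE
# Prints the RSA modulus size, to confirm the key really is the size requested.
dkim_key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# dkim_rotate OUTDIR BITS [SELECTOR]
# Generates a new key under a fresh selector (default: today's date), records it as
# the active one, and lists the older selectors whose DNS records can be removed
# once the zone TTL has elapsed and no mail signed with them is still in transit.
dkim_rotate() {
    outdir="$1"; bits="$2"; selector="${3:-$(date +%Y%m%d)}"
    dkim_gen_key "$selector" "$bits" "$outdir"
    printf '%s\n' "$selector" > "$outdir/active"
    for f in "$outdir"/*.private; do
        old=$(basename "$f" .private)
        [ "$old" = "$selector" ] || printf 'retire after TTL: %s\n' "$old"
    done
}

# Usage: generate a 2048-bit key under selector "mail2024a" and show the record.
if [ "${DKIM_EXAMPLE_RUN:-0}" = "1" ]; then
    dkim_gen_key mail2024a 2048 ./dkim
    dkim_key_bits ./dkim/mail2024a.private
    cat ./dkim/mail2024a.txt
    dkim_txt_strings ./dkim/mail2024a.txt
fi
```

Run with DKIM_EXAMPLE_RUN=1 to see the 2048-bit record split into two quoted strings. The split is the part most often done wrong by hand: pasting the whole p= value as a single string into a DNS panel that does not split it produces a record that never validates.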
Okay, let's go to 2048. Please open an issue on GitHub, or submit a PR.
You know what, I am going to try and figure out how to do the PR and make the change. This one should be pretty straightforward and will let me put my dusty coding hat on and have a little fun. Give me a bit to figure out GitHub and find the file where the key is being generated.
I hope I did this correctly, this was my first time using GitHub.