What key length does the Valid Email Checker DKIM Generator use?
The Valid Email Checker DKIM Record Generator defaults to 2048-bit RSA and gives you a single toggle to switch to 4096-bit RSA if you want extra strength. 1024-bit is deliberately not offered — it has been considered cryptographically weak for several years and Gmail, Microsoft, and Yahoo all warn against it. Anything under 2048 in 2026 is leaving deliverability and security on the table.
Why 2048-bit is the default
- Universal compatibility. Every modern receiving server supports 2048-bit RSA without complaint. There are no edge cases.
- Fits in a single TXT record. A 2048-bit public key, base64-encoded, is roughly 400 characters. DNS TXT records cap each string at 255 characters, so a 2048-bit record spans two strings — which every resolver handles. A 4096-bit key is closer to 800 characters and spans three or four strings.
- Strong against current attacks. 2048-bit RSA is the same key length used for TLS server certificates on most of the web. Breaking it is not feasible with current hardware.
- Fast to generate. Browser-side generation in the Web Crypto API takes well under a second at 2048-bit. 4096-bit takes a few seconds on slower devices.
When 4096-bit makes sense
Pick 4096-bit if you have a compliance requirement (some government and healthcare standards specify 4096 as a minimum) or if you want longer-term cryptographic margin against future computing advances. The downside is the larger DNS record — some older DNS providers and a small number of receiving mail servers historically had trouble with multi-string TXT records. In 2026 this is rare, but if you publish a 4096-bit DKIM record and certain mail platforms refuse to verify it, the fallback is to regenerate at 2048-bit.
Why we do not offer 1024-bit
1024-bit RSA was the DKIM standard until roughly 2013. Since then, advances in integer factorization and the cost of cloud compute have made 1024-bit key recovery uncomfortably plausible for well-funded attackers. Gmail flagged 1024-bit DKIM as a deliverability negative in 2016, and Google, Microsoft, and Yahoo's 2024 sender requirements explicitly require 2048-bit or higher for high-volume senders. Offering 1024 here would be giving users a foot-gun.
Key rotation
DKIM best practice is to rotate keys every 6-12 months. The generator makes this trivial — generate a new key with a new selector (e.g. bump mail2026 to mail2026-q4), publish it, update your ESP to sign with the new key, then remove the old TXT record once you have confirmed no in-flight mail still uses it. The DKIM Record Checker verifies the new record is live before you cut over.
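The two mechanics above (the 255-character TXT string split from the "Why 2048-bit is the default" list, and the pre-cut-over check of a published record) as an added, self-contained Python example. This is not code from the Valid Email Checker generator or checker, which does key generation in the browser with Web Crypto; here the modulus is a constructed random odd integer of the requested size that only stands in for a real RSA modulus, so the encoded `p=` value has exactly the length a real key of that size produces without a real key being generated. The selector, domain, and minimum-bits policy are assumptions chosen to match the text.

```python
import base64
import secrets

# DER contents of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_OID = bytes.fromhex("2a864886f70d010101")
TXT_STRING_LIMIT = 255  # one character-string inside TXT RDATA holds at most 255 octets


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo for an RSA key: the encoding DKIM carries in p=."""
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_public_key))


def dkim_p_value(bits, e=65537):
    """base64 p= value for a CONSTRUCTED modulus (random odd integer, not a real key)."""
    n = (1 << (bits - 1)) | secrets.randbits(bits - 1) | 1
    return base64.b64encode(rsa_spki_der(n, e)).decode()


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def modulus_bits(p_b64):
    """Bit length of the RSA modulus inside a DKIM p= value."""
    tag, spki, _ = _read_tlv(base64.b64decode(p_b64), 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg_id, pos = _read_tlv(spki, 0)
    _, oid, _ = _read_tlv(alg_id, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = _read_tlv(spki, pos)
    _, rsa_public_key, _ = _read_tlv(bit_string[1:], 0)  # skip the unused-bits octet
    _, modulus, _ = _read_tlv(rsa_public_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def dkim_txt_value(p_b64):
    return f"v=DKIM1; k=rsa; h=sha256; p={p_b64}"


def split_txt(value, limit=TXT_STRING_LIMIT):
    """Cut a TXT value into the <=255-octet strings a zone file must carry."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_line(selector, domain, strings):
    quoted = " ".join(f'"{s}"' for s in strings)
    return f"{selector}._domainkey.{domain}. IN TXT {quoted}"


def check_dkim_record(strings, min_bits=2048):
    """Join the fetched TXT strings and check the record before cutting over."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k] = v
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "unexpected v= tag"
    if tags.get("k", "rsa") != "rsa":
        return False, "not an RSA record"
    if not tags.get("p"):
        return False, "empty p= (revoked key)"
    bits = modulus_bits(tags["p"])
    if bits < min_bits:
        return False, f"{bits}-bit key is below the {min_bits}-bit minimum"
    return True, f"{bits}-bit RSA key"


if __name__ == "__main__":
    strings = split_txt(dkim_txt_value(dkim_p_value(2048)))
    print(zone_line("mail2026-q4", "example.com", strings))  # assumed selector/domain
    print(len(strings), "TXT strings;", check_dkim_record(strings))
```

A 2048-bit key yields a 392-character `p=` value and a record that splits into two strings; 4096-bit yields 736 characters and three strings. `check_dkim_record` takes the list of strings exactly as a resolver returns them, so it also catches the publishing mistake the text warns about: a provider that dropped or reordered one string produces a `p=` that no longer decodes as a SubjectPublicKeyInfo.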