Hello,
I only recently started to use DKIM and DMARC. (Yesterday to be
exact. Now mails to Gmail go to the inbox and not the spam folder.
Which is nice.) I started with a 1024-bit RSA key.
I followed
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
and
https://prefetch.eu/blog/2020/email-server/#dkim
poolp.org talks at length about why to use a 1024-bit key in order
not to truncate the DNS TXT record.
prefetch.eu uses 2048 bits and talks briefly about why not to use
something bigger. (Which makes sense, since RFC 6376 says that up to
2048 bits MUST be supported and larger keys only MAY be.)
Microsoft 365 says that 1024 and 2048 bits are supported,
but defaults to 1024.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide#manually-upgrade-your-1024-bit-keys-to-2048-bit-dkim-encryption-keys
Google Workspace recommends a key with 2048 bits, if your domain
host can manage it.
https://support.google.com/a/answer/174126
I guess my question is: Is the problem with a truncated DNS TXT
record, as described on poolp.org, still a thing to worry about, or
have things improved since 2019 and one can unhesitatingly use a 2048-bit
key?
Thanks for reading
- What DKIM RSA key length to use Thomas Bohl
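
Added example, not part of the original post: a Python sketch of the size arithmetic behind the truncation concern raised above. A single TXT character-string holds at most 255 bytes (RFC 1035), so a 1024-bit DKIM record fits in one string while a 2048-bit record has to be published as several strings that verifiers concatenate. The function names are hypothetical, the key material is a constructed placeholder of the correct length, and the DER sizes assume the usual public exponent 65537.

```python
import base64

MAX_TXT_STRING = 255  # RFC 1035: one TXT character-string carries at most 255 bytes

# Size in bytes of the DER SubjectPublicKeyInfo for an RSA key with e=65537;
# the DKIM p= tag is this structure base64-encoded.
SPKI_DER_BYTES = {1024: 162, 2048: 294}


def placeholder_p(bits):
    """Constructed stand-in for a real key: base64 of zero bytes, correct length only."""
    return base64.b64encode(bytes(SPKI_DER_BYTES[bits])).decode("ascii")


def dkim_value(p_b64):
    """Full TXT record value as published at <selector>._domainkey.<domain>."""
    return "v=DKIM1; k=rsa; p=" + p_b64


def split_txt(value, limit=MAX_TXT_STRING):
    """Cut the record value into character-strings of at most `limit` bytes."""
    raw = value.encode("ascii")
    return [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]


def zone_rdata(value):
    """Render the strings the way a zone file expects: "part1" "part2" ..."""
    return " ".join('"%s"' % part for part in split_txt(value))


def reassemble(parts):
    """What a verifier does: join the strings with nothing in between (RFC 6376, 3.6.2.2)."""
    return "".join(parts)


def report(bits):
    value = dkim_value(placeholder_p(bits))
    parts = split_txt(value)
    assert reassemble(parts) == value  # splitting must be lossless
    return {"bits": bits, "value_len": len(value), "strings": [len(p) for p in parts]}


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(report(bits))
```

Comparing the length of the value returned by a DNS query for the selector with `value_len` shows whether the record was published in full.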