
I wonder if I can simply use a 4096-bit RSA key for DKIM (in the DNS TXT record).
Are there any downsides (neglecting computational effort)?
Maybe there are mail servers which can't handle a key this large?

Also: is there any big mail provider which uses RSA keys larger than 2048 bits? Google, Yahoo and Microsoft all seem to use 2048-bit keys.

  • Maybe [this](http://serverfault.com/questions/255580/how-do-i-enter-a-strong-long-dkim-key-into-dns) is of help. – gxx Jan 06 '16 at 18:51

1 Answer


From IETF RFC 4871 (emphasis added):

3.3.3. Key Sizes

Selecting appropriate key sizes is a trade-off between cost, performance, and risk. Since short RSA keys more easily succumb to off-line attacks, signers MUST use RSA keys of at least 1024 bits for long-lived keys. Verifiers MUST be able to validate signatures with keys ranging from 512 bits to 2048 bits, and **they MAY be able to validate signatures with larger keys**. Verifier policies may use the length of the signing key as one metric for determining whether a signature is acceptable.

Factors that should influence the key size choice include the following:

  • The practical constraint that large (e.g., 4096 bit) keys may not fit within a 512-byte DNS UDP response packet

  • The security constraint that keys smaller than 1024 bits are subject to off-line attacks

  • Larger keys impose higher CPU costs to verify and sign email

  • Keys can be replaced on a regular basis, thus their lifetime can be relatively short

  • The security goals of this specification are modest compared to typical goals of other systems that employ digital signatures

See [RFC3766] for further discussion on selecting key sizes.

Michael
yagmoth555
    Thank you. So I should not use a 4096-bit key, as they are not mandatory to be supported by verifiers :) – Florian Schneider Jan 06 '16 at 19:09
  • @FlorianSchneider Rewrote my comment, just seen your update :) Yes, exactly :) (& some old routers can have difficulty with such a long DNS packet; as the RFC states, the software may accept it, but even if it does, if the router rejects it, you are blocked. It's why IMO the big mail providers all use 2048-bit keys) – yagmoth555 Jan 06 '16 at 19:14
  • How about now? 2022? Still the same, or should I use the 4096 key now? – Alex May 06 '22 at 14:42
  • @Alex It still looks like all major brands use 2048. Example; https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide – yagmoth555 May 06 '22 at 18:06
  • @Alex Another example is there; https://docs.microsoft.com/en-us/powershell/module/exchange/new-dkimsigningconfig?view=exchange-ps "The KeySize parameter specifies the size in bits of the public key that's used in the DKIM signing policy. Valid values are 1024 or 2048." – yagmoth555 May 06 '22 at 18:08
  • Thanks for the information. I've set the key to 4096 and sent my brother, who uses Hotmail, an email and it arrived fine! Maybe there will be some providers who are not compatible yet, but I'm not using it for sending much email anyway, I receive more so it won't be much of an issue. – Alex May 07 '22 at 03:24
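To put numbers on the RFC's first bullet (a 4096-bit key "may not fit within a 512-byte DNS UDP response packet"), here is an added example that is not part of the question, the answer or any of the comments above. It builds the `v=DKIM1; k=rsa; p=...` TXT record for a key of a given size by DER-encoding a SubjectPublicKeyInfo by hand (so no crypto library is needed), splits it into the 255-byte strings TXT RDATA requires, and estimates the size of a minimal DNS response carrying it. The modulus is constructed (top bit set, odd) rather than a real RSA modulus, which is fine because only its length affects the record size; the selector name `selector._domainkey.example.com` is likewise an assumption.

```python
import base64
import math

RSA_ENCRYPTION_OID_DER = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1
DNS_UDP_CLASSIC_LIMIT = 512   # pre-EDNS(0) maximum UDP payload (RFC 1035)
TXT_STRING_MAX = 255          # max length of one <character-string> in TXT RDATA


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form at or above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER is two's-complement, so a leading 0x00 is added when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return der_tlv(0x02, raw)


def rsa_spki_der(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: the bytes DKIM's p= tag carries, base64-encoded."""
    rsa_public_key = der_tlv(0x30, der_integer(modulus) + der_integer(exponent))
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID_DER + b"\x05\x00")   # rsaEncryption, NULL params
    bit_string = der_tlv(0x03, b"\x00" + rsa_public_key)           # 0 unused bits
    return der_tlv(0x30, alg_id + bit_string)


def dkim_txt_record(modulus: int, exponent: int = 65537) -> str:
    p = base64.b64encode(rsa_spki_der(modulus, exponent)).decode("ascii")
    return f"v=DKIM1; k=rsa; p={p}"


def txt_rdata(text: str) -> bytes:
    """TXT RDATA: the text split into length-prefixed strings of at most 255 bytes."""
    data = text.encode("ascii")
    chunks = [data[i:i + TXT_STRING_MAX] for i in range(0, len(data), TXT_STRING_MAX)]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name: one length byte per label plus the root."""
    return sum(len(label) + 1 for label in name.rstrip(".").split(".")) + 1


def dns_response_size(name: str, rdata: bytes) -> int:
    """Bytes in a minimal DNS response with one TXT RR for `name` (no OPT record, no extra RRs)."""
    header = 12
    question = wire_name_len(name) + 2 + 2           # QNAME, QTYPE, QCLASS
    answer = 2 + 2 + 2 + 4 + 2 + len(rdata)          # NAME (compression pointer), TYPE, CLASS, TTL, RDLENGTH, RDATA
    return header + question + answer


def check_key_size(bits: int, name: str = "selector._domainkey.example.com") -> dict:
    # Constructed modulus (assumption): top bit set and odd, so it is exactly `bits` long.
    # It is NOT a real RSA modulus; only its length matters for the record size.
    modulus = (1 << (bits - 1)) | 1
    record = dkim_txt_record(modulus)
    rdata = txt_rdata(record)
    size = dns_response_size(name, rdata)
    return {
        "bits": bits,
        "txt_len": len(record),
        "strings": math.ceil(len(record) / TXT_STRING_MAX),
        "response_bytes": size,
        "fits_512": size <= DNS_UDP_CLASSIC_LIMIT,
    }


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        r = check_key_size(bits)
        print(f"{r['bits']:>4}-bit: TXT {r['txt_len']} chars in {r['strings']} string(s), "
              f"~{r['response_bytes']}-byte response, fits in 512: {r['fits_512']}")
```

For a 2048-bit key the record is 410 characters (two TXT strings) and the response is about 473 bytes with a short selector name, which is why 2048 is the largest size that still fits the classic 512-byte UDP reply; a 4096-bit key gives a 754-character record in three strings and a response near 818 bytes, which only reaches the verifier if its resolver negotiates a larger UDP payload with EDNS(0) or retries over TCP after a truncated answer. That is the failure mode behind the "old router" caveat in the comments: the record is valid, but a middlebox that drops large or TCP DNS traffic makes it unresolvable. To check a real key instead of the constructed modulus, pass the integer from `openssl rsa -in key.pem -noout -modulus` to `dkim_txt_record`.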