2048-bit DKIM keys: improved security for your email program

With the number of malicious actors operating in email, legitimate senders need a reliable way to prove their identity. One way to do that is DomainKeys Identified Mail (DKIM), a cryptographic mechanism built on a key pair: the sending server signs each message with a private key, the matching public key is published in a DNS TXT record under the sending domain, and the receiving server fetches that key to verify the signature. A valid signature shows that whoever controls the domain's DNS authorized the message, which lets receivers tell legitimate mail from mail that merely claims to come from the domain.

For years the standard DKIM key length was 1024 bits, but factoring attacks keep getting cheaper and computing power keeps growing, so the safety margin of a 1024-bit RSA key keeps shrinking. The National Institute of Standards and Technology (NIST) has disallowed 1024-bit RSA for generating new signatures since the end of 2013 and recommends a minimum of 2048 bits.

To give our senders the best possible protection, we are happy to announce that Twilio SendGrid now uses 2048-bit DKIM keys!

1024 bit vs. 2048 bit DKIM key

A 1024-bit DKIM key is an RSA key whose modulus is 1024 bits long (it is a bit length, not a count of characters). The longer the key, the more work it takes to factor the modulus and recover the private key, which is what an attacker needs in order to forge signatures for the domain. For a few years the standard was 512 bits, but it became clear that 512-bit keys were vulnerable and easy to crack: a 512-bit RSA modulus can be factored in a matter of days with rented cloud compute, and once the private key is known anyone can sign mail as the domain.

1024 bits is far more secure, and no public factorization of a 1024-bit RSA modulus has been reported, but the largest factored RSA challenge numbers are already above 800 bits, and staying one step ahead is what keeps your email secure. Many experts expect 1024-bit keys to become practically attackable within the next few years, and NIST already treats them as insufficient.

Enter the 2048-bit key. Doubling the key length does far more than double an attacker's work: NIST rates 1024-bit RSA at roughly 80 bits of security and 2048-bit RSA at 112 bits, and considers 2048-bit RSA acceptable for use through 2030. A 2048-bit DKIM signature is therefore expected to stay secure against known cryptographic attacks for the foreseeable future, which is what you want from the key that authenticates your domain automatically on every message.

Is 2048 bit widely supported?

This is a common question because the public key record is roughly twice as long as for a 1024-bit key: about 400 characters of base64 plus the v= and k= tags, while a single string inside a DNS TXT record is limited to 255 characters. The DKIM specification (RFC 6376) allows the record to be split into several strings that receivers concatenate, and most Domain Name System (DNS) providers support this. Some provider interfaces impose a character limit or do not let you enter multi-string TXT records; several of those have their own workarounds, so it is worth contacting them to discuss options.
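As an added example (not Twilio SendGrid's code or tooling), the following Go program shows the mechanics behind the two previous sections using only the standard library: it generates 1024- and 2048-bit RSA keys, builds the DNS TXT record for each and splits it at the 255-byte string limit (the 2048-bit record needs two strings, the 1024-bit one fits in one), parses a record back to report the key size it carries, which is the check to run against any selector you are unsure about, and signs and verifies data with DKIM's rsa-sha256 algorithm. The domain name and the signed bytes are constructed placeholders; the signed bytes stand in for DKIM's canonicalized headers and body hash rather than implementing the full DKIM-Signature header, and no DNS lookup is performed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// maxTXTString is the RFC 1035 limit on one <character-string> in a TXT record.
const maxTXTString = 255

// BuildDKIMRecord builds the TXT record for an RSA DKIM public key and splits it
// into strings of at most 255 bytes, as RFC 6376 section 3.6.2.2 permits. Each
// element of the result is one quoted string of the same TXT RR.
func BuildDKIMRecord(pub *rsa.PublicKey) ([]string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub) // SubjectPublicKeyInfo, as DKIM requires
	if err != nil {
		return nil, err
	}
	record := "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	var parts []string
	for len(record) > maxTXTString {
		parts = append(parts, record[:maxTXTString])
		record = record[maxTXTString:]
	}
	return append(parts, record), nil
}

// ParseDKIMRecord joins the strings a resolver returns for selector._domainkey,
// reads the tag list and returns the RSA public key carried in the p= tag.
func ParseDKIMRecord(strs []string) (*rsa.PublicKey, error) {
	tags := map[string]string{}
	for _, field := range strings.Split(strings.Join(strs, ""), ";") {
		if kv := strings.SplitN(field, "=", 2); len(kv) == 2 {
			tags[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return nil, fmt.Errorf("unsupported version %q", v)
	}
	if k, ok := tags["k"]; ok && k != "rsa" {
		return nil, fmt.Errorf("unsupported key type %q", k)
	}
	// RFC 6376 allows whitespace inside p=; an empty p= means the key is revoked.
	p := strings.Join(strings.Fields(tags["p"]), "")
	if p == "" {
		return nil, fmt.Errorf("empty p= tag: key revoked or record broken")
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return nil, fmt.Errorf("p= is not valid base64: %w", err)
	}
	key, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("p= is not a SubjectPublicKeyInfo: %w", err)
	}
	rsaKey, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("p= does not contain an RSA key")
	}
	return rsaKey, nil
}

// KeyBits reports the modulus size a published record carries. Feed it the TXT
// strings of s1._domainkey.<domain> to learn whether a selector still serves
// a 1024-bit key.
func KeyBits(strs []string) (int, error) {
	key, err := ParseDKIMRecord(strs)
	if err != nil {
		return 0, err
	}
	return key.N.BitLen(), nil
}

// SignRSASHA256 is the sender side of DKIM's rsa-sha256 algorithm:
// RSASSA-PKCS1-v1_5 over a SHA-256 digest of the data.
func SignRSASHA256(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// VerifyRSASHA256 is the receiver side: true only if the signature matches the
// data under the public key fetched from DNS.
func VerifyRSASHA256(pub *rsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	// Constructed stand-in for the canonicalized headers DKIM would sign.
	data := []byte("from:sender@example.com\r\nsubject:hello\r\n")
	for _, bits := range []int{1024, 2048} {
		priv, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			panic(err)
		}
		rec, _ := BuildDKIMRecord(&priv.PublicKey)
		n, _ := KeyBits(rec)
		sig, _ := SignRSASHA256(priv, data)
		fmt.Printf("%d-bit key: %d TXT string(s), %d chars, parsed as %d bits, verifies=%v\n",
			bits, len(rec), len(strings.Join(rec, "")), n, VerifyRSASHA256(&priv.PublicKey, data, sig))
	}
}
```

Running it prints one line per key size; the 2048-bit record comes out as two strings of 255 and 155 characters, which is exactly the multi-string TXT record a DNS provider must be able to store. To check a live selector, pass the strings returned by your resolver for `selector._domainkey.yourdomain` to `KeyBits`.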

Set up 2048-bit DKIM keys for your Twilio SendGrid account

Whenever a new DKIM key is created in your Twilio SendGrid account through automated security, it is a 2048-bit key. A new DKIM key is created whenever a new selector is used.

However, existing domain authentication configurations and selectors do not change automatically. For example:

  • If you create a new domain authentication that uses the same default s1 selector as a previous 1024-bit key, the existing 1024-bit key is reused.
  • If you already have a 1024-bit key, choose a custom, unused selector when you create the new domain authentication so that a new 2048-bit key is generated.

In your Twilio SendGrid account, go to Settings > Sender Authentication to create or update your DKIM key (as shown in the image below).

Exception: manual security does not use 2048-bit keys

Manual security domain authentication on your Twilio SendGrid account still uses 1024-bit keys, even for a brand-new domain authentication. Because of their length, 2048-bit DKIM records are not accepted by every DNS provider. With manual security we ask you to publish the raw DKIM record with your own provider, so there is a risk that the provider would reject a 2048-bit record.

With automated security, Twilio SendGrid stores the DKIM record with its own DNS provider (which we know supports 2048-bit DKIM keys), and you point the relevant records in your DNS at ours.

For more information on setting up 2048-bit keys for your account, see our documentation article Migration to 2048-bit DomainKeys Identified Mail (DKIM).

Protect your e-mail program with 2048-bit keys

Unfortunately, hackers won't go away anytime soon. Brands need to stay ahead of bad actors at all times to keep their email safe. Moving to 2048-bit DKIM keys is one of the necessary steps to protect your domain and your email reputation.

Learn how to set up 2048-bit keys for your Twilio SendGrid account, or read more about account security best practices.
