DKIM 1024 vs 2048 bit keys
DKIM 1024 vs 2048 · DKIM key length · weak DKIM key
Why 2048-bit DKIM keys are preferred, when 1024-bit keys still appear, and how key length affects DNS TXT records.
Автор: DN01 Network Team
DKIM key length is a security and compatibility tradeoff: 2048-bit RSA is the modern baseline, while 1024-bit keys are increasingly treated as weak. DKIM подтверждает, что письмо подписано приватным ключом отправителя, а публичный ключ опубликован в DNS.
Some DNS providers or legacy setups mishandle long 2048-bit TXT records, causing teams to downgrade instead of fixing record publishing. Проверяйте точное имя селектор._domainkey.домен, потому что без селектора валидатор не знает, какой ключ должен использовать получатель.
Validate the key with /ru/dkim-validator and keep /ru/dns-checker nearby to confirm the full TXT value is visible from public resolvers. Сверьте наличие TXT, теги v/k/p/h/s/t, длину ключа, режим t=y и состояние revoked, затем сравните результат с DNS Checker.
Что проверить в первую очередь
Confirm that the selector is copied from the mail provider, not guessed from another domain or an old migration note.
Check whether the answer is a direct TXT record or a CNAME chain that eventually points at the DKIM TXT value.
Look at v=DKIM1, k=, p=, h=, s= and t= together. A record can exist but still be unusable when the public key is empty, malformed or too weak.
Типичные причины ошибки
The record was added to the wrong DNS provider, while the domain still delegates to another authoritative nameserver.
The selector changed during a provider migration, key rotation or domain re-verification, but an older selector is still being tested.
The TXT value was split or quoted incorrectly by a DNS editor, so receivers cannot reconstruct the base64 public key.
Как исправлять без риска
Publish the new key first, wait for DNS visibility, then switch signing in the provider console. Do not delete the old selector until delayed mail has cleared.
Use t=y only during rollout. Once signed mail verifies consistently, remove testing mode so DKIM sends a stronger production signal.
Keep DKIM checks next to SPF and DMARC checks. A valid DKIM key is one part of deliverability, not the whole authentication policy.
| Тег | Зачем нужен |
|---|---|
| v=DKIM1 | Identifies the TXT value as a DKIM record. |
| p= | Carries the public key; an empty value revokes the key. |
| k= | Declares the key type, commonly rsa or ed25519. |
| h= | Limits allowed hash algorithms such as sha256. |
| t= | Flags testing mode (y) or strict subdomain behavior (s). |
Частые вопросы
- Можно ли проверить DKIM без селектора?
No. DKIM records are selector-specific, so you need the selector from your provider or from a DKIM-Signature header.
- Почему DKIM запись найдена, но невалидна?
The TXT record may have a wrong version tag, duplicate tags, missing p=, invalid base64, a revoked empty key or a weak/malformed public key.
- Нужно ли хранить старый селектор?
Yes, keep it until TTLs and delayed mail queues clear. Removing it too early can break verification for messages already in transit.