create 4096-bit DKIM keys with Mailcow

Cisco30

hi
in the mailcow settings you can create DKIM keys of 2048 bits max,
Is there a way to generate 4096 bit keys? THANKS

esackbauer

This is not recommended:
https://www.dkim.org/specs/rfc4871-dkimbase.html

The practical constraint that large (e.g., 4096 bit) keys may not fit within a 512-byte DNS UDP response packet
Verifiers MUST be able to validate signatures with keys ranging from 512 bits to 2048 bits, and they MAY be able to validate signatures with larger keys.

accolon

RFC 4871 was obsoleted by RFC 6376 in 2011, which was updated by RFC 8301 in 2018.

While the statement about the possible length constraints still holds, the key sizes have changed:

Signers SHOULD use RSA keys of at least 2048 bits.
Verifiers MUST be able to validate signatures with keys ranging from
1024 bits to 4096 bits, and they MAY be able to validate signatures
with larger keys.

4096 bit is still not required for security reasons, but it should be usable by now. Personally, I’d go with 2048.

Cisco30

accolon 4096 bit is still not required for security reasons, but it should be usable by now. Personally, I’d go with 2048.

thank you for the information