Hi,
in the mailcow settings you can create DKIM keys of 2048 bits max. Is there a way to generate 4096-bit keys? THANKS

RFC 4871 was obsoleted by RFC 6376 in 2011, which was updated by RFC 8301 in 2018.

While the statement about the possible length constraints still holds, the key sizes have changed:

    Signers SHOULD use RSA keys of at least 2048 bits.
    Verifiers MUST be able to validate signatures with keys ranging from
    1024 bits to 4096 bits, and they MAY be able to validate signatures
    with larger keys.

4096 bit is still not required for security reasons, but it should be usable by now. Personally, I’d go with 2048.

This is not recommended (RFC 4871, DomainKeys Identified Mail (DKIM) Signatures):

    The practical constraint that large (e.g., 4096 bit) keys may not fit within a 512-byte DNS UDP response packet
    Verifiers MUST be able to validate signatures with keys ranging from 512 bits to 2048 bits, and they MAY be able to validate signatures with larger keys.
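The 512-byte constraint quoted above can be checked without generating a key, because the DER size of an RSA public key depends only on its bit length, not on the modulus value. The following Python is an added example, not code from this thread or from mailcow: it builds the SubjectPublicKeyInfo that a DKIM p= tag carries (RFC 6376 section 3.6.1) around a constructed placeholder modulus, splits the TXT record text into 255-octet strings as the DNS wire format requires, and estimates the size of a minimal DNS answer against the classic 512-byte UDP limit of RFC 1035. The selector name dkim._domainkey.example.com is constructed for the example.

```python
"""Estimate whether a DKIM TXT record for an RSA key of a given size fits in a
classic 512-byte DNS UDP response (RFC 1035 without EDNS0).

Added example, not mailcow's or the RFCs' code. The modulus used for sizing is
a constructed placeholder with the right bit length; the DER encoding of an
RSA public key has the same size for every modulus of that length."""

import base64
import math

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
DKIM_PREFIX = "v=DKIM1; k=rsa; p="
DNS_HEADER_BYTES = 12
CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP message limit when EDNS0 is not negotiated
TXT_STRING_MAX = 255      # each <character-string> in TXT RDATA holds at most 255 octets


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps the top bit from reading as a sign."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_spki_der(n: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key, the structure DKIM's p= tag carries base64-encoded."""
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    alg_id = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    bit_string = der_tlv(0x03, b"\x00" + rsa_public_key)  # first octet: 0 unused bits
    return der_tlv(0x30, alg_id + bit_string)


def placeholder_modulus(bits: int) -> int:
    """Constructed modulus with exactly `bits` bits; only its length matters for sizing."""
    return (1 << (bits - 1)) | 1


def dkim_txt_text(spki: bytes) -> str:
    return DKIM_PREFIX + base64.b64encode(spki).decode("ascii")


def txt_rdata_bytes(text: str) -> int:
    """TXT RDATA is one or more <character-string>s: a length octet plus up to 255 octets each."""
    data = text.encode("ascii")
    chunks = math.ceil(len(data) / TXT_STRING_MAX)
    return len(data) + chunks


def wire_name_bytes(name: str) -> int:
    """Uncompressed wire length of a DNS name: each label prefixed by its length, then the root label."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(len(label) + 1 for label in labels) + 1


def dns_txt_response_bytes(name: str, text: str) -> int:
    """Minimal answer: header, question, one TXT RR whose owner name is a 2-byte compression pointer."""
    question = wire_name_bytes(name) + 4                 # QTYPE + QCLASS
    answer = 2 + 2 + 2 + 4 + 2 + txt_rdata_bytes(text)   # ptr, TYPE, CLASS, TTL, RDLENGTH, RDATA
    return DNS_HEADER_BYTES + question + answer


def dkim_record_fits_classic_udp(name: str, bits: int) -> bool:
    text = dkim_txt_text(rsa_spki_der(placeholder_modulus(bits)))
    return dns_txt_response_bytes(name, text) <= CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    selector = "dkim._domainkey.example.com"  # constructed selector and domain
    for bits in (1024, 2048, 4096):
        text = dkim_txt_text(rsa_spki_der(placeholder_modulus(bits)))
        size = dns_txt_response_bytes(selector, text)
        verdict = "fits" if size <= CLASSIC_UDP_LIMIT else "exceeds"
        print(f"{bits}-bit key: p= is {len(text) - len(DKIM_PREFIX)} chars, "
              f"answer about {size} bytes, {verdict} the 512-byte UDP limit")
```

Run as-is it reports answers of roughly 292, 469 and 814 bytes for 1024-, 2048- and 4096-bit keys, so only the 4096-bit record breaks the classic limit, and its 736-character p= value has to be published as at least three 255-octet strings. That limit is not the end of the story: a resolver that advertises a larger EDNS0 buffer (RFC 6891) receives the record over UDP anyway, and a resolver that gets a truncated UDP answer is required to retry over TCP. The practical check before publishing a 4096-bit key is therefore that the authoritative servers answer the TXT query over TCP (for example with `dig +tcp`) and that every DNS hosting interface involved accepts a multi-string TXT record.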



    accolon 4096 bit is still not required for security reasons, but it should be usable by now. Personally, I’d go with 2048.

    thank you for the information
