Our DKIM key is still 1024-bit, do we need to move to 2048?
1024-bit RSA for DKIM is no longer recommended. Google and Yahoo still accept it, but large receivers lower sender reputation for it and security audits flag it. 2048-bit is the practical standard and still fits in a DNS TXT record if you split it correctly.
Try this first
1. Generate a new 2048-bit DKIM key in your mail platform with a new selector, for example s2026 next to the existing s1.
2. Publish the new selector as a TXT record. Many DNS providers split across the 255-character per-string limit automatically, but verify with dig txt s2026._domainkey.yourdomain.com that it assembles correctly.
3. Switch outgoing signing in the mail platform to the new selector. Keep the old selector around for a few days so mail still in flight can be verified by receivers.
4. Verify pass via tools like mail-tester.com, dkimvalidator.com or mxtoolbox.
5. Remove the old selector after a week or two. Only then is the old key truly closed off against replay.
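A check for step 2, as an added example that is not part of the original page: it takes the TXT answer as quoted strings, joins them the way a verifier does, and reports the RSA modulus size found in p=. The function names are this example's own, and it assumes the record holds an RSA key.

```python
import base64
import re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def rsa_bits(der):
    """Modulus size in bits; accepts SubjectPublicKeyInfo or bare RSAPublicKey."""
    _, start, _ = read_tlv(der, 0)                   # outer SEQUENCE
    tag, vstart, vend = read_tlv(der, start)
    if tag == 0x30:                                  # SPKI: AlgorithmIdentifier first
        _, bits_start, _ = read_tlv(der, vend)       # BIT STRING holding the key
        _, start, _ = read_tlv(der, bits_start + 1)  # +1 skips unused-bits byte
        tag, vstart, vend = read_tlv(der, start)     # INTEGER modulus
    if tag != 0x02:
        raise ValueError("p= does not hold an RSA public key")
    return int.from_bytes(der[vstart:vend], "big").bit_length()

def check_dkim_txt(answer):
    """answer: one TXT answer as quoted strings, e.g. a line from `dig +short txt`."""
    chunks = re.findall(r'"([^"]*)"', answer)
    record = "".join(chunks)             # verifiers join the strings with no separator
    record = record.replace("\\;", ";")  # some dig versions print ';' as '\;'
    pairs = (t.split("=", 1) for t in record.split(";") if "=" in t)
    tags = {k.strip(): v for k, v in pairs}
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        raise ValueError("p= missing or empty: record truncated or key revoked")
    der = base64.b64decode(p, validate=True)  # raises if the split damaged the key
    return {
        "bits": rsa_bits(der),
        "strings": len(chunks),
        # >255 cannot exist on the wire; catches zone-file text before publishing
        "oversized": sum(len(c) > 255 for c in chunks),
    }

if __name__ == "__main__":
    import sys
    print(check_dkim_txt(sys.stdin.read()))
```

Pipe the output of dig +short txt for the new selector into the script; a correctly published 2048-bit record reports bits 2048 and oversized 0.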
When to bring us in
If you run multiple ESPs or a self-hosted MTA next to Microsoft 365, sequencing matters: every sender must sign before you remove the old key from DNS.
See also
- Our emails land in spam for some recipients: Almost always an SPF, DKIM, or DMARC setting that is wrong or missing, or a sender name that mimics a well-known brand.
- Someone reports receiving phishing emails "from us": Read: spoofing. Someone is abusing your sender name, not necessarily your actual mailbox.
- An email bounces (NDR): delivery failed: The NDR text usually states the exact reason. Reading it is step one.