DKIM keys with RSA 2048 are now recommended
Daniel Nashed – 1 February 2026 18:33:57
There are two types of DKIM keys you can use:
- RSA keys are the classical key type that every verifier supports.
- Ed25519 keys are based on elliptic curve cryptography; they are much shorter and offer comparable or better security strength.
Not every receiving server supports Ed25519 keys yet. To ensure the best compatibility, you either have to stay with RSA keys or use dual signing with an Ed25519 key and an RSA key.
Domino DKIM supports both key types and I am running dual keys.
Earlier the best practice was to use an RSA 1024 key, as long as it was considered sufficiently strong.
Now some providers require RSA 2048 keys to be fully compliant.
Why RSA 2048 keys are a challenge
A single character string in a DNS TXT record is limited to 255 bytes. An RSA 1024 key (216 base64 characters) and an Ed25519 key (44 base64 characters) fit into one string together with the v= and k= tags.
But the base64-encoded RSA 2048 key alone is 392 characters, so the record needs to be split into multiple strings.
This is usually not a big deal, but it depends on your DNS provider's interface:
- DNS TXT record strings need to be enclosed in quotes.
- When splitting a DNS TXT record, each part needs to be quoted on its own.
What it looks like and how to query DKIM TXT records
nslookup -type=txt rsa20260201._domainkey.nashcom.de
rsa20260201._domainkey.nashcom.de text = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzr/zFXV9H1HSC54U9qxSPsRNs/bngeNqJfTe8mV058hPnBPp5m2CBfAZZUHvQ1gB7pic5nUJ5rX7NuSWFB/W+9kf0UG92dLWKseUT6h7QoNIUlz0bOnNV1aji62ZUWEf1wL6iwLmbHwLYO0l8wUreoWtvwNpsnJqeW5YxSBNEHPW8EWFFtBkQ29m0xlToVJU1" "mm9Hexn9LLkDQko90naiFxkeZy84vTixmv8xIMQVlKxZi3Arwz/xdUrGPfFwQI6Uu3IMjKzHrlOeZA5tmqBdLRwvFisAuiCY2UudkJrRt0xPjC/tHCcYcKYjLcJaFa9YWHTG8aqeeg4ApVYcyZEPQIDAQAB;"
One DNS TXT record with multiple parts
At first sight it might look like multiple records. But it is really one record with multiple strings; a DKIM verifier concatenates the strings before it parses the tags.
Some DNS GUIs let you paste a single quoted string and chunk it on their own.
But in many DNS GUIs you have to create the chunks yourself and add one DNS entry with those multiple quoted parts.
Using the Hetzner DNS interface you just specify multiple strings. The maximum length of each part without quotes is 255 bytes, exactly as shown in my example above.
I added logic to the Hetzner DNS TXT API to split the record. The Hetzner API expects one entry with multiple strings like this:
{"name":"rsa20260201._domainkey","type":"TXT","ttl":60,"records":[{"value": "\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzr/zFXV9H1HSC54U9qxSPsRNs/bngeNqJfTe8mV058hPnBPp5m2CBfAZZUHvQ1gB7pic5nUJ5rX7NuSWFB/W+9kf0UG92dLWKseUT6h7QoNIUlz0bOnNV1aji62ZUWEf1wL6iwLmbHwLYO0l8wUreoWtvwNpsnJqeW5YxSBNEHPW8EWFFtBkQ29m0xlToVJU1\" \"mm9Hexn9LLkDQko90naiFxkeZy84vTixmv8xIMQVlKxZi3Arwz/xdUrGPfFwQI6Uu3IMjKzHrlOeZA5tmqBdLRwvFisAuiCY2UudkJrRt0xPjC/tHCcYcKYjLcJaFa9YWHTG8aqeeg4ApVYcyZEPQIDAQAB;\"","comment":"Created by Domino CertMgr"}]}
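The splitting described above and the query check, as an added Python example (not code from the post or from Domino CertMgr): it cuts the RSA 2048 record shown in the nslookup output into 255-byte character strings, renders the quoted zone-file form and a request body with the same field layout as the Hetzner payload above, joins a queried answer back together the way a verifier does, and reports key type and modulus size. The function names are mine, and the Ed25519 record is a constructed dummy key for the size comparison, not a real one.

```python
"""Split a DKIM TXT record into DNS character strings and check the published key.

Added example; not code from the original post or from Domino CertMgr.
"""
import base64
import re

MAX_CHARSTRING = 255  # RFC 1035: one <character-string> in a TXT record holds at most 255 bytes

# The RSA 2048 record from the post, joined back into one string (18-byte tag prefix + 392 base64 chars + ';').
RSA_RECORD = (
    "v=DKIM1; k=rsa; p="
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzr/zFXV9H1HSC54U9qxSPsRNs/bngeNqJfTe"
    "8mV058hPnBPp5m2CBfAZZUHvQ1gB7pic5nUJ5rX7NuSWFB/W+9kf0UG92dLWKseUT6h7QoNIUlz0bOnN"
    "V1aji62ZUWEf1wL6iwLmbHwLYO0l8wUreoWtvwNpsnJqeW5YxSBNEHPW8EWFFtBkQ29m0xlToVJU1"
    "mm9Hexn9LLkDQko90naiFxkeZy84vTixmv8xIMQVlKxZi3Arwz/xdUrGPfFwQI6Uu3IMjKzHrlOeZA5t"
    "mqBdLRwvFisAuiCY2UudkJrRt0xPjC/tHCcYcKYjLcJaFa9YWHTG8aqeeg4ApVYcyZEPQIDAQAB;"
)

# Constructed Ed25519 record for comparison: 32 dummy bytes, NOT a real key.
ED25519_RECORD = "v=DKIM1; k=ed25519; p=" + base64.b64encode(bytes(range(32))).decode()


def split_txt(record: str, limit: int = MAX_CHARSTRING) -> list[str]:
    """Cut the record into character strings of at most `limit` bytes."""
    data = record.encode("ascii")  # DKIM records are ASCII, so no multi-byte boundary issues
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def _quote(part: str) -> str:
    """Presentation-format quoting: escape backslash and double quote, then wrap in quotes."""
    return '"' + part.replace("\\", "\\\\").replace('"', '\\"') + '"'


def zone_record(name: str, record: str, ttl: int = 60) -> str:
    """Zone-file line with each part quoted on its own, the form nslookup/dig print."""
    return f"{name} {ttl} IN TXT " + " ".join(_quote(p) for p in split_txt(record))


def hetzner_payload(name: str, record: str, ttl: int = 60, comment: str = "Created by Domino CertMgr") -> dict:
    """Request body with the field layout of the Hetzner payload shown in the post:
    one record whose value carries all quoted parts separated by spaces."""
    value = " ".join(_quote(p) for p in split_txt(record))
    return {"name": name, "type": "TXT", "ttl": ttl, "records": [{"value": value, "comment": comment}]}


_QUOTED = re.compile(r'"((?:\\.|[^"\\])*)"')


def join_txt(answer: str) -> str:
    """Concatenate the quoted strings of a TXT answer without separators, as a DKIM verifier does (RFC 6376)."""
    return "".join(re.sub(r"\\(.)", r"\1", m) for m in _QUOTED.findall(answer))


def parse_dkim_tags(record: str) -> dict:
    """Parse 'tag=value; ...' into a dict; folding whitespace inside p= is dropped (RFC 6376 allows it)."""
    tags = {}
    for item in record.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        name, value = name.strip(), value.strip()
        tags[name] = "".join(value.split()) if name == "p" else value
    return tags


def _der_tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk a SubjectPublicKeyInfo down to the RSA modulus and return its bit length."""
    tag, pos, _ = _der_tlv(spki, 0)            # SEQUENCE SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, _, alg_end = _der_tlv(spki, pos)        # SEQUENCE AlgorithmIdentifier (rsaEncryption, NULL)
    tag, pos, _ = _der_tlv(spki, alg_end)      # BIT STRING subjectPublicKey
    if tag != 0x03:
        raise ValueError("missing subjectPublicKey BIT STRING")
    _, pos, _ = _der_tlv(spki, pos + 1)        # skip the unused-bits byte; SEQUENCE RSAPublicKey
    tag, n_start, n_end = _der_tlv(spki, pos)  # INTEGER modulus
    if tag != 0x02:
        raise ValueError("missing RSA modulus INTEGER")
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()


def dkim_key_bits(tags: dict) -> int:
    """Key size of the published key: RSA modulus bits, or 8 * raw length for Ed25519."""
    key = base64.b64decode(tags["p"], validate=True)
    if tags.get("k", "rsa") == "ed25519":  # k= defaults to rsa when absent (RFC 6376)
        return len(key) * 8
    return rsa_modulus_bits(key)


def audit_record(record: str, min_rsa_bits: int = 2048) -> dict:
    """What to check before publishing: key type and size against a policy, and whether splitting is needed."""
    tags = parse_dkim_tags(record)
    key_type = tags.get("k", "rsa")
    bits = dkim_key_bits(tags)
    size = len(record.encode("ascii"))
    return {
        "key_type": key_type,
        "key_bits": bits,
        "record_bytes": size,
        "needs_split": size > MAX_CHARSTRING,
        "parts": len(split_txt(record)),
        "meets_policy": key_type != "rsa" or bits >= min_rsa_bits,
    }


if __name__ == "__main__":
    name = "rsa20260201._domainkey.nashcom.de"
    print(zone_record(name, RSA_RECORD))
    print(audit_record(RSA_RECORD))
    print(audit_record(ED25519_RECORD))
```

After publishing, query the name with `nslookup -type=txt` or `dig TXT` and feed the answer line to join_txt: if the GUI silently truncated the value or dropped the second string, the joined p= no longer decodes as valid base64 or the modulus size comes out wrong, which is a faster check than waiting for a receiver to reject a signature.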