# Do I need 2048-bit DKIM?

> How DKIM key size is handled in MailBlastr — it generates a 2048-bit key pair for you and you publish one DKIM TXT record holding the public key, so there is no size to choose.

Short answer: you do not need to think about DKIM key size at all — MailBlastr already uses a strong **2048-bit** key. MailBlastr generates an RSA key pair for your domain, uses the private key to sign your mail, and gives you **one DKIM TXT record** holding the public key to publish. The size is fixed at 2048 bits; there is no choice to make.

This is the "BYO DKIM" model: the public key lives in a TXT record on your domain (`v=DKIM1; k=rsa; p=...`) rather than being delegated to the provider with CNAMEs. MailBlastr handles the key generation for you, so the only thing you do is paste the one TXT value.

## The DKIM record MailBlastr generates

There is a single DKIM record: a TXT at a fixed selector hostname on your domain, holding the public half of the 2048-bit key pair MailBlastr generated.

**DKIM — TXT**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `Type` | TXT | No | A single DKIM key record. |
| `Name` | mailblastr._domainkey.yourdomain.com | No | The DKIM selector hostname. `mailblastr` is the fixed selector MailBlastr uses. |
| `Value` | v=DKIM1; k=rsa; p=<public key> | No | The RFC 6376 DKIM key record holding your domain’s 2048-bit public key. |
| `TTL` | Auto | No | Provider default; MailBlastr does not require a specific TTL. |

## Why a single TXT record

- **Strong keys by default.** MailBlastr signs with a 2048-bit key — you inherit that strength without choosing or managing it.
- **Nothing to generate.** MailBlastr creates the key pair and holds the private key; you only publish the public key in one TXT record.
- **Paste it exactly.** The public key is a long base64 string, so copy the value verbatim — a truncated, wrapped, or re-quoted value will block verification.

## 1024-bit vs 2048-bit, if you’re wondering

A frequent question is whether you need a **2048-bit** DKIM key. MailBlastr already uses 2048-bit, so you are covered — but the background, for completeness:

**1024-bit is RFC-compliant.** [RFC 8301 §3.2](https://datatracker.ietf.org/doc/html/rfc8301#section-3.2) sets 1024 bits as the minimum verifiers must support and the recommended floor for signers. Gmail, Outlook, Yahoo, and Apple all accept 1024-bit DKIM signatures, and 1024-bit remains widely used for transactional and marketing mail.

**It meets the bulk-sender requirements.** The 2024 Google / Yahoo / Microsoft requirements (for anyone sending more than 5,000 messages a day to their users) require DKIM alongside SPF and DMARC, but **none of them mandate a specific key length** — and 2048-bit comfortably satisfies them.

|  | 1024-bit | 2048-bit (MailBlastr default) |
| --- | --- | --- |
| Security | Meets current RFC recommendations for email signing. | Larger cryptographic margin / future-proofing. |
| Performance | Faster signing and verification. | More resources per message; negligible at normal volumes. |
| DNS compatibility | Fits comfortably in a single TXT record. | Longer public key — some DNS providers wrap the value; paste it exactly as shown. |
| Deliverability | No penalty. | No downside — and you get the stronger key automatically. |

> **Note:** The 2048-bit public key is a long value. If your DNS provider rejects or wraps long TXT records, paste the value exactly as MailBlastr shows it — do not add quotes or line breaks. See [What if my domain isn’t verifying?](https://www.mailblastr.com/docs/kb/domain-not-verifying).
