
Your DKIM key might be technically present and still fail Cyber Essentials

A 1024-bit DKIM signing key passes basic email checks but fails Cyber Essentials secure configuration standards — here's why key length matters.

We ran our own domain, olimpio.io, through our scanner during testing. DKIM was set up. SPF was set up. Email authentication looked, on paper, like a solved problem. Then the scan flagged it anyway: the DKIM signing key was 1024-bit, and 1024-bit is weak.

That's the trap with DKIM specifically. Most guidance on email security stops at "do you have a DKIM record." It doesn't ask whether the key behind that record is actually strong enough to do its job. A business can have DKIM fully configured, technically passing every basic checker, and still be running a key length that's been considered insufficient for years.

What DKIM actually does, and why key length matters

DKIM, or DomainKeys Identified Mail, attaches a digital signature to outgoing email. The signature covers the message body and a chosen set of headers (From, Subject, Date and so on), so a receiving server can confirm that whoever holds the private key for the signing domain signed exactly that content and that it wasn't altered in transit. The private key stays on the mail server; the corresponding public key is published as a DNS TXT record at selector._domainkey.yourdomain, and the selector named in each signature tells the receiver which record to fetch. DMARC builds on this by checking that the signing domain matches the domain in the From header.

The strength of that signature depends on the key length, measured in bits. A 1024-bit RSA key was standard practice a decade ago; it isn't any more. NIST retired 1024-bit RSA for signature generation at the end of 2013, RFC 8301 (2018) tells DKIM signers to use keys of at least 2048 bits, and current guidance, including from the National Cyber Security Centre, treats 2048 bits as the practical minimum. No public factoring of a 1024-bit RSA modulus has been demonstrated, but the estimated effort is within reach of a well-resourced attacker, and a DKIM key makes an unusually good target: it never expires, so the attacker has as long as they like, and once the modulus is factored they can sign arbitrary mail as your domain that passes DKIM and DMARC at every receiver. The DKIM record still exists, the email still gets signed, but the guarantee behind that signature is weaker than it looks.

Why Cyber Essentials cares about this specifically

Cyber Essentials' Secure Configuration control isn't just asking whether a security measure exists. It's asking whether it's configured correctly. A DKIM record with a 1024-bit key technically satisfies "is DKIM configured," but it doesn't satisfy "is it configured securely," and that distinction is exactly what trips businesses up during assessment.

This is also why automated scanning catches things a simple yes/no self-assessment can't. Asking "do you have DKIM set up" gets a yes. Checking the actual key length behind that yes is a different question entirely, and it's the one that determines whether the configuration is genuinely sound.

How this usually happens

Nobody deliberately chooses a weak DKIM key. It happens because the key was generated years ago, when 1024-bit was the default in most setup guides and email platforms, and DKIM keys are not something anyone revisits once they're working. Unlike a certificate, there's no expiry date forcing a renewal. The key can sit there for a decade, signing every email the business sends, without anyone checking whether the standard it was generated under is still considered adequate.

It's also common after a migration. A business moves email providers, copies the old DKIM setup across to avoid breaking anything, and inherits a key length nobody chose deliberately the second time either.

How to check and fix your DKIM key length

Your public key lives in a DNS TXT record at selector._domainkey.yourdomain, where the selector is the s= value in the DKIM-Signature header of your outgoing mail. Most DNS lookup tools will show you that raw record, and the key length is encoded in its p= value, but not in a form you can read by eye. A rough check is still possible: the p= value is a base64-encoded RSA public key, so a 1024-bit key is about 216 characters long and starts with MIGf, while a 2048-bit key is about 392 characters and starts with MIIB. For an exact figure, decode the p= value and read the modulus size. The more direct fix is asking your email provider or hosting platform to regenerate the DKIM key at 2048-bit, which most major providers, including Google Workspace and Microsoft 365, support natively in their admin settings.

Once the new key is generated, publish its public key under a new selector (for example 2024a._domainkey rather than overwriting the one in use), verify the record resolves from outside your own network, then switch signing to the new selector. Don't delete the old selector's record immediately: keep it in DNS for a few days to a week after the switch so mail already signed with the old key, including messages queued for retry, still verifies, and only then remove it. Two caveats worth knowing: a 2048-bit public key is too long for a single 255-character TXT string, so the record has to be published as several quoted strings (most DNS hosts do this for you, a few older ones cannot), and if your provider only supports one selector at a time you will get a short window in which in-transit mail fails DKIM, which DMARC tolerates only if SPF still passes with alignment.
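An added worked example, not code from the original post or from Olimpio's scanner, that does the two things this section describes: it decodes the p= value of a DKIM record to report the real RSA modulus length (the check behind the "1024-bit is weak" finding), and it formats a new 2048-bit public key as a TXT record split into 255-byte strings for publishing under a new selector. It uses only the Python standard library, with just enough DER parsing for the SubjectPublicKeyInfo that p= carries. The sample keys are constructed moduli of the right bit length rather than real RSA keys, and the function names are my own.

```python
# Added example for this post (not the scanner's code): decode the p= value of
# a DKIM TXT record to get the RSA modulus length, and build a correctly split
# TXT record for a new 2048-bit selector. Standard library only; the DER code
# handles just what a DKIM p= value contains (SubjectPublicKeyInfo wrapping an
# RSAPublicKey). The sample keys are CONSTRUCTED moduli of the right size, not
# real RSA keys, so this runs offline without generating or fetching anything.
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

# ---- minimal DER helpers ----------------------------------------------------

def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:          # INTEGER is signed: pad so a high top bit stays positive
        b = b"\x00" + b
    return _der(0x02, b)

def _read_tlv(data, pos=0):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:        # long form: low bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length

# ---- DKIM record handling ---------------------------------------------------

def spki_from_modulus(n, e=65537):
    """SubjectPublicKeyInfo DER for RSA public key (n, e): what p= encodes."""
    alg = _der(0x30, RSA_OID + b"\x05\x00")                   # {rsaEncryption, NULL}
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))          # RSAPublicKey {n, e}
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))   # BIT STRING: unused-bits byte first

def rsa_bits_from_spki(der):
    """Modulus length in bits of an rsaEncryption SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg, pos = _read_tlv(spki)
    if not alg.startswith(RSA_OID):
        raise ValueError("p= is not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected a BIT STRING after the algorithm identifier")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)       # skip the unused-bits byte
    _, modulus, _ = _read_tlv(rsa_pub)         # first INTEGER in RSAPublicKey is n
    return int.from_bytes(modulus, "big").bit_length()

def parse_dkim_txt(txt):
    """tag=value pairs from a record as `dig TXT` prints it. dig shows a long
    record as several quoted strings; join them and strip whitespace from the
    values, since RFC 6376 allows the base64 in p= to be folded."""
    tags = {}
    for field in txt.replace('"', "").split(";"):
        name, sep, value = field.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def assess_dkim_record(txt):
    """Report key type, modulus bits and a verdict for one selector's record."""
    tags = parse_dkim_txt(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM record")
    key_type = tags.get("k", "rsa")            # k= defaults to rsa when absent
    if not tags.get("p"):
        return {"k": key_type, "bits": 0, "verdict": "revoked (empty p=)"}
    if key_type != "rsa":
        return {"k": key_type, "bits": None, "verdict": f"{key_type} key, not RSA"}
    bits = rsa_bits_from_spki(base64.b64decode(tags["p"]))
    if bits < 1024:
        verdict = "critical: below the RFC 8301 minimum, verifiers will reject it"
    elif bits < 2048:
        verdict = "weak: below 2048-bit, fails Secure Configuration"
    else:
        verdict = "ok"
    return {"k": "rsa", "bits": bits, "verdict": verdict}

def dkim_txt_strings(spki_der, max_chunk=255):
    """Split a new record into strings of at most 255 bytes: a 2048-bit p=
    is about 390 characters, so it cannot fit in one TXT string."""
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode()
    return [record[i:i + max_chunk] for i in range(0, len(record), max_chunk)]

# ---- constructed samples: right bit length, NOT real RSA moduli --------------
WEAK_SPKI = spki_from_modulus((1 << 1023) | 0x10001)     # 1024-bit modulus
STRONG_SPKI = spki_from_modulus((1 << 2047) | 0x10001)   # 2048-bit modulus
WEAK_RECORD = '"v=DKIM1; k=rsa; p=' + base64.b64encode(WEAK_SPKI).decode() + '"'

if __name__ == "__main__":
    print(assess_dkim_record(WEAK_RECORD))
    for chunk in dkim_txt_strings(STRONG_SPKI):
        print(len(chunk), chunk[:30] + "...")
```

For a real answer, paste the output of dig TXT selector._domainkey.yourdomain +short into assess_dkim_record; the quote handling exists precisely because dig prints a 2048-bit record as two quoted strings. If you would rather not run Python, the same check is to base64-decode the p= value and pipe it to openssl rsa -pubin -inform DER -noout -text, which prints the key size as Public-Key: (1024 bit).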

Olimpio's CE Readiness checklist flags this exact finding automatically when it shows up on a scan, severity-ranked alongside everything else under CE2 Secure Configuration, so it's not something you have to go hunting for manually after the fact.

Frequently asked questions

Will a weak DKIM key stop my emails from being delivered? Not immediately. RFC 8301 only obliges receivers to reject keys shorter than 1024 bits, so most servers still accept and verify a 1024-bit signature today, but that floor can move as major providers tighten their requirements, and in the meantime a weak key gives less protection against forged email.

How do I know what bit length my current DKIM key is? Check your email provider's DKIM settings page, which usually states the key length directly, or look up the selector record in DNS and decode its p= value, which gives you the modulus size regardless of who originally set it up.

Does upgrading my DKIM key affect my existing SPF or DMARC setup? No, they're independent records. Upgrading DKIM key strength doesn't touch your SPF record or DMARC policy, though all three work together as part of the same email authentication picture: DMARC passes when either DKIM or SPF passes with alignment, so during a rotation make sure SPF still covers your sending servers.

Can I just generate a new DKIM key myself without my email provider? Technically yes if you control your own mail server, but for businesses using Google Workspace, Microsoft 365, or similar hosted platforms, the key generation happens through the provider's settings, not manually.

How often should DKIM keys be rotated? There's no fixed Cyber Essentials requirement for rotation frequency, but M3AAWG's DKIM key rotation best practices recommend rotating on a regular schedule, and generating a fresh 2048-bit key under a new selector during any email platform migration, and periodically as good practice, is sensible.

Run a free scan of your domain and you'll see your actual DKIM key strength alongside everything else Cyber Essentials checks, with your CE Readiness checklist ready before your assessor asks: olimpio.io/free-scan

Want to see what attackers see?

Scan your domain with a 7-day free trial — no setup, no technical knowledge needed, results in ~20 minutes.

Start your free trial →