RSA vs Ed25519 for DKIM: which signing algorithm should you choose?
By CaptainDNS
Published on March 6, 2026

- RSA 2048-bit remains the universal standard for DKIM: supported by all providers, but a public key of ~392 characters and a 256-byte signature
- Ed25519 (RFC 8463) produces 44-character keys and 64-byte signatures, with signing up to 30x faster
- In 2026, Ed25519 is supported by Google, Fastmail, and some open-source MTAs, but Microsoft 365 and Yahoo do not verify it yet
- Dual signing (RSA + Ed25519 in parallel) is the recommended strategy to prepare for migration without risk
- Stop using RSA 1024-bit: rejected by Google, Microsoft, and Yahoo since 2024
Your DKIM record uses RSA 2048-bit. It is solid, but the public key alone takes up more than 390 characters in your DNS zone. Every email carries a 256-byte signature in its headers. At the scale of millions of messages, this overhead is not negligible.
Ed25519, standardized for DKIM by RFC 8463 in 2018, promises keys 9 times shorter and signatures 4 times lighter, with a security level equivalent to RSA 3072-bit. But provider support remains incomplete in 2026.
This guide compares the two algorithms in depth: underlying cryptography, key and signature sizes, performance, security, provider compatibility, and recommended migration strategy. Target audience: system administrators and DevOps engineers who manage email infrastructure.
How does DKIM sign emails?
DKIM uses asymmetric cryptography to sign every outgoing email. The sending server signs a hash of the headers and body with a private key. The receiving server retrieves the public key from DNS and verifies the signature.
The DKIM-Signature header contains the a= tag that indicates the algorithm used:
```
DKIM-Signature: v=1; a=rsa-sha256; d=captaindns.com; s=s202603; ...
```
or:
```
DKIM-Signature: v=1; a=ed25519-sha256; d=captaindns.com; s=ed202603; ...
```
The two available algorithms are rsa-sha256 (standard since 2007) and ed25519-sha256 (added by RFC 8463 in 2018). The hash is always SHA-256 in both cases.
RSA 2048 for DKIM: the proven standard
How it works
RSA (Rivest-Shamir-Adleman) is a public-key algorithm based on the difficulty of factoring the product of two large prime numbers. For DKIM:
- The private key signs the SHA-256 hash of the message
- The public key, published in a TXT record, enables verification
- The minimum recommended size has been 2048 bits since 2024
RSA DNS record
```
s202603._domainkey.captaindns.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3pZ..."
```
The RSA 2048-bit public key encoded in Base64 is approximately 392 characters long. Some DNS hosts limit TXT records to 255 characters per string, which requires splitting the value into multiple quoted strings.
Strengths and limitations
| Aspect | Detail |
|---|---|
| Support | Universal: all MTAs and providers |
| Maturity | DKIM standard since 2007 (RFC 4871, then 6376) |
| Security | Strong through 2030+ according to NIST |
| Public key size | ~392 characters (Base64) |
| Signature size | 256 bytes |
| Performance | Slower signing, fast verification |
| DNS size | May require splitting into multiple TXT strings |
Ed25519 for DKIM: the modern alternative
How it works
Ed25519 is a signature algorithm based on elliptic curves (Curve25519), designed by Daniel J. Bernstein in 2011. For DKIM, it was standardized by RFC 8463 in September 2018.
The algorithm uses a twisted Edwards curve over the prime field GF(2^255 - 19), which is where the name comes from. Security relies on the difficulty of the elliptic curve discrete logarithm problem, for which no sub-exponential attack is known, unlike integer factorization; this is why a 256-bit curve key reaches the same security level as a much larger RSA modulus.
Ed25519 DNS record
```
ed202603._domainkey.captaindns.com IN TXT "v=DKIM1; k=ed25519; p=11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo="
```
The Ed25519 public key is exactly 44 characters in Base64. The DNS record fits in a single TXT string, with no splitting required.
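To make the record sizes discussed above concrete (the RSA value that often needs splitting into 255-character strings, the Ed25519 value that never does), here is an added Go example; it is not code from this article or from CaptainDNS. It generates both key pairs in memory and builds the p= values the way the RFCs define them: DER SubjectPublicKeyInfo for RSA (RFC 6376) and the raw 32-byte key for Ed25519 (RFC 8463).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// DKIMRecord builds the TXT value for a DKIM public key. For k=rsa the p= tag carries the
// base64 DER SubjectPublicKeyInfo (RFC 6376); for k=ed25519 it carries the raw 32-byte key
// (RFC 8463), which is why that p= value is always exactly 44 characters.
func DKIMRecord(keyType string, pub []byte) string {
	return fmt.Sprintf("v=DKIM1; k=%s; p=%s", keyType, base64.StdEncoding.EncodeToString(pub))
}

// SplitTXT splits a record into quoted strings of at most 255 characters, the form needed
// at DNS hosts that enforce the per-string limit. Ed25519 records always stay in one string.
func SplitTXT(record string) []string {
	var parts []string
	for len(record) > 255 {
		parts = append(parts, fmt.Sprintf("%q", record[:255]))
		record = record[255:]
	}
	return append(parts, fmt.Sprintf("%q", record))
}

// NewRecords generates a fresh RSA 2048 and Ed25519 key pair (in memory, for the example
// only; a real MTA loads them from key files) and returns both TXT values.
func NewRecords() (rsaTXT, edTXT string, err error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", err
	}
	spki, err := x509.MarshalPKIXPublicKey(&rsaKey.PublicKey)
	if err != nil {
		return "", "", err
	}
	edPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	return DKIMRecord("rsa", spki), DKIMRecord("ed25519", edPub), nil
}
```

With a 2048-bit modulus and the usual exponent 65537 the RSA SPKI is 294 bytes, which base64-encodes to the 392 characters quoted in the article, so `SplitTXT` returns two strings for it and one for the Ed25519 record.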
Strengths and limitations
| Aspect | Detail |
|---|---|
| Public key size | 44 characters (Base64), 9x shorter than RSA |
| Signature size | 64 bytes, 4x lighter than RSA |
| Performance | Signing up to 30x faster than RSA 2048 |
| Security | Equivalent to RSA ~3072-bit (128 bits of security) |
| Resistance | Designed for constant-time implementation, which limits timing side channels |
| Support | Partial: Google, Fastmail, some open-source MTAs |
| Limitation | Microsoft 365 and Yahoo do not verify Ed25519 yet |
RSA vs Ed25519: detailed technical comparison

| Criterion | RSA 2048 | Ed25519 |
|---|---|---|
| Algorithm | RSA (factorization) | EdDSA (elliptic curves) |
| DKIM RFC | RFC 6376 (2011) | RFC 8463 (2018) |
| a= tag | rsa-sha256 | ed25519-sha256 |
| k= tag | rsa | ed25519 |
| Private key size | ~1,700 bytes | 32 bytes |
| Public key size | ~392 characters | 44 characters |
| Signature size | 256 bytes | 64 bytes |
| Security bits | ~112 bits | ~128 bits |
| Hash | SHA-256 | SHA-256 |
| DNS record size | ~430 characters | ~90 characters |
| TXT splitting required | Often (255-char limit) | Never |
| Provider support 2026 | Universal | Partial |
Impact on email size
Every email signed with RSA 2048 adds approximately 500 characters to the DKIM-Signature header (Base64 signature of ~344 characters + tags). With Ed25519, this header is only about 200 characters (Base64 signature of ~88 characters + tags).
For a server sending 1 million emails per day, the difference amounts to approximately 300 MB of daily bandwidth saved with Ed25519.
Impact on DNS queries
DKIM verification requires a DNS TXT query to retrieve the public key. With RSA 2048, the DNS response is ~500 bytes. With Ed25519, it is ~150 bytes. For DNS resolvers and receiving servers, this difference reduces network load and resolution time.
Provider compatibility in 2026

| Provider | Ed25519 signing | Ed25519 verification |
|---|---|---|
| Google (Gmail/Workspace) | Yes (since 2019) | Yes |
| Fastmail | Yes | Yes |
| Proton Mail | No | Yes |
| Microsoft 365 | No | No |
| Yahoo/AOL | No | No |
| Postfix + OpenDKIM | Yes (since 2.11) | Yes |
| Postfix + rspamd | Yes | Yes |
| Exim | Yes (since 4.95) | Yes |
| Amazon SES | No | No |
| SendGrid | No | No |
| Mailgun | No | No |
Critical point: if you sign exclusively with Ed25519 and the receiving server does not support it, DKIM verification fails. The server does not automatically fall back to another algorithm. This is why dual signing is essential.
Dual signing: the recommended strategy
The safest strategy is to sign every email with two DKIM signatures: one RSA 2048 and one Ed25519. Each signature uses its own selector.
How does it work?
The outgoing email contains two DKIM-Signature headers:
```
DKIM-Signature: v=1; a=ed25519-sha256; d=captaindns.com; s=ed202603;
    h=from:to:subject:date:message-id;
    bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
    b=dGVzdA==...
DKIM-Signature: v=1; a=rsa-sha256; d=captaindns.com; s=rsa202603;
    h=from:to:subject:date:message-id;
    bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
    b=AuUoFEfDxTDkHlLXSZEpZj79LICEps6eda7W3deTVFOk...
```
Two DNS records
```
rsa202603._domainkey.captaindns.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."
ed202603._domainkey.captaindns.com IN TXT "v=DKIM1; k=ed25519; p=11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo="
```
Receiving server behavior
The receiving server verifies all DKIM signatures present. According to RFC 6376, a single dkim=pass is sufficient for authentication to succeed:
- If the server supports Ed25519: both signatures pass
- If the server does not support Ed25519: it cannot use the Ed25519 signature and ignores it, verifies only the RSA signature, and DKIM passes on that one
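The receiver behavior just described, as an added Go example (not code from the article, from OpenDKIM or from any MTA): it dual-signs a constructed message and then plays the receiver both with and without Ed25519 support. Real DKIM also canonicalizes headers and body and parses the tag list; that part is assumed already done, and `data` stands for the canonicalized input.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// DualSign returns the two DKIM signatures of dual signing, keyed by their a= tag, over the
// SHA-256 digest of data (assumed already canonicalized per RFC 6376). rsa-sha256 is
// RSASSA-PKCS1-v1_5 over the digest; ed25519-sha256 signs the digest bytes, as RFC 8463 specifies.
func DualSign(data []byte, rsaKey *rsa.PrivateKey, edKey ed25519.PrivateKey) (map[string][]byte, error) {
	h := sha256.Sum256(data)
	rsaSig, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	return map[string][]byte{"rsa-sha256": rsaSig, "ed25519-sha256": ed25519.Sign(edKey, h[:])}, nil
}

// VerifyAll models a receiver that may or may not implement Ed25519. Each signature gets a
// verdict of "pass", "fail", or "unsupported"; an unsupported a= is simply unusable, the
// receiver never falls back to another algorithm on the sender's behalf. The second return
// value is the overall DKIM result.
func VerifyAll(data []byte, sigs map[string][]byte, rsaPub *rsa.PublicKey, edPub ed25519.PublicKey, supportsEd bool) (map[string]string, bool) {
	h := sha256.Sum256(data)
	results, passed := map[string]string{}, false
	for algo, b := range sigs {
		var ok bool
		switch {
		case algo == "rsa-sha256":
			ok = rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, h[:], b) == nil
		case algo == "ed25519-sha256" && supportsEd:
			ok = ed25519.Verify(edPub, h[:], b)
		default:
			results[algo] = "unsupported" // no fallback: this header is unusable here
			continue
		}
		results[algo] = "fail"
		if ok {
			results[algo], passed = "pass", true // RFC 6376: one valid signature is enough
		}
	}
	return results, passed
}
```

Signing only with Ed25519 and delivering to an RSA-only receiver yields a single "unsupported" verdict and no pass, which is the failure mode the dual-signing strategy avoids.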
Configuration with OpenDKIM (Postfix)
In /etc/opendkim/signing.table:
```
*@captaindns.com rsa202603._domainkey.captaindns.com
*@captaindns.com ed202603._domainkey.captaindns.com
```
In /etc/opendkim/key.table:
```
rsa202603._domainkey.captaindns.com captaindns.com:rsa202603:/etc/opendkim/keys/captaindns.com/rsa202603.private
ed202603._domainkey.captaindns.com captaindns.com:ed202603:/etc/opendkim/keys/captaindns.com/ed202603.private
```
Use the DKIM Generator to create both key pairs and get DNS records ready to publish.
How to migrate to RSA 2048 or Ed25519?
If you are still using RSA 1024-bit, migration is urgent. Google, Microsoft, and Yahoo have been rejecting DKIM signatures with keys shorter than 2048 bits since 2024.
Step 1: audit existing selectors
Use a selector discovery tool to identify all active DKIM selectors on your domain and verify current key sizes.
Step 2: generate new keys
Create an RSA 2048-bit key pair with a new timestamped selector. If your infrastructure supports it, also create an Ed25519 key pair.
Step 3: publish DNS records
Publish the new public keys in your DNS zone. Keep the old keys active during the transition.
Step 4: switch signing
Configure your sending server to use the new selectors. If you are switching to dual signing, add Ed25519 alongside RSA.
Step 5: verify and revoke
After 48 hours, verify that emails signed with the new keys show dkim=pass in the Authentication-Results headers. Revoke the old keys by publishing an empty p= in the DNS record, then remove them after 30 days.
Recommended action plan
- Audit: identify your DKIM selectors and current key sizes
- Generate RSA 2048: if you are still on RSA 1024, migrate as a priority
- Add Ed25519: create a second Ed25519 key pair with a separate selector
- Publish both keys in DNS with descriptive selectors (rsa202603, ed202603)
- Configure dual signing on your MTA (OpenDKIM, rspamd, Exim)
- Verify: send test emails to Gmail (supports Ed25519) and Outlook (RSA only)
- Plan rotation: renew both key pairs every 3 months
FAQ
Is Ed25519 more secure than RSA 2048 for DKIM?
Ed25519 offers 128 bits of security, equivalent to RSA 3072-bit. RSA 2048 offers approximately 112 bits of security. In practice, both are considered secure through 2030+. Ed25519 has the advantage of being resistant by design to side-channel attacks (constant-time), which reduces the risk of faulty implementations.
Can you use Ed25519 alone for DKIM?
It is technically possible but not recommended in 2026. Microsoft 365 and Yahoo do not yet verify Ed25519 signatures. If you sign exclusively with Ed25519, these providers will not be able to validate DKIM. Use dual signing (RSA + Ed25519) for maximum compatibility.
How does DKIM dual signing work?
The sending server adds two DKIM-Signature headers to the message: one with rsa-sha256 and one with ed25519-sha256. Each signature uses its own selector and its own key pair. The receiving server verifies all signatures present. A single dkim=pass is sufficient for authentication to succeed.
Is RSA 1024-bit still accepted for DKIM?
No. Google, Microsoft, and Yahoo have been rejecting DKIM signatures with RSA keys shorter than 2048 bits since 2024. If you are still using RSA 1024, migrate immediately to RSA 2048 or add Ed25519 in parallel.
Should you use RSA 4096-bit for DKIM?
RSA 4096 is more secure than 2048, but the public key is approximately 800 characters long, which causes DNS size issues. Most providers do not sign with 4096-bit keys. Prefer dual signing with RSA 2048 + Ed25519: you get a better security level with shorter keys.
Does Gmail support Ed25519 for DKIM?
Yes. Google has been signing Gmail emails with Ed25519 since 2019 and verifies incoming Ed25519 signatures. It was the first major provider to adopt Ed25519 for DKIM. Google Workspace also allows configuring DKIM with Ed25519.
Which RFC defines Ed25519 for DKIM?
RFC 8463, published in September 2018, defines the use of Ed25519-SHA256 as a signing algorithm for DKIM. It complements RFC 6376, which only defined rsa-sha256. The algorithm is identified by the a=ed25519-sha256 tag in the DKIM-Signature header.
Is Ed25519 resistant to quantum computers?
No. Like RSA, Ed25519 is vulnerable to quantum algorithms (Shor's algorithm for RSA, a modified algorithm for elliptic curves). However, quantum computers capable of breaking these algorithms do not yet exist. NIST is working on post-quantum standards, but none are yet available for DKIM.
Glossary
- RSA: an asymmetric cryptography algorithm based on the factorization of large prime numbers, invented in 1977 by Rivest, Shamir, and Adleman.
- Ed25519: a digital signature algorithm based on the elliptic curve Curve25519, designed by Daniel J. Bernstein in 2011.
- EdDSA (Edwards-curve Digital Signature Algorithm): a family of signature algorithms on Edwards curves, of which Ed25519 is the most widely used instance.
- Elliptic curve: a mathematical structure used in cryptography, providing a high level of security with shorter keys than RSA.
- DKIM selector: a text identifier that locates the public key in DNS under selector._domainkey.domain.
- Dual signing: a technique of signing an email with two different DKIM algorithms (RSA + Ed25519) to maximize compatibility.
- RFC 8463: the IETF standard that defines the use of Ed25519-SHA256 for DKIM signing.