Signers using a key larger than 2048 (like I have done for years now) aren't
inside the specification because there is no MUST on the validation
side.
From an operational perspective I experience no drawback using 4k RSA
keys for DKIM.
I'm not surprised that 4K keys work. Most crypto software can handle
arbitrary key sizes. The most likely issue would be that the TXT records
don't fit in a 512 byte response packet which is a problem for some cruddy
middleboxes.
Could you explain what problem you believe needs 4K rather than 2K keys?
DKIM is not PGP or S/MIME and is not intended for long term protection of
confidential data. It's just a short term assurance that a particular
message in transit was signed by a particular signer.
I rotate my keys every month, which appears to be the shortest DKIM
rotation time in the world. Most people do it every six months or a year.
R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
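As an added illustration of the 512-byte point raised above (this is not code from the thread), the following Python script estimates the wire size of a DNS TXT answer carrying a DKIM key for RSA-1024, RSA-2048 and RSA-4096 without generating any keys; the owner name and the "A" padding that stands in for the base64 public key are constructed placeholders.

```python
"""Estimate whether a DKIM TXT record for an RSA key of a given size fits in a
classic 512-byte UDP DNS response (the RFC 1035 limit without EDNS0).
Sizes are derived from the DER layout of a SubjectPublicKeyInfo."""
import math

def _der_tlv_len(content_len: int) -> int:
    """Total bytes of a DER TLV (tag + length bytes + content) for a content length."""
    if content_len < 0x80:
        len_bytes = 1
    elif content_len < 0x100:
        len_bytes = 2
    elif content_len < 0x10000:
        len_bytes = 3
    else:
        len_bytes = 4
    return 1 + len_bytes + content_len

def spki_der_len(modulus_bits: int, exponent: int = 65537) -> int:
    """DER length of the RSA SubjectPublicKeyInfo, which is what DKIM's p= tag carries."""
    modulus = _der_tlv_len(modulus_bits // 8 + 1)         # leading 0x00: high bit of n is set
    exp_bytes = (exponent.bit_length() + 7) // 8
    exp = _der_tlv_len(exp_bytes)                          # 65537 -> 0x010001, high bit clear
    rsa_public_key = _der_tlv_len(modulus + exp)           # SEQUENCE { n, e }
    bit_string = _der_tlv_len(1 + rsa_public_key)          # one 'unused bits' byte + key
    alg_id = _der_tlv_len(11 + 2)                          # OID rsaEncryption (11) + NULL (2)
    return _der_tlv_len(alg_id + bit_string)

def dkim_txt_value(modulus_bits: int) -> str:
    """TXT text; constructed 'A' padding stands in for base64(SPKI) of the right length."""
    b64_len = 4 * math.ceil(spki_der_len(modulus_bits) / 3)
    return "v=DKIM1; k=rsa; p=" + "A" * b64_len

def dns_txt_response_len(owner_name: str, txt_value: str) -> int:
    """Wire size of a minimal answer: header, one question, one TXT RR (compressed owner name)."""
    labels = owner_name.rstrip(".").split(".")
    wire_name = sum(1 + len(label) for label in labels) + 1   # length-prefixed labels + root
    question = wire_name + 4                                   # QTYPE + QCLASS
    rdata = len(txt_value) + math.ceil(len(txt_value) / 255)   # 255-byte <character-string> chunks
    answer = 2 + 2 + 2 + 4 + 2 + rdata                         # name pointer, TYPE, CLASS, TTL, RDLENGTH
    return 12 + question + answer

def fits_in_512(modulus_bits: int, owner_name: str = "202405._domainkey.example.com") -> bool:
    """True if a plain UDP response for this key size stays within 512 bytes."""
    return dns_txt_response_len(owner_name, dkim_txt_value(modulus_bits)) <= 512

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        size = dns_txt_response_len("202405._domainkey.example.com", dkim_txt_value(bits))
        print(f"RSA-{bits}: {size}-byte response, fits in 512: {size <= 512}")
```

A 2048-bit key lands just under the limit here, while a 4096-bit record forces truncation and a TCP retry (or EDNS0), which is where a resolver behind a restrictive middlebox can fail the lookup.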