Hello,
In the filter-dkimsign readme I suggest to use 2048 and I stand by it.
Thanks for mentioning and coding filter-dkimsign! Somehow I was unaware of it. I used rspamd just for DKIM. Which is overkill. The daemon racks up nearly 28000 daily DNS requests to free services (like dnswl.org, senderscore.com, spamhaus.org etc.) just by running. (I didn't use it as an inbound filter. I overwrote rbl.conf. I have no clue what it is doing.) So I switched to filter-dkimsign.
I also switched to a 2048 bits key. Which looks good so far. Ironically only dkimvalidator.com had a problem verifying until I relaxed the canonicalization algorithms. (Other tests like mail-tester.com or github.com/lieser/dkim_verifier had no problem with it being simple.)
