De IETF RFC 4871 (grifo nosso):
3.3.3. Key Sizes
Selecting appropriate key sizes is a trade-off between cost, performance, and risk. Since short RSA keys more easily succumb to off-line attacks, signers MUST use RSA keys of at least 1024 bits for long-lived keys. Verifiers MUST be able to validate signatures with keys ranging from 512 bits to 2048 bits, and they MAY be able to validate signatures with larger keys. Verifier policies may use the length of the signing key as one metric for determining whether a signature is acceptable.
Factors that should influence the key size choice include the following:
The practical constraint that large (e.g., 4096 bit) keys may not fit within a 512-byte DNS UDP response packet
The security constraint that keys smaller than 1024 bits are subject to off-line attacks
Larger keys impose higher CPU costs to verify and sign email
Keys can be replaced on a regular basis, thus their lifetime can be relatively short
The security goals of this specification are modest compared to typical goals of other systems that employ digital signatures
See [RFC3766] for further discussion on selecting key sizes.