Suped

Does 'simple' canonicalization handle whitespace differences?

When you're setting up DKIM (DomainKeys Identified Mail), you'll encounter a crucial setting called canonicalization. This process creates a standardized, or 'canonical', version of your email's headers and body before they are digitally signed. The goal is to ensure the signature remains valid even if the email is slightly altered during transit, which happens more often than you might think.

The short answer to the question is no. The 'simple' canonicalization algorithm is extremely strict and does not tolerate most whitespace differences. Any minor change to whitespace in the signed parts of the email will likely cause the DKIM signature to fail verification.

Suped DMARC monitor
Free forever, no credit card required
Get started for free
Trusted by teams securing millions of inboxes
Company logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logo

What is 'simple' canonicalization in DKIM?

DKIM defines two canonicalization algorithms: 'simple' and 'relaxed'. The names are a bit misleading. 'Simple' is not simpler to use, it's just more rigid in its rules. It's designed to tolerate almost no modification to the email.

datatracker.ietf.org logo
IETF Datatracker says:
Visit website
The "simple" header canonicalization algorithm does not change header fields in any way. Header fields MUST NOT be reordered, and the names and values MUST NOT be changed.

For the email body, the 'simple' algorithm is almost as strict. It ignores any empty lines at the very end of the email body but considers any other change, including whitespace modifications within lines, to be a significant alteration. This means converting a tab to a space or adding a trailing space to a line will break the signature.

The problem with strictness

This extreme strictness is a major problem for email deliverability. As an email travels from the sender to the recipient, it passes through various Mail Transfer Agents (MTAs). These servers often make minor, seemingly harmless changes to the email's content.

www.metaspike.com logo
Metaspike says:
Visit website
The simple algorithm tolerates almost no modification. For the header, the simple algorithm presents the header fields to the signing algorithm “as is” without modification.

Common modifications that break 'simple' canonicalization include:

  • Changing how long header lines are wrapped.
  • Converting tabs to spaces or vice versa.
  • Altering line endings (for example, from CRLF to LF).
  • Adding promotional footers or disclaimers, which is common with mailing lists and some corporate gateways.

If you use 'simple' canonicalization, any of these changes will cause your DKIM check to fail, potentially harming your sender reputation and causing your emails to land in the spam folder or be rejected.

The alternative: 'relaxed' canonicalization

This is where 'relaxed' canonicalization comes in. It is designed specifically to withstand these common in-transit modifications. For example, the 'relaxed' algorithm for the body will:

  • Ignore all whitespace at the end of lines.
  • Reduce any sequence of one or more whitespace characters (like spaces and tabs) within a line to a single space.
  • Ignore empty lines at the end of the message body.

Relaxed header canonicalization performs similar normalizations, like converting header field names to lowercase and unfolding header lines. This makes the signature much more durable.

www.duocircle.com logo
DuoCircle says:
Visit website
The strictness of simple canonicalization makes it a less favorable option for domain owners. The majority of them do not want their emails to break because of insignificant modifications made by mail servers.

My recommendation

For virtually all senders, my recommendation is to use 'relaxed' canonicalization for both headers and the body. In your DKIM signature record, this is specified with the c= tag. The most robust and widely used setting is c=relaxed/relaxed.

While 'simple' might seem appealing by name, its rigidity makes it impractical for the modern email ecosystem. Choosing 'relaxed' ensures that your DKIM signatures are resilient to common changes, giving your emails the best chance of passing authentication checks and reaching the inbox.

Start improving your email deliverability today

Get started