When you're setting up DKIM (DomainKeys Identified Mail), you'll encounter a crucial setting called canonicalization. This process creates a standardized, or 'canonical', version of your email's headers and body before they are digitally signed. The goal is to ensure the signature remains valid even if the email is slightly altered during transit, which happens more often than you might think.
The short answer to the question is no. The 'simple' canonicalization algorithm is extremely strict and does not tolerate most whitespace differences. Any minor change to whitespace in the signed parts of the email will likely cause the DKIM signature to fail verification.
DKIM defines two canonicalization algorithms: 'simple' and 'relaxed'. The names are a bit misleading. 'Simple' is not simpler to use; it is just more rigid in its rules. It's designed to tolerate almost no modification to the email.
For the email body, the 'simple' algorithm is almost as strict. It ignores any empty lines at the very end of the email body but considers any other change, including whitespace modifications within lines, to be a significant alteration. This means converting a tab to a space or adding a trailing space to a line will break the signature.
This extreme strictness is a major problem for email deliverability. As an email travels from the sender to the recipient, it passes through various Mail Transfer Agents (MTAs). These servers often make minor, seemingly harmless changes to the email's content.
Common modifications that break 'simple' canonicalization include:
If you use 'simple' canonicalization, any of these changes will cause your DKIM check to fail, potentially harming your sender reputation and causing your emails to land in the spam folder or be rejected.
This is where 'relaxed' canonicalization comes in. It is designed specifically to withstand these common in-transit modifications. For example, the 'relaxed' algorithm for the body will:
Relaxed header canonicalization performs similar normalizations, like converting header field names to lowercase and unfolding header lines. This makes the signature much more durable.
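To make the difference concrete, the following added example (not code from the original article) implements the 'simple' and 'relaxed' body canonicalization rules from RFC 6376 and checks which in-transit changes alter the body hash. It assumes SHA-256 hashing, a body that already uses CRLF line endings, and no l= body length limit; the function names and the sample message are constructed for illustration.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"

def canon_body_simple(body: bytes) -> bytes:
    """'simple' body: drop trailing empty lines only, end with exactly one CRLF."""
    while body.endswith(CRLF):
        body = body[:-2]
    return body + CRLF

def canon_body_relaxed(body: bytes) -> bytes:
    """'relaxed' body: collapse WSP runs, strip line-end WSP, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + CRLF for ln in lines)

def body_hash(body: bytes, algo: str) -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the value carried in bh=."""
    canon = canon_body_simple(body) if algo == "simple" else canon_body_relaxed(body)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def survives(signed: bytes, received: bytes) -> dict:
    """Per algorithm: does the body hash computed at signing still match on receipt?"""
    return {a: body_hash(signed, a) == body_hash(received, a) for a in ("simple", "relaxed")}

# Constructed sample body and in-transit variants (not taken from real mail).
SIGNED = b"Hello\tworld,\r\nyour invoice is attached.\r\n"
VARIANTS = {
    "tab -> space": SIGNED.replace(b"\t", b" "),
    "trailing space added": SIGNED.replace(b"world,", b"world, "),
    "blank lines appended": SIGNED + CRLF + CRLF,
    "word changed": SIGNED.replace(b"invoice", b"payment"),
}

if __name__ == "__main__":
    for name, received in VARIANTS.items():
        print(f"{name:22} {survives(SIGNED, received)}")
```

Whitespace-only changes keep the 'relaxed' body hash intact while breaking 'simple', and a real content change breaks both, which is the integrity property the signature is meant to preserve.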
For virtually all senders, my recommendation is to use 'relaxed' canonicalization for both headers and the body. In the DKIM-Signature header of your messages, this is specified with the c= tag. The most robust and widely used setting is c=relaxed/relaxed.
While 'simple' might seem appealing by name, its rigidity makes it impractical for the modern email ecosystem. Choosing 'relaxed' ensures that your DKIM signatures are resilient to common changes, giving your emails the best chance of passing authentication checks and reaching the inbox.