When setting up DKIM, you'll encounter a choice between 'simple' and 'relaxed' canonicalization for both the email's header and body. The short answer is that simple canonicalization is much stricter than relaxed canonicalization. This strictness is why it's rarely recommended.
Canonicalization is the process of converting an email into a standardized, or canonical, format before the cryptographic signature is applied. Because emails can be slightly modified in transit by mail servers, this process is crucial for ensuring the DKIM signature remains valid when it's checked by the recipient's server. The choice of algorithm determines how much modification is tolerated.
The 'simple' algorithm is extremely rigid. As the name implies, its rules are straightforward, but they offer virtually no flexibility. Your DKIM record specifies which canonicalization to use with the c= tag, like c=simple/simple. The first value applies to the header and the second to the body.
This extreme sensitivity is why most experts advise against using 'simple' canonicalization. The internet's email infrastructure involves many different systems, and slight, often benign, modifications are common. The strictness of simple canonicalization makes it a fragile choice that often leads to legitimate emails failing DKIM checks.
Relaxed canonicalization is designed to be more resilient. It understands that certain types of modifications happen frequently during email transit and considers them acceptable, allowing the DKIM signature to remain valid.
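To make the difference concrete, here is an added example (not code from this page or from any DKIM library) that applies the simple and relaxed rules defined in RFC 6376 to a message before and after a relay changes its whitespace. The sample header and body, the function names, and the use of SHA-256 for the body hash are assumptions made for illustration.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"

def canon_header(field: bytes, mode: str) -> bytes:
    """Canonicalize one CRLF-terminated header field per RFC 6376 section 3.4."""
    if mode == "simple":
        return field                              # simple: bytes are left untouched
    name, _, value = field.partition(b":")
    value = value.replace(CRLF, b"")              # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" ")
    return name.strip(b" \t").lower() + b":" + value + CRLF

def canon_body(body: bytes, mode: str) -> bytes:
    if mode == "relaxed":                         # collapse WSP runs, drop WSP at line end
        body = CRLF.join(re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
                         for ln in body.split(CRLF))
    while body.endswith(CRLF):                    # both modes ignore trailing empty lines
        body = body[:-2]
    if body or mode == "simple":                  # simple turns an empty body into one CRLF
        body += CRLF
    return body

def body_hash(body: bytes, mode: str) -> str:
    """Value the bh= tag would carry, assuming the signature uses SHA-256."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

# Constructed sample: the message as signed, and the same message after a relay
# re-folded the Subject line and altered whitespace in the body.
SENT_SUBJECT = b"Subject: Quarterly  report\r\n"
RELAYED_SUBJECT = b"SUBJECT:  Quarterly\r\n\treport \r\n"
SENT_BODY = b"Hello team,\r\nNumbers attached.\r\n"
RELAYED_BODY = b"Hello  team, \r\nNumbers attached.\t\r\n\r\n"

def survives(mode: str) -> bool:
    """True when the relayed copy canonicalizes to the bytes the signer hashed."""
    return (canon_header(RELAYED_SUBJECT, mode) == canon_header(SENT_SUBJECT, mode)
            and body_hash(RELAYED_BODY, mode) == body_hash(SENT_BODY, mode))

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, "signature input unchanged:", survives(mode))
```

Both algorithms ignore empty lines at the end of the body, so the extra trailing CRLF alone would not break a simple signature; the whitespace changes inside the lines and the re-folded header do.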
You should almost always use relaxed canonicalization for both the header and body: c=relaxed/relaxed. This setting provides the best defense against DKIM failures caused by minor, in-transit modifications that are outside of your control. Using 'simple' canonicalization exposes your emails to a high risk of failing validation, which can negatively impact your email deliverability.
The consensus is clear: 'simple' is too strict for the modern email ecosystem, while 'relaxed' provides the necessary flexibility to ensure your DKIM signatures survive the journey to the inbox. Unless you have a very specific, controlled environment where you can guarantee no modifications will occur, choosing 'relaxed' is the safest and most effective strategy for your email authentication.