When you're setting up DKIM (DomainKeys Identified Mail), you'll come across several different tags in the signature header. Each tag has a specific purpose, from identifying the domain to specifying the signing algorithm. One of the most important, and sometimes confusing, tags is the one that defines the canonicalization algorithm.
The short answer is that the c= tag defines the canonicalization algorithm for both the email's header and body.
- Header canonicalization: This defines how the email headers are processed before being signed.
- Body canonicalization: This defines how the email body is processed before being signed.
This tag is crucial because email messages often undergo minor changes as they travel from the sender to the recipient. Mail servers in the middle can sometimes reformat headers or change whitespace, which would normally break a cryptographic signature. Canonicalization prevents this by standardizing the parts of the email before the signature is created and verified.
What is DKIM canonicalization?
Canonicalization is the process of converting data into a standard, or "canonical," format. In the context of DKIM, this means preparing the email's header and body in a predictable way so that the digital signature can be verified reliably, even if the message was slightly altered in transit.
Think of it like this: if you and a friend both agree to write down a specific phrase but one of you adds an extra space, your versions won't match exactly. Canonicalization is like agreeing beforehand to ignore all extra spaces. It ensures that insignificant changes don't cause the entire verification process to fail.
The two canonicalization algorithms
DKIM defines two main algorithms for canonicalization, as specified in the RFC 6376 standard: simple and relaxed. The c= tag can specify one for the header and one for the body, like c=relaxed/simple.
Simple algorithm
The simple algorithm is very strict. It tolerates almost no modification to the header or body. For the body, even changes to whitespace at the end of lines can cause the signature validation to fail. Because mail transfer agents (MTAs) frequently make these kinds of small changes, the simple algorithm is fragile and not recommended for most use cases.
Relaxed algorithm
The relaxed algorithm is, as the name suggests, more forgiving. It tolerates common email modifications, such as:
- Changes in whitespace (e.g., converting multiple spaces to a single space).
- Case changes in header field names.
- Wrapping long header lines.
For these reasons, c=relaxed/relaxed is the most commonly used and recommended setting. It provides the robustness needed for reliable email delivery in the real world while still protecting the message's integrity.
Why this choice matters
Choosing the wrong canonicalization algorithm can lead to unnecessary DKIM validation failures. If you use simple canonicalization, your legitimate emails might fail DKIM checks simply because a forwarding server added a footer or slightly reformatted a header. This can negatively impact your email deliverability and sender reputation.
In almost all situations, I recommend setting your DKIM signature to use c=relaxed/relaxed. This provides the best balance of security and reliability, ensuring your DKIM signatures survive the journey across the internet and are correctly validated by recipient servers.
