When you're setting up email authentication, you'll encounter DomainKeys Identified Mail (DKIM). A DKIM signature is a complex string of tags and values added to an email's headers. These tags provide information that a receiving mail server uses to verify that the email hasn't been tampered with. One of the less understood but important tags in this signature is the c= tag, which stands for canonicalization.
Understanding these tags is crucial for ensuring your emails are authenticated correctly, which is a cornerstone of good email deliverability. A correctly configured DKIM record is a key part of the puzzle, alongside SPF and DMARC.
The c= tag specifies the canonicalization algorithms applied to the email's header and body before they are cryptographically signed. In simple terms, canonicalization is a process of standardizing the email content into a consistent format. This is necessary because email servers can make small, often harmless, modifications to an email as it travels across the internet. These modifications, like adding or re-wrapping lines, can break the DKIM signature if not handled correctly.
The c= tag can have one or two values, separated by a slash (e.g., c=relaxed/simple). The first value applies to the email header, and the second applies to the body. If only one value is provided, it applies to the header, and the body defaults to simple.
According to RFC 6376, the official specification for DKIM, the default value for the 'c' tag is "simple/simple".
This means that if the c= tag is omitted from the DKIM-Signature header, the signature must be processed as if c=simple/simple had been specified.
The choice between simple and relaxed determines how tolerant the DKIM signature is to changes. Here’s a breakdown:
For most senders, the recommended setting is c=relaxed/relaxed.
Using relaxed for both the header and body provides the best protection against signature failures caused by mail forwarders or intermediate mail transfer agents (MTAs). A mailing list, for example, might add a footer to an email, which would break a simple body signature but would likely be tolerated by a relaxed one.
Some large email providers use a mix. For instance, as seen in some Amazon SES configurations, they may use c=relaxed/simple. This provides resilience for header modifications while maintaining a stricter policy for the body content. However, unless you have a specific reason to use simple, sticking with relaxed/relaxed is the safest bet for reliable DKIM validation.
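To make the header/body split and the defaults concrete, here is an added example (not from the original article or from any mail library) that implements the simple and relaxed canonicalization rules of RFC 6376 and checks which c= settings still match after a relay re-folds a header and alters whitespace. The function names and the sample header and body are constructed for illustration.

```python
import base64, hashlib, re

def parse_c_tag(c=None):
    """Return (header_alg, body_alg); a missing tag means simple/simple."""
    header, _, body = (c or "simple/simple").strip().lower().partition("/")
    body = body or "simple"  # single value: header only, body falls back to simple
    if {header, body} - {"simple", "relaxed"}:
        raise ValueError(f"unknown canonicalization: {c!r}")
    return header, body

def canon_header(field, alg):
    if alg == "simple":
        return field  # signed byte for byte, no normalization
    name, value = field.split(b":", 1)
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)            # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \r\n")  # collapse and trim whitespace
    return name.strip().lower() + b":" + value + b"\r\n"     # lowercase the field name

def canon_body(body, alg):
    if alg == "relaxed":
        # Collapse whitespace runs, drop trailing whitespace, drop trailing empty lines.
        lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
        while lines and lines[-1] == b"":
            lines.pop()
        return b"\r\n".join(lines) + b"\r\n" if lines else b""
    # simple: only trailing empty lines are ignored; an empty body becomes one CRLF.
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body, alg):
    """Value a SHA-256 signature would carry in its bh= tag for this body."""
    return base64.b64encode(hashlib.sha256(canon_body(body, alg)).digest()).decode()

# Constructed sample: the same message as signed and as seen after a relay that
# upper-cased and re-folded the header and changed whitespace in the body.
ORIGINAL_HDR = b"Subject: Quarterly  report\r\n"
RELAYED_HDR = b"SUBJECT: Quarterly\r\n report\r\n"
ORIGINAL_BODY = b"Hello team,\r\nInvoice  attached.\r\n"
RELAYED_BODY = b"Hello team, \r\nInvoice attached.\r\n\r\n"

def survives(c=None):
    """Return (header_matches, body_hash_matches) for a given c= value."""
    h, b = parse_c_tag(c)
    return (canon_header(ORIGINAL_HDR, h) == canon_header(RELAYED_HDR, h),
            body_hash(ORIGINAL_BODY, b) == body_hash(RELAYED_BODY, b))

if __name__ == "__main__":
    for c in (None, "relaxed", "relaxed/simple", "relaxed/relaxed"):
        print(c, survives(c))
```

Note that c=relaxed on its own behaves like relaxed/simple, so the body hash still fails on whitespace changes unless the body algorithm is set explicitly.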