When you're setting up DKIM (DomainKeys Identified Mail), you'll encounter a setting called canonicalization. This setting defines how an email's headers and body are processed before being used to create the cryptographic signature. The goal is to create a standardized, or canonical, form of the email so that the signature can be verified even if the email is slightly altered in transit. There are two main types of canonicalization you can choose: simple and relaxed. A common question that comes up is how the relaxed algorithm handles whitespace, specifically trailing whitespace.
The short answer is yes, relaxed canonicalization for the body does remove trailing whitespace from each line. But the process is a bit more detailed than that, and understanding it is key to troubleshooting DKIM failures and ensuring your emails are authenticated correctly.
Relaxed canonicalization applies a set of rules to both the email's headers and its body to make the DKIM signature more resilient to changes made by mail servers. These servers often reformat emails, which can include altering whitespace, wrapping long lines, or changing header case. These modifications would break a signature created with simple canonicalization, which tolerates almost no changes.
For email headers, the relaxed algorithm performs several key actions:
This is where we get to the core of the question. The rules for the email body are specifically designed to handle common modifications made by forwarding mail servers. As noted by Metaspike in their article on leveraging DKIM in email forensics, the algorithm is quite aggressive in how it handles whitespace.
Here is what relaxed body canonicalization does:
The choice between simple and relaxed canonicalization is critical. Using simple is very brittle; almost any modification by a mail server will cause the DKIM signature to fail verification. This can harm your sender reputation and email deliverability.
Relaxed canonicalization is designed to ignore these common, benign changes, such as the addition of trailing whitespace. By using relaxed for both headers and the body (often written as c=relaxed/relaxed in the DKIM signature), you create a much more robust signature that is far more likely to validate successfully. This is why relaxed/relaxed is the recommended setting for virtually all senders.
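The difference between the two body algorithms, as an added example that is not part of the original article: a Python sketch of simple and relaxed body canonicalization following RFC 6376 (sections 3.4.3 and 3.4.4), comparing the SHA-256 body hash (the bh= value) of a signed body with relayed copies. The function names and sample bodies are constructed for illustration.

```python
import base64
import hashlib
import re

def simple_body(body: bytes) -> bytes:
    # Simple: only empty lines at the end of the body are ignored;
    # the result always ends in exactly one CRLF (an empty body becomes CRLF).
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def relaxed_body(body: bytes) -> bytes:
    # Relaxed: collapse each run of spaces/tabs to one space, drop whitespace
    # at the end of every line, then ignore empty lines at the end of the body.
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t")
             for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    # Every remaining line is CRLF-terminated; an empty body stays empty.
    return b"".join(line + b"\r\n" for line in lines)

def body_hash(body: bytes, canon) -> str:
    # Base64 of SHA-256 over the canonicalized body, as carried in bh=.
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def survives(signed: bytes, received: bytes, canon) -> bool:
    # True if the received body still hashes to the value the signer computed.
    return body_hash(signed, canon) == body_hash(received, canon)

# Constructed sample bodies (not taken from any real message).
SIGNED = b"Hello team,\r\n\r\nInvoice  total:\t42 EUR\r\nThanks\r\n"
# A relay appended trailing whitespace and blank lines, and rewrote runs of
# whitespace inside a line.
TRAILING = b"Hello team,  \r\n\r\nInvoice total: 42 EUR\t\r\nThanks\r\n\r\n\r\n"
# A relay removed a space entirely: relaxed collapses whitespace, it does not
# delete it, so this is a real content change for both algorithms.
JOINED = b"Hello team,\r\n\r\nInvoice total: 42EUR\r\nThanks\r\n"

if __name__ == "__main__":
    for name, received in (("trailing whitespace", TRAILING),
                           ("space removed", JOINED)):
        print(f"{name:20} simple={survives(SIGNED, received, simple_body)} "
              f"relaxed={survives(SIGNED, received, relaxed_body)}")
```

When troubleshooting a body hash mismatch, comparing the canonicalized bytes of the sent and received copies shows whether the change was only whitespace that relaxed would absorb or an actual content modification.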