Suped

Is 'relaxed' or 'simple' canonicalization more strict in DKIM?

Michael Ko
Co-founder & CEO, Suped
Published 11 Apr 2025
Updated 15 Sep 2025
When setting up or troubleshooting email authentication issues, you'll often encounter the concept of DKIM canonicalization. This crucial setting dictates how strictly a receiving mail server should interpret changes to an email's header and body during transit. It's a key factor in whether your DKIM signature remains valid, directly impacting your email deliverability and DMARC alignment.
The choice between 'simple' and 'relaxed' canonicalization modes is not merely technical; it has significant practical implications for how your emails are handled by various email service providers (ESPs) and mail transfer agents (MTAs). Understanding the differences is vital for anyone managing email infrastructure or aiming for optimal inbox placement.
This guide will delve into both modes, clarify which one is stricter, and provide insights into making an informed decision for your domain's email authentication strategy.

What is DKIM canonicalization?

Canonicalization in DKIM (DomainKeys Identified Mail) refers to the process of standardizing the email's header and body before generating and verifying the DKIM signature. The email's content, including headers and the body, can undergo minor modifications during transit. These changes, such as modifying whitespace, rewrapping lines, or altering header field order, could invalidate a DKIM signature if not handled correctly.
The primary goal of canonicalization is to define what types of modifications are permissible without invalidating the DKIM signature. Without a canonicalization method, even the slightest, harmless change would cause the signature verification to fail, leading to legitimate emails being flagged as suspicious or spam.
DKIM provides two canonicalization algorithms: 'simple' and 'relaxed'. These apply independently to the email header and the email body. You'll often see them specified in a DKIM record as c=header/body, for example, c=relaxed/simple. The choice significantly impacts how tolerant the signature verification process is to changes.
This mechanism is crucial for the interoperability of email systems, allowing emails to pass through various intermediaries, like mailing lists or forwarders, without their legitimate DKIM signatures being broken. It’s a delicate balance between maintaining the integrity of the message and accommodating the realities of email transmission.

Simple canonicalization: the stricter choice

To answer the question directly, simple canonicalization is the stricter of the two DKIM modes. It demands that both the email header and body remain almost identical to their original state from when the signature was created. Any deviation, even a single change in whitespace, will cause the DKIM signature to fail verification.

Strict rules for simple canonicalization

  1. Header: No modifications allowed to header field names or values. Any change in case, whitespace, or order will invalidate the signature.
  2. Body: Requires the body to be virtually identical. Any change in whitespace, including extra empty lines at the end of the message, will lead to failure.
This strictness, while theoretically offering the highest level of tamper detection, often proves impractical in the real world. Many legitimate email operations, such as forwarding emails, adding footers, or even some mailing list software, can introduce minor, non-malicious modifications to an email. With simple canonicalization, these common alterations frequently result in a DKIM signature failure. One common issue is c=simple/simple canonicalization leading to a DKIM temperror.
While simple canonicalization is theoretically more secure against malicious tampering, its inflexibility often makes it a poor choice for most email senders. It increases the likelihood of legitimate emails failing DKIM authentication, which can negatively impact your sender reputation and lead to emails being sent to spam folders or even rejected.

Relaxed canonicalization: the flexible option

In contrast to simple canonicalization, relaxed canonicalization is the more lenient option. It's designed to tolerate common, legitimate modifications that emails undergo during transit. This flexibility significantly reduces the chances of valid emails failing DKIM authentication due to minor formatting changes.

Relaxed header canonicalization

  1. Whitespace: It ignores all whitespace at the beginning and end of header fields and replaces sequences of internal whitespace with a single space.
  2. Case sensitivity: It treats header field names as case-insensitive.
  3. Folding: Unfolds (removes) header line wraps.

Relaxed body canonicalization

  1. Whitespace: It ignores all trailing whitespace at the end of lines and reduces sequences of whitespace within lines to a single space.
  2. Empty lines: It ignores all empty lines at the end of the message body.
The leniency of relaxed canonicalization makes it the recommended choice for most senders. It ensures that emails are authenticated successfully even if they pass through systems that introduce minor, harmless changes. This is particularly important for emails that are forwarded, processed by mailing list software, or handled by various MTAs before reaching their final destination.
While relaxed canonicalization offers greater resilience, it's worth noting that it provides slightly less protection against malicious tampering than simple mode. However, for most organizations, the trade-off is well worth it, as the increased deliverability outweighs the minor theoretical reduction in security. The overall email authentication ecosystem, including DMARC, is designed to work effectively with relaxed canonicalization.
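
The relaxed header and body rules listed above, written out as an added example (not code from Suped or from any DKIM library). The function names, the sample message and the compare() helper are constructed for illustration; RSA signing is left out, and only the canonical forms and the bh= body hash are compared.

```python
import base64
import hashlib
import re

def simple_header(field: str) -> str:
    """Simple mode: the header field is used byte for byte as received."""
    return field

def relaxed_header(field: str) -> str:
    """Relaxed mode for one header field (RFC 6376, section 3.4.2)."""
    name, _, value = field.partition(":")
    value = re.sub(r"\r\n(?=[ \t])", "", value)             # unfold wrapped lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \r\n")    # collapse, then trim
    return f"{name.strip().lower()}:{value}\r\n"            # lowercase field name

def relaxed_body(body: str) -> str:
    """Relaxed mode for the body (RFC 6376, section 3.4.4)."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":                        # drop trailing empty lines
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(canonical_body: str) -> str:
    """Base64 SHA-256 of the canonical body, as carried in the bh= tag."""
    digest = hashlib.sha256(canonical_body.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

# Constructed sample: the same message as signed and after a relay re-wrapped it.
SIGNED_FIELD = "Subject: Quarterly  report\r\n"
RELAYED_FIELD = "SUBJECT:   Quarterly\r\n  report  \r\n"
SIGNED_BODY = "Hello  team,\r\nSee the attached file.\r\n"
RELAYED_BODY = "Hello team,   \r\nSee the\tattached file.\r\n\r\n\r\n"
TAMPERED_BODY = "Hello team,\r\nSee the attached invoice.\r\n"  # content changed

def compare(field: str, body: str) -> dict:
    """Check a received field and body against the signed originals."""
    return {
        "simple_header": simple_header(field) == simple_header(SIGNED_FIELD),
        "relaxed_header": relaxed_header(field) == relaxed_header(SIGNED_FIELD),
        "relaxed_body": body_hash(relaxed_body(body))
                        == body_hash(relaxed_body(SIGNED_BODY)),
    }

if __name__ == "__main__":
    print(compare(RELAYED_FIELD, RELAYED_BODY))   # formatting changes only
    print(compare(SIGNED_FIELD, TAMPERED_BODY))   # body content altered
```

The re-wrapped header fails only under simple mode, while the body whose wording changed fails the relaxed body hash as well.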

Choosing the right canonicalization mode

When deciding between simple and relaxed canonicalization, consider the journey your emails take. If your emails are processed by multiple intermediaries, such as marketing automation platforms or ticketing systems that might alter the message subtly, relaxed canonicalization is almost always the better choice. It minimizes the risk of legitimate emails failing DKIM validation due to formatting changes.

| Feature | Simple canonicalization | Relaxed canonicalization |
| --- | --- | --- |
| Strictness | Extremely strict, almost zero tolerance for modifications. | Lenient, tolerates common, minor modifications. |
| Impact on deliverability | Higher risk of breaking DKIM, leading to lower deliverability. | Lower risk of breaking DKIM, improving deliverability. |
| Recommended use | Rarely recommended for most senders. | Standard recommendation for most email flows. |
| DMARC alignment | Can easily break DKIM alignment for DMARC. | Supports robust DKIM alignment even with minor changes. |

For nearly all use cases, you should implement relaxed/relaxed canonicalization to maximize deliverability and ensure DMARC compliance. This setting provides the necessary flexibility for emails to traverse the internet without invalidating their signatures, while still offering strong protection against spoofing and phishing attacks when combined with DMARC.

Summary and best practices

In the world of DKIM, 'simple' canonicalization is undeniably the stricter mode, demanding almost pixel-perfect preservation of email headers and bodies. While this offers theoretical maximum protection against tampering, it often leads to legitimate emails failing authentication due to common, harmless modifications introduced by intermediaries.
Conversely, 'relaxed' canonicalization is the more flexible and practical choice. It intelligently tolerates minor whitespace and formatting changes, ensuring that your DKIM signatures remain valid and your emails consistently reach the inbox. This flexibility is crucial for maintaining good email deliverability in today's complex email ecosystem, especially when considering DMARC alignment modes.
For most organizations, employing relaxed/relaxed canonicalization for your DKIM records is the best practice. This approach balances robust authentication with the realities of email transmission, providing effective protection without hindering deliverability. To monitor your DKIM authentication and ensure optimal email health, I recommend using Suped's DMARC monitoring platform. Our tool provides real-time alerts and AI-powered recommendations to help you fix any DKIM or DMARC issues efficiently, including SPF flattening, blocklist monitoring, and a unified view of your email security.
