When setting up DKIM, you'll encounter a choice between 'simple' and 'relaxed' canonicalization for both the email's header and body. The short answer is that simple canonicalization is much stricter than relaxed canonicalization. This strictness is why it's rarely recommended.
Canonicalization is the process of converting an email into a standardized, or canonical, format before the cryptographic signature is applied. Because emails can be slightly modified in transit by mail servers, this process is crucial for ensuring the DKIM signature remains valid when it's checked by the recipient's server. The choice of algorithm determines how much modification is tolerated.
What is simple canonicalization?
The 'simple' algorithm is extremely rigid. As the name implies, its rules are straightforward, but they offer virtually no flexibility. Your DKIM record specifies which canonicalization to use with the c= tag, like c=simple/simple. The first value applies to the header and the second to the body.
- Simple Header Canonicalization: This algorithm tolerates no changes whatsoever to the email headers included in the signature. Any modification, such as a mail server adding a trace header, changing the case of a word, or even re-wrapping a long line, will cause the DKIM signature to fail verification.
- Simple Body Canonicalization: This is almost as strict. It primarily ignores empty lines at the very end of the email body but does not permit other changes, including alterations to whitespace within the content. A mail server that modifies line endings or whitespace can easily break the signature.
This extreme sensitivity is why most experts advise against using 'simple' canonicalization. The internet's email infrastructure involves many different systems, and slight, often benign, modifications are common. The strictness of simple canonicalization makes it a fragile choice that often leads to legitimate emails failing DKIM checks.
What is relaxed canonicalization?
Relaxed canonicalization is designed to be more resilient. It understands that certain types of modifications happen frequently during email transit and considers them acceptable, allowing the DKIM signature to remain valid.
- Relaxed Header Canonicalization: This algorithm is much more forgiving. It ignores changes in header field case (e.g., 'Subject:' vs 'subject:'), converts all whitespace to single spaces, and removes whitespace at the end of header lines.
- Relaxed Body Canonicalization: This method ignores all trailing whitespace, reduces sequences of internal whitespace (like multiple spaces) down to a single space, and ignores empty lines at the end of the message body. This makes it far more robust against changes made by mail servers or forwarding agents.
Which one should I use?
You should almost always use relaxed canonicalization for both the header and body: c=relaxed/relaxed. This setting provides the best defense against DKIM failures caused by minor, in-transit modifications that are outside of your control. Using 'simple' canonicalization exposes your emails to a high risk of failing validation, which can negatively impact your email deliverability.
The consensus is clear: 'simple' is too strict for the modern email ecosystem, while 'relaxed' provides the necessary flexibility to ensure your DKIM signatures survive the journey to the inbox. Unless you have a very specific, controlled environment where you can guarantee no modifications will occur, choosing 'relaxed' is the safest and most effective strategy for your email authentication.
What DMARC alignment mode is stricter: 'relaxed' or 'strict'?
Does DMARC 'relaxed' alignment match a subdomain to the organizational domain?
Does DMARC require both SPF and DKIM to pass?
Is the 'sp' tag mandatory in a DMARC record?
What is the role of the 'dkim-alignment' in DMARC?
What does the DKIM 's=' tag represent?
