DKIM Canonicalization: Simple vs Relaxed
Understand what DKIM canonicalization is, how the c= tag works, and why relaxed/relaxed is the recommended setting for reliable email authentication.
Last updated: 2026-05-25
If you've looked closely at a DKIM (DomainKeys Identified Mail) signature, you may have noticed the c= tag with values like "relaxed/relaxed" or "simple/simple." This setting is called canonicalization, and it has a direct impact on whether your DKIM authentication passes or fails. Choosing the wrong option can cause legitimate emails to fail verification for reasons that are completely invisible to you.
What is DKIM Canonicalization?
Canonicalization, as defined in RFC 6376, Section 3.4, is the process of normalizing email content before it gets hashed and verified. Think of it as establishing ground rules for how strictly the email must match the original.
When your mail server sends a message, it creates a DKIM signature by hashing the content with your private key. When the receiving server gets that message, it hashes the content again and compares. If the hashes match, DKIM passes.
But email doesn't always arrive exactly as sent. Mail servers, gateways, and relay systems can make small changes, adding a space here, changing capitalization there. Without canonicalization, any tiny change would break the signature.
Canonicalization tells both sides: "Before you hash this content, normalize it this specific way." If both sides normalize identically, minor transit changes don't matter.
Canonicalization doesn't change the email itself. It only affects how content is prepared for the cryptographic hash that DKIM uses for verification.
Understanding the DKIM c= Tag
The c= tag in a DKIM signature specifies the canonicalization method with two values separated by a slash:
c=header_method/body_method
The first value applies to email headers (From, Subject, Date). The second applies to the message body. Each can be "simple" or "relaxed," giving four combinations:
c=simple/simplec=simple/relaxedc=relaxed/simplec=relaxed/relaxed
If the c= tag is missing, DKIM defaults to c=simple/simple, the strictest option.
Simple Canonicalization
Simple canonicalization applies minimal normalization. The message must arrive almost exactly as sent.
For headers: No changes are made. Header names must match exactly, including capitalization. Whitespace is preserved. The only tolerance is trailing whitespace at line ends.
For body: The body is used as-is. Only empty lines at the very end are ignored. All whitespace within the body must match exactly.
Relaxed Canonicalization
Relaxed canonicalization applies broader normalization to tolerate common transit modifications.
For headers: Names are converted to lowercase. Whitespace within values is compressed to single spaces. Trailing whitespace is removed.
For body: Trailing whitespace on each line is removed. Multiple spaces and tabs are compressed to single spaces. Empty lines at the end are ignored.
Simple vs Relaxed: Side by Side
| Behavior | Simple | Relaxed |
|---|---|---|
| Header name case | Must match exactly | Converted to lowercase |
| Whitespace in headers | Preserved exactly | Compressed to single space |
| Whitespace in body | Preserved exactly | Compressed to single space |
| Trailing whitespace | Preserved (headers) / preserved (body) | Removed |
| Trailing empty lines | Ignored | Ignored |
| Tolerance for transit changes | Very low | High |
| Risk of false failures | High | Low |
Real-World Changes That Break Simple but Survive Relaxed
Email passes through multiple systems between sender and recipient. Here are common modifications that break simple canonicalization but are absorbed by relaxed:
Whitespace reformatting. Mail transfer agents frequently adjust whitespace, adding trailing spaces to headers, compressing spaces in the body, or converting tabs. Simple treats any change as a mismatch; relaxed normalizes it away.
Header case changes. Some servers lowercase header names during processing. Content-Type becomes content-type. Simple treats these as different; relaxed treats them as identical.
Line wrapping adjustments. Email standards allow long headers to be "folded" at whitespace. Different servers fold at different points. Relaxed canonicalization handles this gracefully.
Body whitespace cleanup. Security gateways and corporate mail systems sometimes clean up message bodies, removing trailing spaces or normalizing line endings. These invisible changes are fatal to simple canonicalization.
Simple canonicalization causes real deliverability problems
Your DKIM can fail even when nothing meaningful about your email has changed. The modifications that break simple canonicalization are invisible; you can't see trailing whitespace in a normal email client.
Why You Should Always Use Relaxed/Relaxed
The recommendation is clear: use c=relaxed/relaxed. Here's why:
It tolerates real-world email transit. Emails pass through servers, gateways, and filters that make minor formatting changes. Relaxed absorbs these without breaking your signature.
Simple provides no security benefit. The strictness of simple doesn't make email more secure. An attacker who can modify content would need to forge the signature regardless of canonicalization.
Major services default to relaxed. Google Workspace, Microsoft 365, and most platforms use relaxed/relaxed. They've learned that simple causes unnecessary failures.
Forwarding survival improves dramatically. When email is forwarded through mailing lists or auto-forwarding rules, minor modifications are common. Relaxed gives DKIM the best chance of surviving.
How to Check Your Canonicalization Setting
The canonicalization setting isn't in the DNS (Domain Name System) record. It's set by your mail server when signing. To see yours, send an email and examine the DKIM-Signature header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; ...
If the c= tag is missing, your server defaults to c=simple/simple.
How to Change Your Canonicalization Setting
Identify your signing system
Determine what signs your outgoing email: your email provider, your sending service, or your own mail server.
Check the current setting
Send a test email and look at the DKIM-Signature header for the c= tag.
Update the configuration
For cloud providers, canonicalization is usually relaxed/relaxed automatically. For self-hosted servers like Postfix with OpenDKIM, update your signing configuration to c=relaxed/relaxed.
Generate new keys if needed
If setting up DKIM from scratch, use dkimcreator.com to generate your key pair and configure relaxed/relaxed from the start.
Test after changing
Send test emails and verify the DKIM-Signature header shows c=relaxed/relaxed. Confirm DKIM passes in authentication results.
The Takeaway
Canonicalization is a small configuration detail with outsized impact on DKIM reliability. Simple is too strict for real-world email delivery. Relaxed handles the minor, invisible modifications that happen as email moves across the internet. Set your signing server to c=relaxed/relaxed and your DKIM signatures will verify consistently, even through gateways, filters, and forwarding systems.
Related Articles
Monitor Your DKIM Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
Never miss a DKIM issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring