Why does canonicalization matter (simple vs relaxed)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You'd think an email that leaves your server arrives exactly as sent. Often it doesn't. Mail relays add trailing spaces. Line endings get converted between Windows and Unix formats. Headers get slightly reformatted. Canonicalization is the step DKIM takes before signing: normalizing the message into a standardized format so the hash is consistent even if small formatting changes happen in transit.

And there are two modes, and the one you choose determines how much formatting variation your signature can survive.

Simple canonicalization

Simple signs the message almost as-is. It allows only minimal normalization. Any real change in the body or headers. An extra trailing space, a different line ending, a reformatted header field. Any of these break the signature.

Simple works when you control the entire path from your server to the recipient and nothing touches the message along the way. In practice, that's not most sending scenarios.

Relaxed canonicalization

Relaxed normalizes whitespace, lowercases header names, and collapses runs of spaces before hashing. Minor reformatting by intermediate mail servers doesn't break the signature because those changes were normalized out before signing.

And This is why nearly every ESP defaults to relaxed, and why you should leave it there unless you have a specific reason not to.

Where it actually breaks: forwarding

But the most common place canonicalization failures show up is email forwarding. Forwarding servers often add headers, reorder fields, or convert line endings. With simple mode, those changes break the signature. With relaxed, minor header changes usually survive.

Neither mode survives a forwarding server that rewrites the body, like a mailing list manager that appends unsubscribe footers. The body hash was computed before the footer was added, so the hashes won't match. This is a known DKIM limitation, not a configuration error on your part.

If you're seeing dkim=fail specifically on forwarded or mailing-list-distributed messages and passing everywhere else, canonicalization mode is the first thing to check. Our DKIM checker can confirm your current mode. The SOS hotline is free if you want help tracing it further.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Debug My Canonicalization Failures

I just read the Email Almanac entry on DKIM canonicalization. Help me figure out what canonicalization mode my setup is using and whether it's causing my DKIM failures. Walk me through: 1. Which canonicalization mode my current DKIM signature uses (c= field in the header) 2. Whether switching from simple to relaxed would fix my specific failure pattern 3. What to do when DKIM is failing on forwarded or mailing-list-distributed mail 4. Whether a body-rewriting mail path means DKIM will always fail for those recipients --- My details (fill in what applies): - Sending domain: your domain - Where DKIM is failing vs passing: [e.g. "fails at forwarded Gmail, passes at direct Gmail"] - DKIM-Signature header from a failing message (paste if you have it): look for c= field - Do you use mailing lists, distribution lists, or forwarding: yes / no / unsure - ESP or mail platform: name - Whether you can configure canonicalization in your ESP: yes / no / unsure

Edit the yellow boxes, then send to the AI of your choice.