Canonicalization
Learn what canonicalization means in DKIM, how the c= tag works, and how DMARCeye helps detect DKIM failures caused by formatting differences.
What Is Canonicalization?
Canonicalization in email authentication refers to the process of standardizing the format of an email’s headers and body before applying or verifying a DKIM (DomainKeys Identified Mail) signature.
In simpler terms, canonicalization defines how strictly the message’s formatting must match between when it’s sent and when it’s received. Because minor formatting changes can happen naturally as an email travels across servers, canonicalization provides flexibility to ensure that valid messages aren’t rejected unnecessarily.
How Canonicalization Works in DKIM
In DKIM, canonicalization is controlled by the c= tag in the DKIM signature. This tag specifies how the message’s headers and body should be treated during the signing and verification process.
There are two main modes of canonicalization:
- Simple – Requires the message to remain exactly the same between sending and receiving. Even small changes, like added spaces or line breaks, can cause verification to fail.
- Relaxed – Ignores minor formatting differences, such as whitespace variations or header case changes, allowing the signature to remain valid even after small modifications.
You can combine these methods for headers and body independently, resulting in pairs like c=relaxed/relaxed or c=simple/relaxed.
Why Canonicalization Is Important for Email Deliverability
Canonicalization ensures that legitimate emails don’t fail DKIM verification because of trivial formatting differences introduced by intermediate mail servers.
Choosing the right canonicalization method helps maintain a balance between security and deliverability. A stricter setting (simple) offers tighter control but increases the risk of false failures, while a relaxed setting provides more tolerance for harmless changes during transmission.
In most modern setups, c=relaxed/relaxed is recommended for reliability.
Because DMARC relies on DKIM authentication, canonicalization directly affects whether your messages pass or fail DMARC checks.
Canonicalization and DMARCeye
DMARCeye helps you monitor how your domain’s DKIM signatures perform in real-world conditions. By analyzing authentication reports, it can reveal when canonicalization or formatting differences are causing unexpected DKIM failures.
With this visibility, teams can fine-tune their email configurations to maintain both strong authentication and smooth deliverability.
Sign up for a free trial of DMARCeye today and protect your email domain.
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.