What is DKIM canonicalization?

Canonicalization is the process by which the headers and body of an email are converted to a standard, canonical form before being signed. It can be thought of as taking data that can be represented in a number of ways and reducing it to one standard representation. Some mail systems modify emails in transit, which can invalidate the DKIM signature. Some signers are willing to accept minor modification of their mail, while others are stricter and require a stricter canonicalization.

Two canonicalization algorithms have been defined: relaxed, which tolerates mild modification of a message, and simple, which tolerates almost no modification. From DKIM’s perspective the headers and body of an email are separate, and a canonicalization algorithm is specified for each. They are written in the format canonicalization/canonicalization, for header and body respectively. If no canonicalization is specified, ‘simple’ is used for both headers and body, which is equivalent to simple/simple.

The simple/simple canonicalization is the stricter of the two and tolerates almost no modification to the message header and body. As a result, however, the DKIM signature can be invalidated by some forwarders as the email passes through them. Many of the problems with DKIM signatures being invalidated during forwarding can be solved by changing the canonicalization to relaxed/relaxed, which allows mild modifications to the email. DKIM is a method to protect against email spoofing using public-key cryptography.
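The following added example (not part of the original page) implements the simple and relaxed header and body canonicalizations as defined in RFC 6376 section 3.4 and checks which header/body combinations survive a forwarder that re-folds a header and alters whitespace. The message bytes are constructed samples, SHA-256 is assumed for the body hash, and the helper names (`parse_c`, `survives`, and so on) are hypothetical; it covers canonicalization and the body hash only, not signature verification.

```python
import base64
import hashlib
import re

def simple_header(field: bytes) -> bytes:
    return field  # "simple": the header field is used byte-for-byte

def relaxed_header(field: bytes) -> bytes:
    name, _, value = field.partition(b":")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)            # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \r\n")  # collapse WSP, trim both ends
    return name.strip(b" \t").lower() + b":" + value + b"\r\n"

def simple_body(body: bytes) -> bytes:
    while body.endswith(b"\r\n"):  # ignore empty lines at the end of the body
        body = body[:-2]
    return body + b"\r\n"          # exactly one final CRLF (an empty body becomes CRLF)

def relaxed_body(body: bytes) -> bytes:
    # Collapse WSP runs and drop trailing WSP per line, then drop trailing empty lines.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)  # an empty body stays empty

HEADER = {"simple": simple_header, "relaxed": relaxed_header}
BODY = {"simple": simple_body, "relaxed": relaxed_body}

def parse_c(c: str = "simple/simple"):
    # Format is header/body; per RFC 6376 a lone "relaxed" leaves the body at "simple".
    header_alg, _, body_alg = c.partition("/")
    return header_alg, body_alg or "simple"

def body_hash(body: bytes, c: str) -> str:
    canon = BODY[parse_c(c)[1]](body)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()  # SHA-256 assumed

def survives(c, signed, received):
    """Return (header_unchanged, body_hash_unchanged) under canonicalization c."""
    h = HEADER[parse_c(c)[0]]
    return (h(signed[0]) == h(received[0]),
            body_hash(signed[1], c) == body_hash(received[1], c))

# Constructed sample: (one header field, body) as signed and as seen after a
# forwarder re-folded the Subject line and changed whitespace in the body.
SIGNED = (b"Subject: Quarterly  report\r\n", b"Hello team,\r\nNumbers attached.\r\n")
FORWARDED = (b"Subject: Quarterly\r\n  report\r\n",
             b"Hello team, \r\nNumbers  attached.\r\n\r\n")

if __name__ == "__main__":
    for c in ("simple/simple", "relaxed/simple", "relaxed/relaxed"):
        print(c, survives(c, SIGNED, FORWARDED))
```

A change to the actual content, as opposed to whitespace or folding, alters the body hash under either algorithm.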