---
title: "The role of canonicalization in preventing email breakage in DKIM | DuoCircle"
description: "The role of canonicalization in preventing email breakage in DKIM."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/the-role-of-canonicalization-in-preventing-email-breakage-in-dkim/"
---

Quick Answer

DKIM canonicalization standardizes email content (headers and body) before signing so that minor in-transit changes (extra whitespace, line break differences, header case) do not break the signature. RFC 6376 defines two methods per part (header and body): simple, which requires byte-exact match and breaks on any modification, and relaxed, which tolerates whitespace and case changes. Most operators use relaxed/relaxed because mail systems routinely rewrite line endings and fold long headers, and simple canonicalization causes false DKIM failures that hurt deliverability. The notation appears in the c= tag of the DKIM-Signature header. Implementation: audit your current MTA or signing service settings (Postfix with OpenDKIM, your ESP's signing config), shift from simple to relaxed where it is not already the default, test with a small sample of outbound mail, and watch DMARC aggregate reports for DKIM pass rates afterward.

The role of canonicalization in preventing email breakage in DKIM


[DKIM](/resources/what-is-dkim) policy secures your email communications by detecting any kind of tampering or alteration during transit. However, the journey from your outbox to a receiving inbox is an intricate one. Since **emails get delivered super quick**, we fail to notice the minor changes that take place during the process. Mail systems may introduce certain minor changes in the email content (line breaks, case differences, whitespace, and so on). Even though the changes may not appear to be major, they change the bytes the signature was computed over, thereby resulting in DKIM failure. In order to avoid these instances of false negatives, you must focus on canonicalizing your emails.

This blog post aims to explore the role of canonicalization in preventing [email breakage](https://www.bleepingcomputer.com/news/security/microsoft-chinese-hackers-breached-us-govt-exchange-email-accounts/) in DKIM. 

## Understanding DKIM email authentication policy

Before diving into the concept of canonicalization, it is important to understand how DKIM authentication works to **safeguard your email system**. DKIM (DomainKeys Identified Mail) enables a domain owner to attach a digital signature (created with a unique [private key](https://www.coinbase.com/learn/crypto-basics/what-is-a-private-key)) to outgoing emails. _This signature is used by the receiving email servers to verify the authenticity of the email content_. For verification purposes, they use the DKIM [public key](https://www.investopedia.com/terms/p/public-key.asp), which gets published in the domain’s [DNS records](https://www.cloudflare.com/learning/dns/dns-records/). DKIM policy secures your communication system against instances of [phishing, spoofing](https://www.cybersecuritydive.com/news/spoofing-spear-phishing-BEC/602554/), and email tampering by threat actors.

## DKIM canonicalization: definition

DKIM canonicalization is a technique to standardize your email content before the domain owner signs it with a [digital signature](https://www.techtarget.com/searchsecurity/definition/digital-signature). This standardization ensures that the minor formatting changes that may take place during transit do not affect the **integrity of the email content**. Before the signature is computed, the email content gets transformed into a canonical form, with a standard [email header](https://proton.me/blog/what-are-email-headers) format as well as a standard body format, and the receiving server applies the same transformation before it verifies the signature. This standardized version tolerates the minor alterations that the chosen method covers, thereby minimizing the risk of false negatives.

For example, the two email addresses, **[sales@domain.com](mailto:sales@domain.com) and [sales@DOMAIN.com](mailto:sales@DOMAIN.com)**, won’t pose any issue when you use either one on the address line. However, when the DKIM policy is deployed, this slight change may cause your emails to [fail the DKIM check](/email-security/what-happens-to-emails-failing-dkim-checks/). In that case, the email deliverability rate will go down. The sender reputation of your domain will also be impacted.


## How to solve this problem?

There are **two canonicalization techniques** to fix this problem. Have a look!

### Simple canonicalization

This works exactly like how you used to play jigsaw puzzles in your childhood. It is a stringent canonicalization method that does not consider minor alterations and wants everything to match identically. _The algorithm strictly follows the rule book and checks the email content thoroughly to determine whether there are any changes or not_. Even if there is a tiny alteration, like a line break or space, the email will fail the [DKIM check](/resources/dkim-checker). 

The strictness of simple canonicalization makes it a less favorable option for domain owners. The majority of them do not want their emails to bounce back because of a **minor alteration in email content**. So, they prefer relaxed canonicalization over simple canonicalization.

### Relaxed canonicalization

_As you can see from the name itself, this method is comparatively more flexible than simple canonicalization_. It comes with some wiggle room that allows minor changes in email content. This element of flexibility enables email content with minor alterations to pass the DKIM verification check. Basically, this method removes any kind of discrepancies that are found between the initial email content and the transformed one. It removes the unnecessary white spaces in the altered email content, converts each and every header name to lowercase, and ignores spaces at the **end of the header fields**.
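The two methods side by side, as an added example that is not part of the original post: a Python implementation of the RFC 6376 simple and relaxed rules for headers and bodies, run over a constructed message as it was signed and as a relay delivered it. The function names and sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import re

def simple_header(field):
    """simple: the header field is used exactly as it arrived."""
    return field

def relaxed_header(field):
    """relaxed: lowercase the name, unfold, collapse WSP, trim the value."""
    name, _, value = field.partition(b":")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)   # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value)         # runs of WSP -> one space
    return name.strip().lower() + b":" + value.strip(b" \r\n") + b"\r\n"

def simple_body(body):
    """simple: only empty lines at the end of the body are ignored."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def relaxed_body(body):
    """relaxed: also drop WSP at line ends and collapse WSP inside lines."""
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t"))
             for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)

def body_hash(body, canon):
    """The bh= value: base64 SHA-256 of the canonicalized body."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

# Constructed sample: the message as signed, and as a relay delivered it
# (refolded and re-cased Subject, tabs and trailing spaces, extra blank lines).
SIGNED_SUBJECT = b"Subject: Quarterly   report\r\n"
RELAYED_SUBJECT = b"SUBJECT:Quarterly\r\n\t report  \r\n"
SIGNED_BODY = b"Hello  team,\r\nInvoice attached.\r\n"
RELAYED_BODY = b"Hello \t team,   \r\nInvoice attached.\r\n\r\n\r\n"

def survives():
    """Which canonicalization still matches after the relay's changes."""
    return {
        "simple header": simple_header(SIGNED_SUBJECT) == simple_header(RELAYED_SUBJECT),
        "relaxed header": relaxed_header(SIGNED_SUBJECT) == relaxed_header(RELAYED_SUBJECT),
        "simple body": body_hash(SIGNED_BODY, simple_body) == body_hash(RELAYED_BODY, simple_body),
        "relaxed body": body_hash(SIGNED_BODY, relaxed_body) == body_hash(RELAYED_BODY, relaxed_body),
    }

if __name__ == "__main__":
    for part, ok in survives().items():
        print(f"{part}: {'match' if ok else 'MISMATCH'}")
    # relaxed lowercases header names only; a changed header value still differs.
    print(relaxed_header(b"From: sales@domain.com\r\n")
          == relaxed_header(b"From: sales@DOMAIN.com\r\n"))
```

Relaxed canonicalization absorbs whitespace, folding and header-name case only; any change to the visible characters of a signed header value or of the body still invalidates the signature under both methods.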

## DKIM canonicalization implementation

_In order to maintain the integrity and security of your email system, it is important to see it as a long-term process that requires consistent monitoring and adjustments_. Here’s a **step-by-step guide** on how to implement DKIM canonicalization:

### Closely observe the current configurations

Canonicalization implementation starts with a detailed audit of your ongoing email setup. The first step requires you to determine which canonicalization method you are currently using for the headers and the **body of your emails**.

### Tweak canonicalization settings as needed

After you are done reviewing the current configurations, proceed to make the necessary alterations. The key is to shift from simple canonicalization to relaxed canonicalization to be able to enjoy some degree of leniency for minor tweaks and changes, such as spaces and line breaks. This significantly brings down cases of false positives, thereby maintaining your [email deliverability](/a-guide-on-email-deliverability) rate.

### Test the configurations

Test the waters before **implementing the updates** on all [outbound emails](/content/outbound-email). Start with running new canonicalization configurations on a limited number of emails. Try including different content types and formats to understand the impact of the changes closely.


### Monitor and validate

Once you have implemented the new configuration across your email system, start with evaluating the current email delivery rate as well as DKIM failure reports. Tracking the process closely will help you understand whether or not the recent changes match with your [email integrity](https://www.linkedin.com/pulse/what-does-email-integrity-look-like-toby-higson) and deliverability goals. 
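One way to carry out the audit and monitoring steps above, as an added example that is not DuoCircle's own tooling: it reads the `c=` tag from DKIM-Signature values to find mail still signed with simple canonicalization, and computes the DKIM pass rate from a DMARC aggregate report. The function names, signatures and report below are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

def canonicalization(dkim_signature):
    """Return (header, body) canonicalization from a DKIM-Signature value.

    RFC 6376: a missing c= tag means simple/simple, and a lone
    "c=relaxed" means relaxed headers with a simple body.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", dkim_signature)
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    header, _, body = tags.get("c", "simple/simple").partition("/")
    return header.lower(), (body or "simple").lower()

def uses_simple(dkim_signature):
    """True when either part is still signed with simple canonicalization."""
    return "simple" in canonicalization(dkim_signature)

def dkim_pass_rate(report_xml):
    """Return (pass rate, {source_ip: failed message count}) for one report."""
    # Reports arrive from third parties: parse real ones with a hardened
    # XML parser (for example defusedxml) rather than the stdlib default.
    root = ET.fromstring(report_xml)
    total = passed = 0
    failing = {}
    for record in root.iter("record"):
        row = record.find("row")
        count = int(row.findtext("count", "0"))
        total += count
        if row.findtext("policy_evaluated/dkim") == "pass":
            passed += count
        else:
            ip = row.findtext("source_ip", "unknown")
            failing[ip] = failing.get(ip, 0) + count
    return (passed / total if total else 0.0), failing

# Constructed samples: placeholder hashes and documentation IP ranges.
SIGNATURES = [
    "v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n\tc=relaxed/relaxed; "
    "h=from:subject;\r\n\tbh=PLACEHOLDER; b=PLACEHOLDER",
    "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:subject; "
    "bh=PLACEHOLDER; b=PLACEHOLDER",
    "v=1; a=rsa-sha256; c=relaxed; d=example.com; s=sel1; h=from; "
    "bh=PLACEHOLDER; b=PLACEHOLDER",
]
REPORT = """<feedback>
  <record><row><source_ip>192.0.2.10</source_ip><count>90</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>10</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

if __name__ == "__main__":
    for sig in SIGNATURES:
        print(canonicalization(sig), "needs change" if uses_simple(sig) else "ok")
    print(dkim_pass_rate(REPORT))
```

Comparing the pass rate and the failing source IPs before and after the switch shows whether failures came from canonicalization or from a sender that is not signing correctly at all.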

The core purpose of a DKIM check is to keep threat actors away from your email content during transit. By tweaking your **DKIM canonicalization settings**, you can enhance your DKIM strategy. It helps you kill two birds with one stone. One, your email integrity will remain unaltered and untampered. _Two, there will be minimal cases of false positives, thereby helping your emails reach the right destination_. 

The concept of DKIM canonicalization may appear to be a bit complicated initially. But when you know how to implement it right, DKIM canonicalization can take your DKIM game to the next level. You can seek professional assistance, where we will simplify your entire DKIM strategy, thereby securing your email communications. Our experts ensure that you can continue with seamless business communications while we focus on keeping [threat actors](https://thehackernews.com/2024/07/tag-100-new-threat-actor-uses-open.html) and unnecessary obstacles at bay! Get in touch with us to learn how [DuoCircle](/) can help **safeguard your email systems** with the right canonicalization techniques.

## Topics

DKIM, email header, Security


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.


