--- title: "Decoding Canonicalization: The Reason Behind DKIM Signature Verification Failures | DuoCircle" description: "Decoding Canonicalization: The Reason Behind DKIM Signature Verification Failures." image: "https://www.duocircle.com/images/og-default.png" canonical: "https://www.duocircle.com/blog/email-security/canonicalization-reason-behind-dkim-signature-verification-failures/" --- Quick Answer DKIM canonicalization is the rule that tells receivers how to normalize an email's headers and body before computing the signature hash. The reason it exists: mail in transit gets minor reformatting (whitespace changes, line breaks, case differences) that would otherwise break the signature on every legitimate forward. DKIM offers two algorithms each for headers and body. Simple canonicalization accepts the message exactly as signed; any modification fails verification. Relaxed canonicalization tolerates whitespace collapsing, lowercased header names, and trailing-space removal. Simple is strict and unforgiving in real-world transit; relaxed is permissive enough to survive normal forwarding. The working pattern is relaxed/simple (relaxed for headers, simple for body) or relaxed/relaxed for the most tolerance. To implement: review the current DKIM configuration on your signing MTA, choose canonicalization (c= tag, e.g., c=relaxed/simple), regenerate or update the DKIM record if needed, and test with a tool that shows pass/fail per canonicalization mode. Re-test periodically since gateways and relays evolve. Decoding Canonicalization: The Reason Behind DKIM Signature Verification Failures Your browser does not support the audio element. [ Download episode](https://media.mailhop.org/duocircle/images/2024/05/Decoding-Canonicalization-The-Reason-Behind-DKIM-Signature-Verification-Failures.mp3) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Femail-security%2Fcanonicalization-reason-behind-dkim-signature-verification-failures%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Decoding%20Canonicalization%3A%20The%20Reason%20Behind%20DKIM%20Signature%20Verification%20Failures&url=undefined%2Fblog%2Femail-security%2Fcanonicalization-reason-behind-dkim-signature-verification-failures%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Femail-security%2Fcanonicalization-reason-behind-dkim-signature-verification-failures%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Femail-security%2Fcanonicalization-reason-behind-dkim-signature-verification-failures%2F&title=Decoding%20Canonicalization%3A%20The%20Reason%20Behind%20DKIM%20Signature%20Verification%20Failures "Share on Reddit") [ ](mailto:?subject=Decoding%20Canonicalization%3A%20The%20Reason%20Behind%20DKIM%20Signature%20Verification%20Failures&body=Check out this article: undefined%2Fblog%2Femail-security%2Fcanonicalization-reason-behind-dkim-signature-verification-failures%2F "Share via Email") ![email authentication protocols](https://media.mailhop.org/duocircle/images/2024/05/dkim-record-check.jpg) When you send an email to someone, it embarks on a complex journey before it reaches the recipient’s inbox. While this might seem like a seamless, instantaneous process, it is prone to being tampered with along the way. This is why it is recommended that you **implement DomainKeys Identified Mail** (DKIM) for your [email communications](https://newclimate.org/news/microsoft-error-or-external-attack-causing-disruption-to-email-communication-across-the). If you enable DKIM for your outgoing emails, the receiving server checks them for any tampering that might have happened in transit by matching the [DKIM signature](https://datatracker.ietf.org/doc/html/rfc6376) generated using your [private key](https://www.techtarget.com/searchsecurity/definition/private-key) with the public key published in your domain’s [DNS record](/data-privacy/dns-record-types-defined-and-explained/). _If the private and public **keys match**, the email is considered **good to go**; if not, it might be raised as a red flag._ But the thing is, sometimes even legitimate emails fail DKIM authentication due to **canonicalization issues**, which ultimately jeopardize your domain’s [email authentication](/resources/email-authentication). In this article, let us dig deep into the issue of **DKIM canonicalization** and learn how we can resolve it. ## What is DKIM Canonicalization? To understand DKIM Canonicalization, we take into consideration the possibility that **mail systems can sometimes alter the content** of an email in transit. While these changes are not major (minute alterations like whitespace, line breaks, and case differences), they can hamper the [integrity of the email](https://jatheon.com/blog/email-archiving-message-integrity-verification/) and lead to DKIM failure. [![DKIM keys](https://media.mailhop.org/duocircle/images/2024/05/cross-tenant-migration-office-365-2.jpg)](https://media.mailhop.org/duocircle/images/2024/05/cross-tenant-migration-office-365-2.jpg) However, with DKIM canonicalization, you can **standardize the format** of [email headers](https://proton.me/blog/what-are-email-headers) and body before signing them with a digital signature. What we mean to say is that before an email reaches the recipient, its contents are transformed into a [canonical form](https://en.wikipedia.org/wiki/Canonical%5Fform), a standardized version that is immune to alterations during transit. This ensures that the email reaches the recipient’s inbox exactly as the sender intended to send it in the first place. Let us explain this through an example- Consider the following email addresses: 1. Johndoe@**xyz.com** 2. Johndoe@**XYZ.com** Given the formatting and case variation, it is very apparent that the two **email addresses are different** from each other. This discrepancy wouldn’t really matter when it comes to delivering email to the intended mailbox; they would deliver to the same mailbox. But when DKIM enters the picture, even the slightest alteration like this **can** **pose a challenge**. This surely does impact your organization’s email authentication and [deliverability efforts](https://blogs.oracle.com/marketingcloud/post/email-marketing-trends-unproven-opportunities). Luckily, there are ways to remedy this situation and ascertain that DKIM signatures **pass verification** without canonicalization blocking the way. ## How Can You Address this Challenge? There are **two canonicalization algorithms** that you can leverage to address this challenge: ### Relaxed Canonicalization As you can tell by the name, this is slightly flexible as it gives you some wiggle room for minor alterations in the email content while still ensuring that the DKIM signature verification passes successfully. It removes any discrepancies found between the original email content and the [transformed canonical form](https://artsy.github.io/blog/2013/06/23/normalizing-gmail-email-addresses-with-canonical-emails/) by: - Removing any [white spaces in the body](https://www.computerhope.com/jargon/w/whitspac.htm) - Converting all header names to lowercase - **Ignoring spaces** at the end of header fields ### Simple Canonicalization Simple Canonicalization is a little too simple to take into consideration the minor alterations that happen in an email during its journey from the sender’s outbox to the recipient’s mailbox. This means that this canonicalization algorithm **follows the rule book** to verify that the emails match exactly to the original content signed. _It leaves no scope for even the smallest and seemingly most frivolous alterations like modified space or a [new line break](https://www.pcmag.com/encyclopedia/term/line-break)_. If any discrepancies are found, the **DKIM check will fail**. The **stringent nature** of simple canonicalization makes it complex and unfavorable. As you already know, certain changes and reformatting are inevitable when an email passes through various [email gateways](/content/email-gateway-service/how-email-gateway-works); adopting this unforgiving algorithm becomes difficult in such real-world email environments. _A no-fuss solution to this is to **adopt the relaxed algorithm** for the header while keeping the body canonicalization simple._ [![DKIM](https://media.mailhop.org/duocircle/images/2024/05/Latest-DKIM-Validation-Statistics.jpg)](https://media.mailhop.org/duocircle/images/2024/05/Latest-DKIM-Validation-Statistics.jpg) ## How to Implement DKIM Canonicalization? Before we get into the process, remember that maintaining the integrity and [trustworthiness of your email communications](https://martech.org/email-trustworthiness-heres-how-to-avoid-looking-like-spam/) is **not a one-and-done process** but a continual one that requires regular reviews and updates as technology and standards evolve. Here’s a **step-by-step approach** that you can follow to implement canonicalization effectively: ### Look into your Current Configurations The first step of implementing canonicalization is [auditing your current email setup](https://www.shiftparadigm.com/insights/3-step-email-audit-checklist/). This includes identifying which canonicalization method (**simple or relaxed**) is currently being used for both the [headers](/email-services/learning-to-trace-back-emails-to-their-source-ip-addresses/) and the body of your emails. ### Modify Canonicalization Settings Once you have reviewed your current configurations, the second step is to make adjustments to them. _In this step, change the header canonicalization from **simple to relaxed** to make room for minor modifications without causing [DKIM](/resources/what-is-dkim) checks to fail_. Here, you can also decide if you want to adjust the body canonicalization. [![outbound emails](https://media.mailhop.org/duocircle/images/2024/05/email-sending-services-8907.jpg)](https://media.mailhop.org/duocircle/images/2024/05/email-sending-services-8907.jpg) ### Test the Configurations Before rolling out the updates for all your [outbound emails](/content/outbound-email), ensure that you run new canonicalization settings on a small batch of emails. _Also, make sure to include various content types and formats to better **understand the impact of the changes**._ ### Monitor and Validate After you implement the new configuration across all your emails, monitor the [delivery rates](https://agencyanalytics.com/kpi-definitions/email-delivery-rate) and check for any [DKIM failure reports](/resources/what-is-ruf). This will help you **verify that the changes** you recently made align with your [email deliverability](/a-guide-on-email-deliverability) and integrity goals. Now that you know that implementing DKIM and properly setting up canonicalization can go a long way in protecting against [email spoofing](https://indiatechnologynews.in/90-of-company-attacks-start-with-a-phishing-email-check-point/) and tampering while reiterating its trustworthiness, it’s time to take **proactive action**! Still feeling overwhelmed by all the steps involved in DKIM canonicalization? While it is not as complex as it sounds, it is important to **be careful** when implementing these steps. You can trust our team of experts at DuoCircle to enhance the integrity and trustworthiness of your email communications, ensuring they are **protected against tampering** and [spoofing attacks](https://pc-tablet.co.in/urgent-alert-for-apple-users-a-surge-in-phishing-attacks-demands-password-resets/18556/). Ready to make email authentication a breeze? [Get in touch with us](/contact) to discover all about our services and how they can bolster your [email security](/), ensuring **efficient management** of your email systems. ## Topics email securitySecurityTrendsUpdates ![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) Brad Slavin General Manager General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio. ## Secure your email infrastructure Protect, authenticate, and deliver. Contact our team to find the right solution. [Contact Sales](/contact/) [Explore Products](/products/) ## Related Articles [ Email Security 6m 5 Reasons Why Your Website Needs an SPF Record Flattener? Sep 26, 2023 ](/blog/email-security/5-reasons-why-your-website-needs-an-spf-record-flattener/)[ Email Security 7m Using Email Security Tools Such as Secure Email Gateways and End-To-End Encryption to Protect Email Content and Attachments Mar 9, 2023 ](/blog/email-security/ensure-confidentiality-of-your-emails-with-secure-email-gateways-and-end-to-end-encryption/)[ Email Security 7m 10 Crucial Tips that Will Help You Avoid Spam Filters and Send Better Emails Feb 14, 2023 ](/blog/email-security/10-crucial-tips-that-will-help-you-avoid-spam-filters-and-send-better-emails/)[ Email Security 3m Best Ways to Secure Emails in 2024 Apr 26, 2024 ](/blog/email-security/best-ways-to-secure-emails-in-2024/) ```json {"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"Decoding Canonicalization: The Reason Behind DKIM Signature Verification Failures","description":"Decoding Canonicalization: The Reason Behind DKIM Signature Verification Failures.","url":"https://www.duocircle.com/blog/email-security/canonicalization-reason-behind-dkim-signature-verification-failures/","datePublished":"2024-05-02T14:05:34.000Z","dateModified":"2025-07-15T18:35:45.000Z","dateCreated":"2024-05-02T14:05:34.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/email-security/canonicalization-reason-behind-dkim-signature-verification-failures/"},"articleSection":"email-security","keywords":"email security, Security, Trends, Updates","wordCount":1005,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2024/05/dkim-record-check.jpg","caption":"email authentication protocols","width":900,"height":580},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":2,"name":"Email Security"},{"@type":"ListItem","position":3,"name":"Decoding Canonicalization: The Reason Behind DKIM Signature Verification Failures","item":"https://www.duocircle.com/blog/email-security/canonicalization-reason-behind-dkim-signature-verification-failures/"}]}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":3,"name":"Email Security","item":"https://www.duocircle.comundefined"},{"@type":"ListItem","position":4,"name":"Decoding Canonicalization: The Reason Behind DKIM Signature Verification Failures","item":"https://www.duocircle.com/blog/email-security/canonicalization-reason-behind-dkim-signature-verification-failures/"}]} ``` ```json {"@context":"https://schema.org","@type":"BlogPosting","headline":"Decoding Canonicalization: The Reason Behind DKIM Signature Verification Failures","description":"Decoding Canonicalization: The Reason Behind DKIM Signature Verification Failures.","url":"https://www.duocircle.com/blog/email-security/canonicalization-reason-behind-dkim-signature-verification-failures/","datePublished":"2024-05-02T14:05:34.000Z","dateModified":"2025-07-15T18:35:45.000Z","dateCreated":"2024-05-02T14:05:34.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/email-security/canonicalization-reason-behind-dkim-signature-verification-failures/"},"articleSection":"email-security","keywords":"email security, Security, Trends, Updates","wordCount":1005,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2024/05/dkim-record-check.jpg","caption":"email authentication protocols","width":900,"height":580},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}} ```