---
title: "How does Canonicalization prevent emails from failing DKIM checks? | DMARC Report"
description: "How does Canonicalization prevent emails from failing DKIM checks? from DMARC Report explains practical steps for email authentication, domain protection."
image: "https://dmarcreport.com/og/blog/why-does-dkim-signature-fail-because-of-canonicalization.png"
canonical: "https://dmarcreport.com/blog/why-does-dkim-signature-fail-because-of-canonicalization/"
---

Quick Answer

DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists. DMARC Report Why DKIM Signature Fail Because of Canonicalization?

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fwhy-does-dkim-signature-fail-because-of-canonicalization%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=How%20does%20Canonicalization%20prevent%20emails%20from%20failing%20DKIM%20checks%3F&url=undefined%2Fblog%2Fwhy-does-dkim-signature-fail-because-of-canonicalization%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fwhy-does-dkim-signature-fail-because-of-canonicalization%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fwhy-does-dkim-signature-fail-because-of-canonicalization%2F&title=How%20does%20Canonicalization%20prevent%20emails%20from%20failing%20DKIM%20checks%3F "Share on Reddit") [ ](mailto:?subject=How%20does%20Canonicalization%20prevent%20emails%20from%20failing%20DKIM%20checks%3F&body=Check out this article: undefined%2Fblog%2Fwhy-does-dkim-signature-fail-because-of-canonicalization%2F "Share via Email") 

![How does Canonicalization prevent emails from failing DKIM checks?](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 

## Try Our Free DKIM Lookup

Auto-discover DKIM selectors for any domain - scan 185 common selectors across all major providers.

[ Discover DKIM Selectors → ](/tools/dkim-lookup/) 

![Gmail dmarc 7858 150x150](https://media.mailhop.org/dmarcreport/images/2024/05/gmail-dmarc-7858-150x150.jpg) 

> The support tickets we get after a spoofing incident all start the same way: ‘we didn’t know someone was sending email from our domain,’ says Vasile Diaconu, Operations Lead at DuoCircle. DMARC reporting would have caught it weeks earlier. The cost of monitoring is nothing compared to the cost of a successful impersonation attack.

DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists. DMARC Report

Why DKIM Signature Fail Because of Canonicalization?

```
					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						
```

Play Episode

```
					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						
```

Pause Episode

```
					</button>
				

					<audio preload="none" class="clip clip-12893">
						<source src="https://media.mailhop.org/dmarcreport/images/2024/05/Why-DKIM-Signature-Fail-Because-of-Canonicalization.mp3">
					</audio>
						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								
```

Mute/Unmute Episode

```
							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								
```

Rewind 10 Seconds

```
							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								
```

Fast Forward 30 seconds

```
							</button>
						

							<time class="ssp-timer">00:00</time>
							
```

/

```
							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H1M56S">1:56</time>
			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-12893" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-12893" title="Share">Share</button>
										</nav>

						
```

RSS Feed

```
							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-12893" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-12893" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

						Share						
					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/why-does-dkim-signature-fail-because-of-canonicalization/&t=Why DKIM Signature Fail Because of Canonicalization?" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/why-does-dkim-signature-fail-because-of-canonicalization/&url=Why DKIM Signature Fail Because of Canonicalization?" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="https://media.mailhop.org/dmarcreport/images/2024/05/Why-DKIM-Signature-Fail-Because-of-Canonicalization.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

						Link						
					

						<input value="https://dmarcreport.com/blog/podcast/why-does-dkim-signature-fail-because-of-canonicalization/" class="input-link input-link-12893" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-12893" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
					

						Embed						

					
```

/\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-12893” readonly/>

```
					<button class="copy-embed copy-embed-12893" title="Copy Embed Code" aria-label="Copy Embed Code"></button>


```

There is a \*\*multi-step journey between your outbox and the recipient’s inbox. _Since the process is very quick, we don’t realize that when an email is in transit, it’s prone to tampering and modifications by malicious actors_. You can deploy [DKIM](https://dmarcreport.com/what-is-dkim/) (DomainKeys Identified Mail) to ensure nobody tampers with your emails in transit and prevent instances of phishing, spoofing, impersonation, etc.

DKIM works by digitally signing outgoing emails with a unique [private key](https://www.techtarget.com/searchsecurity/definition/private-key) linked with the sending domain. _The public key corresponding to the private key is published in the domain’s DNS_. When a recipient [mail server](https://monovm.com/blog/what-is-mail-server/) receives an email, it retrieves the sender’s public key and uses it to verify the signature attached to the message. If the **signature is valid**, the message is considered authentic. DKIM helps prevent [email spoofing](https://timesofindia.indiatimes.com/city/pune/it-consultant-loses-10l-to-email-spoofing-fraud/articleshow/107002898.cms) and tampering, enhancing email security by allowing recipients to verify the origin and integrity of incoming messa

But sometimes false negatives are raised because of inadvertent changes. But **thankfully, with canonicalization**, this issue can be resolved.

## What is DKIM Canonicalization?

Sometimes, **minor alterations**, like white space, line breaks, and case differences, occur with emails when they are in transit. These changes are not major, but they still interfere with the normal workings of DKIM and lead to failures or errors .

But with DKIM canonicalization, you can set a standard [email header](https://proton.me/blog/what-are-email-headers) and body content format before signing them with a [digital signature](https://en.wikipedia.org/wiki/Digital%5Fsignature). So, basically, the content gets formed in a canonical way before reaching the recipient’s inbox. _This prevents [bad actors from fiddling with the email](https://www.cpomagazine.com/cyber-security/barracuda-esg-zero-day-attacks-by-chinese-hackers-compromised-numerous-u-s-government-email-severs/) content in transit and ensuring it reaches the recipient in the \*\*same format as it was created with_.

Without DKIM, it doesn’t matter if you mention [clark@domain.com](mailto:clark@domain.com) or [clark@DOMAIN.com](mailto:clark@DOMAIN.com) in the ‘send to’ address line, but when DKIM comes into the picture, even the \*\*slightest alteration stands as a challenge. This affects the [email deliverability](https://dmarcreport.com/blog/why-is-email-deliverability-important-for-online-businesses/) rate and [sender reputation](https://www.campaignmonitor.com/resources/knowledge-base/what-is-email-sender-reputation/) of your domain, and the byproduct of which is failing to communicate through emails.

![Dmarc analyzer](https://media.mailhop.org/dmarcreport/images/2024/05/dmarc-analyzer-8.jpg) 

## How to Fix the Issue?

There are two techniques to fix the issue-relaxed **canonicalization and simple canonicalization**.

## 1\. Relaxed Canonicalization

_This is a more flexible method of fixing the issue as you get some wiggle room for slight modifications in the email content while still letting DKIM ensure that the confirmation happens efficiently_. In relaxed canonicalization, discrepancies detected between the original and modified content are removed by eliminating unnecessary [white spaces](https://uplandsoftware.com/adestra/resources/blog/more-is-less-whitespace/), converting all header names to lowercase, and overlooking extra spaces at the end of the header fields.

## 2\. Simple Canonicalization

In simple canonicalization, **minor alterations are not considered**, which means the algorithm religiously follows the rule book to check if the content was altered in transit or not. So, there is no scope for even tiny changes to pass through, even new line breaks. The [DKIM authentication](https://dmarcreport.com/blog/secure-your-email-communication-by-achieving-the-highest-authentication-standards-with-dkim-signatures/) will show a ‘fail’ status if any **modifications are detected**.

The strict nature of this algorithm makes it complicated, and hence, not many domain owners adopt it. This is because some changes are inevitable, and you can’t really afford to have important \*\*emails get marked as spam or [bounce back](https://snov.io/blog/email-bounce-back/). This can affect your rapport and operations at multiple levels.

So, it’s \*\*better to adopt the relaxed canonicalization method to fix the issue.

## How Do You Implement DKIM Canonicalization?

Maintaining [email security](https://dmarcreport.com/what-is-dmarc/) and integrity is a continuous process that involves monitoring and adjustments. Here’s a \*\*step-by-step guide on implementing DKIM for your domain-

## 1\. Check the Current Configurations

_To begin with the process of implementing canonicalization you must audit the settings of the current email setup_. Understand which **canonicalization method (simple or relaxed)** you are currently using for both the headers and bodies of emails .

## 2\. Adjust Canonicalization Settings

After auditing the settings of the current email setup, make necessary adjustments to them. If you are using the simple canonicalization method, then switch to the \*\*relaxed algorithm so that there is some leniency for minor alterations like white space or changes in font. This will minimize the instances of [false positives](https://www.nospamproxy.de/en/what-is-a-false-positive-and-what-is-a-false-negative/) for genuine emails sent from your domain.

## 3\. Test the Configurations

Before updating the modifications for all the emails sent from your domain, \*\*monitor the delivery rate and [DKIM failure](https://dmarcreport.com/blog/10-reasons-why-dkim-fails/) reports to evaluate whether you still need to make any changes. _Remember to include multiple content types and formats to determine the effect of the changes_.

![Create dmarc record](https://media.mailhop.org/dmarcreport/images/2024/05/create-dmarc-record-6848.jpg) 

## 4\. Monitor and Validate

Once you’ve updated your email settings, keep an eye on how well your emails are getting through, and watch out for any DKIM issues. This helps you make sure your changes are helping your emails reach their destination and **staying safe from tampering**.

Now that you see how DKIM can stop people from [faking your emails](https://www.infosecurity-magazine.com/news/wormgpt-fake-emails-bec-attacks/) and messing with them, it’s time to take action! If you’re finding all this DKIM stuff a bit confusing, don’t worry - it’s not as tricky as it seems, but it’s **important to get it right**. You can count on our experts at [DMARCReport](https://dmarcreport.com/) to make sure your emails are secure and trustworthy , so they can’t be tampered with or faked. Ready to make sure your emails are safe and sound? [Reach out to us](https://dmarcreport.com/contact/) to find out how we can help you manage and protect your email systems with ease.

## Topics

[ dkim ](/tags/dkim/)[ email security ](/tags/email-security/) 

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Take control of your DMARC reports

Turn raw XML into actionable dashboards. Start free - no credit card required.

[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) 

## Related Articles

[  Intermediate 8m  Decoding I-Tag DKIM Vulnerability and Its Impact on Email Deliverability and Security  Jun 6, 2024 ](/blog/decoding-i-tag-dkim-vulnerability-and-its-impact-on-email-security/)[  Intermediate 4m  Getting Rid of Common SPF Errors for Email Security and Delivery  Dec 20, 2023 ](/blog/getting-rid-of-common-spf-errors-for-email-security-and-delivery/)[  Intermediate 5m  Improving Email Security With DKIM  Dec 8, 2023 ](/blog/improving-email-security-with-dkim/)[  Intermediate 3m  The Emergence of DKIM: A Cryptography-Based Email Authentication Protocol  Nov 29, 2023 ](/blog/the-emergence-of-dkim-a-cryptography-based-email-authentication-protocol/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"How does Canonicalization prevent emails from failing DKIM checks?","description":"How does Canonicalization prevent emails from failing DKIM checks? from DMARC Report explains practical steps for email authentication, domain protection.","url":"https://dmarcreport.com/blog/why-does-dkim-signature-fail-because-of-canonicalization/","datePublished":"2024-05-13T09:22:34.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2024-05-13T09:22:34.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/why-does-dkim-signature-fail-because-of-canonicalization/"},"articleSection":"intermediate","keywords":"dkim, email security","wordCount":1194,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"How does Canonicalization prevent emails from failing DKIM checks?","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://dmarcreport.com/intermediate/"},{"@type":"ListItem","position":4,"name":"How does Canonicalization prevent emails from failing DKIM checks?","item":"https://dmarcreport.com/blog/why-does-dkim-signature-fail-because-of-canonicalization/"}]}
```