How does Canonicalization prevent emails from failing DKIM checks?
Quick Answer
DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding — which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists.
“The support tickets we get after a spoofing incident all start the same way: ‘we didn’t know someone was sending email from our domain,’” says Vasile Diaconu, Operations Lead at DuoCircle. “DMARC reporting would have caught it weeks earlier. The cost of monitoring is nothing compared to the cost of a successful impersonation attack.”
Why Does a DKIM Signature Fail Because of Canonicalization?
There is a multi-step journey between your outbox and the recipient’s inbox. Because the process is so quick, we rarely consider that an email in transit is exposed to tampering and modification by malicious actors. You can deploy DKIM (DomainKeys Identified Mail) to ensure that nobody can tamper with your emails in transit without the recipient noticing, and to counter phishing, spoofing, impersonation, and similar abuse.
DKIM works by digitally signing outgoing emails with a private key tied to the sending domain. The corresponding public key is published in the domain’s DNS. When a receiving mail server gets the email, it retrieves the sender’s public key and uses it to verify the signature attached to the message. If the signature is valid, the message is considered authentic. DKIM helps prevent email spoofing and tampering, and it enhances email security by allowing recipients to verify the origin and integrity of incoming messages.
But sometimes legitimate messages fail verification because of inadvertent changes made in transit. Thankfully, canonicalization addresses this problem.
What is DKIM Canonicalization?
Sometimes minor alterations, such as changes in white space, line breaks, and letter case, happen to emails while they are in transit. These changes are not major, but they still interfere with the normal working of DKIM and lead to verification failures or errors.
With DKIM canonicalization, the email header and body are normalized into a standard format before they are signed, and the receiver applies the same normalization before verifying. So, basically, the content is put into a canonical form before it is checked at the recipient’s end. This keeps the signature valid through harmless reformatting while still letting DKIM catch bad actors fiddling with the email content in transit, so the email reaches the recipient in the same form as it was created.
Without DKIM, it doesn’t matter whether you write clark@domain.com or clark@DOMAIN.com in the ‘send to’ address line, but once DKIM comes into the picture, even the slightest alteration becomes a problem. This affects the email deliverability rate and the sender reputation of your domain, and the by-product is a failure to communicate through email.
How to Fix the Issue?
There are two canonicalization algorithms available to fix the issue: relaxed canonicalization and simple canonicalization.
1. Relaxed Canonicalization
This is the more flexible method, giving some wiggle room for slight modifications to the email content while still letting DKIM confirm that the message is genuine. In relaxed canonicalization, harmless discrepancies between the original and the delivered content are removed before hashing: runs of white space are collapsed, header names are converted to lowercase, and extra spaces at the end of header fields are ignored.
2. Simple Canonicalization
In simple canonicalization, minor alterations are not tolerated: the algorithm follows the rule book to the letter when checking whether the content was altered in transit. There is no scope for even tiny changes to pass through, not even new line breaks. DKIM authentication will show a ‘fail’ status if any modification is detected.
The strict nature of this algorithm makes it hard to live with, and hence not many domain owners adopt it. Some changes in transit are inevitable, and you cannot afford to have important emails marked as spam or bounced. This can affect your rapport and operations at multiple levels.
So, it is better to adopt the relaxed canonicalization method to fix the issue.
How Do You Implement DKIM Canonicalization?
Maintaining email security and integrity is a continuous process that involves monitoring and adjustment. Here is a step-by-step guide to implementing DKIM canonicalization for your domain:
1. Check the Current Configurations
To begin implementing canonicalization, audit the settings of your current email setup. Find out which canonicalization method (simple or relaxed) you are currently using for both the headers and the bodies of your emails.
2. Adjust Canonicalization Settings
After auditing the current settings, make the necessary adjustments. If you are using the simple canonicalization method, switch to the relaxed algorithm so that there is some leniency for minor alterations like white space or changes in font. This will minimize the instances of false positives for genuine emails sent from your domain.
3. Test the Configurations
Before rolling the modifications out to all emails sent from your domain, monitor the delivery rate and DKIM failure reports to evaluate whether you still need to make changes. Remember to include multiple content types and formats in the test to determine the effect of the changes.
4. Monitor and Validate
Once you’ve updated your email settings, keep an eye on how well your emails are getting through, and watch out for any DKIM issues. This helps you make sure your changes are helping your emails reach their destination and staying safe from tampering.
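As an added example (not code from the page or from DMARC Report), the Python below implements the relaxed and simple canonicalization rules of RFC 6376 that the two methods above describe, hashes a constructed message body before and after a relay has touched its whitespace, and reads the c= tag of a DKIM-Signature value for the audit in step 1. The message, header and signature values are constructed samples, and the lowercasing in relaxed mode applies to the header field name only.

```python
import base64
import hashlib
import re

def relaxed_header(field: str) -> str:
    # RFC 6376 s3.4.2: lowercase name, unfold, collapse WSP runs, trim around ':'
    name, value = field.split(":", 1)
    value = re.sub(r"\r?\n[ \t]+", " ", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def relaxed_body(body: str) -> str:
    # RFC 6376 s3.4.4: strip trailing WSP per line, collapse WSP runs, drop trailing empty lines
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def simple_body(body: str) -> str:
    # RFC 6376 s3.4.3: only empty lines at the end are removed; anything else alters the hash
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith("\r\n") else body + "\r\n"

def body_hash(canonical_body: str) -> str:
    # The bh= tag value: base64 of SHA-256 over the canonicalized body
    return base64.b64encode(hashlib.sha256(canonical_body.encode()).digest()).decode()

def canon_modes(dkim_signature: str) -> tuple:
    # Audit step 1: read c=. Absent means simple/simple; a lone value sets the header only (s3.5)
    tags = dict(t.strip().split("=", 1) for t in dkim_signature.split(";") if "=" in t)
    header, _, body = tags.get("c", "simple").partition("/")
    return header.strip(), body.strip() or "simple"

# Constructed sample: the relayed copy picked up trailing spaces, a doubled space and
# an extra blank line, the kind of harmless edits an intermediate MTA can introduce.
ORIGINAL_BODY = "Hello,\r\n\r\nPlease review the attached invoice.\r\n"
RELAYED_BODY = "Hello,   \r\n\r\nPlease  review the attached invoice.\r\n\r\n"
ORIGINAL_HDR = "Subject:  Re:   Invoice\r\n"
RELAYED_HDR = "subject: Re: Invoice\r\n"
SAMPLE_SIG = "v=1; a=rsa-sha256; c=relaxed; d=example.com; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER"

def compare() -> dict:
    # True where the canonical form (so the hash) survives relay; simple header mode (s3.4.1) hashes the field as sent
    return {
        "relaxed_body": body_hash(relaxed_body(ORIGINAL_BODY)) == body_hash(relaxed_body(RELAYED_BODY)),
        "simple_body": body_hash(simple_body(ORIGINAL_BODY)) == body_hash(simple_body(RELAYED_BODY)),
        "relaxed_header": relaxed_header(ORIGINAL_HDR) == relaxed_header(RELAYED_HDR),
        "simple_header": ORIGINAL_HDR == RELAYED_HDR,
    }
```

Running `compare()` reports that both relaxed forms still match after the relay while both simple forms do not, which is exactly the failure the article describes; `canon_modes(SAMPLE_SIG)` shows that a bare `c=relaxed` still leaves the body in simple mode.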
Now that you see how DKIM can stop people from faking your emails and messing with them, it’s time to take action! If you’re finding all this DKIM stuff a bit confusing, don’t worry—it’s not as tricky as it seems, but it’s important to get it right. You can count on our experts at DMARCReport to make sure your emails are secure and trustworthy, so they can’t be tampered with or faked. Ready to make sure your emails are safe and sound? Reach out to us to find out how we can help you manage and protect your email systems with ease.
CEO
Founder and CEO of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.