Why Does DKIM Signature Fail Because of Canonicalization?

DMARCReport Audio
DMARC Report
Why DKIM Signature Fail Because of Canonicalization?

There is a multi-step journey between your outbox and the recipient’s inbox. Since the process is very quick, we don’t realize that when an email is in transit, it’s prone to tampering and modifications by malicious actors. You can deploy DKIM (DomainKeys Identified Mail) to ensure nobody tampers with your emails in transit and prevent instances of phishing, spoofing, impersonation, etc.

DKIM works by digitally signing outgoing emails with a unique private key linked with the sending domain. The public key corresponding to the private key is published in the domain’s DNS. When a recipient mail server receives an email, it retrieves the sender’s public key and uses it to verify the signature attached to the message. If the signature is valid, the message is considered authentic. DKIM helps prevent email spoofing and tampering, enhancing email security by allowing recipients to verify the origin and integrity of incoming messages.

But sometimes false negatives are raised, and this happens due to canonicalization issue that can give threat actors the opportunity to send fraudulent emails on your behalf.

email security

What is DKIM Canonicalization?

Sometimes, minor alterations, like white space, line breaks, and case differences, occur with emails when they are in transit. These changes are not major, but they still interfere with the normal workings of DKIM and lead to failures or errors.

But with DKIM canonicalization, you can set a standard email header and body content format before signing them with a digital signature. So, basically, the content gets formed in a canonical way before reaching the recipient’s inbox. This prevents bad actors from fiddling with the email content in transit and ensuring it reaches the recipient in the same format as it was created with.

Without DKIM, it doesn’t matter if you mention or in the ‘send to’ address line, but when DKIM comes into the picture, even the slightest alteration stands as a challenge. This affects the email deliverability rate and sender reputation of your domain, and the byproduct of which is failing to communicate through emails. 


Image sourced from

How to Fix the Issue?

There are two techniques to fix the issue-relaxed canonicalization and simple canonicalization.

1. Relaxed Canonicalization

This is a more flexible method of fixing the issue as you get some wiggle room for slight modifications in the email content while still letting DKIM ensure that the confirmation happens efficiently. In relaxed canonicalization, discrepancies detected between the original and modified content are removed by eliminating unnecessary white spaces, converting all header names to lowercase, and overlooking extra spaces at the end of the header fields.

2. Simple Canonicalization

In simple canonicalization, minor alterations are not considered, which means the algorithm religiously follows the rule book to check if the content was altered in transit or not. So, there is no scope for even tiny changes to pass through, even new line breaks. The DKIM authentication will show a ‘fail’ status if any modifications are detected

The strict nature of this algorithm makes it complicated, and hence, not many domain owners adopt it. This is because some changes are inevitable, and you can’t really afford to have important emails get marked as spam or bounce back. This can affect your rapport and operations at multiple levels. 

So, it’s better to adopt the relaxed canonicalization method to fix the issue. 

Implementing DKIM Canonicalization

Maintaining email security and integrity is a continuous process that involves monitoring and adjustments. Here’s a step-by-step guide on implementing DKIM for your domain-

1. Check the Current Configurations

To begin with the process of implementing canonicalization you must audit the settings of the current email setup. Understand which canonicalization method (simple or relaxed) you are currently using for both the headers and bodies of emails.

2. Adjust Canonicalization Settings

After auditing the settings of the current email setup, make necessary adjustments to them. If you are using the simple canonicalization method, then switch to the relaxed algorithm so that there is some leniency for minor alterations like white space or changes in font. This will minimize the instances of false positives for genuine emails sent from your domain. 

3. Test the Configurations

Before updating the modifications for all the emails sent from your domain, monitor the delivery rate and DKIM failure reports to evaluate whether you still need to make any changes. Remember to include multiple content types and formats to determine the effect of the changes.

4. Monitor and Validate

Once you’ve updated your email settings, keep an eye on how well your emails are getting through, and watch out for any DKIM issues. This helps you make sure your changes are helping your emails reach their destination and staying safe from tampering.

Now that you see how DKIM can stop people from faking your emails and messing with them, it’s time to take action! If you’re finding all this DKIM stuff a bit confusing, don’t worry—it’s not as tricky as it seems, but it’s important to get it right. You can count on our experts at DMARCReport to make sure your emails are secure and trustworthy, so they can’t be tampered with or faked. Ready to make sure your emails are safe and sound? Reach out to us to find out how we can help you manage and protect your email systems with ease.

Similar Posts