Why would I choose simple over relaxed canonicalization for DKIM?

James A. Rosen picture James A. Rosen · Dec 28, 2011 · Viewed 10.1k times · Source

DKIM supports two canonicalization schemes: relaxed and simple. The former is more lenient and allows for intermediary mailers to modify the email to a limited degree.

The only data I could find is a survey of implementations that shows the vast majority of email senders using relaxed canonicalization both for headers and body. (Noticeable fewer use relaxed for the body, but it's still a definite majority.)

The DKIM specification says that all clients have to support both canonicalization forms if they support DKIM, so that doesn't seem like a major factor. Both schemes allow intermediaries to add headers. The only distinction I can tell is in the handling of the case of header names (not values) and the whitespace within a header. Given that, it seems like relaxed will always have at least as good deliverability, which is the aim of DKIM.

(Of course, if I want to actually sign my emails to attest to their contents, I'd use S/MIME and certificates. DKIM is strictly about deliverability, right?)

Answer

Greg Hewgill picture Greg Hewgill · Dec 28, 2011

I suppose that simple canonicalization is available as a choice for senders who wish to have a less computationally intensive signing method, at the possible cost of some deliverability. The difference in complexity isn't that much, but it might make an appreciable difference for large bulk senders.