DKIM glossary

What does c=relaxed/relaxed mean in a DKIM signature?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

c=relaxed/relaxed sets canonicalization for a DKIM signature — how much the header and body are normalized before hashing. relaxed tolerates whitespace and header-case changes; simple demands a byte-exact match. relaxed/relaxed is the pragmatic default because mail servers routinely reflow whitespace in transit.

c=relaxed/relaxed at a glance
Tagc (canonicalization)
Valid valuesheader/body, each simple or relaxed — e.g. relaxed/relaxed, simple/simple, relaxed/simple
DefaultIf c= is omitted, DKIM defaults to simple/simple (the strict, byte-exact mode).
Where it goesIn the DKIM-Signature header, expressed as header-algo/body-algo.

How c=relaxed/relaxed works

Before hashing, DKIM canonicalizes the message — normalizes it — so trivial changes don't automatically break the signature. The c= tag sets two algorithms at once: one for the headers, one for the body, written header/body.

simple is byte-exact: change a single character, even whitespace, and the hash no longer matches. relaxed is more forgiving — it collapses runs of whitespace and tolerates header-case changes and folding. relaxed/relaxed is the pragmatic default because mail servers and gateways routinely reflow whitespace and rewrap headers in transit.

simple canonicalization is exactly why some signatures break in flight with no one at fault: a legitimate relay lightly reformats the message, the byte-exact hash fails, and DKIM reports a failure even though the content is genuine. Choosing relaxed removes most of that fragility.

Correct record vs common mistake

Correct

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; ...

Relaxed canonicalization on both header and body tolerates the whitespace and header changes that normal mail routing introduces.

Common mistake

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; ...

Byte-exact on both sides. Any relay that reflows whitespace or rewraps a header breaks the hash — legitimate mail can fail DKIM through no fault of the sender.

Troubleshooting c=relaxed/relaxed

IssueLikely causeFix
Signatures break after forwardingsimple canonicalization fails on any whitespace or header change in transitSwitch signing to relaxed/relaxed so routine reformatting no longer breaks the hash
Body hash fails on some paths onlyA gateway reflows the body; simple body canonicalization can't tolerate itUse relaxed body canonicalization; also check for gateways appending footers
Intermittent, unreproducible DKIM failuresFragile canonicalization interacting with specific relaysMove to relaxed/relaxed and re-check reports; failures from reformatting should clear

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

When client mail flows through forwarders, security gateways, or mailing lists, simple canonicalization turns routine reformatting into DKIM failures. Multiply that across tenants and you get intermittent, hard-to-reproduce failures that look like a spoofing problem but are really a canonicalization choice.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Palisade reads the pass/fail pattern in each client's reports, so signatures breaking from fragile canonicalization stand out — letting you fix the setup before it costs the domain a clean path to reject.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

It sets DKIM canonicalization to relaxed for both the header and the body — the message is normalized (whitespace collapsed, header case tolerated) before hashing, so ordinary reformatting in transit doesn't break the signature.

Simple is byte-exact — any change breaks the hash. Relaxed tolerates whitespace collapsing and header-case or folding changes. Relaxed is more robust across real mail routing.

relaxed/relaxed for most senders. It survives the whitespace and header reflowing that relays and gateways routinely apply, so fewer legitimate messages fail DKIM.

If the c= tag is omitted, DKIM defaults to simple/simple — the strict, byte-exact mode. Most senders set relaxed/relaxed explicitly instead.

Related terms

What is DKIM? DomainKeys Identified Mail explained