DKIM glossary
What does c=relaxed/relaxed mean in a DKIM signature?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
c=relaxed/relaxed sets canonicalization for a DKIM signature — how much the header and body are normalized before hashing. relaxed tolerates whitespace and header-case changes; simple demands a byte-exact match. relaxed/relaxed is the pragmatic default because mail servers routinely reflow whitespace in transit.
c=relaxed/relaxed at a glance | |
|---|---|
| Tag | c (canonicalization) |
| Valid values | header/body, each simple or relaxed — e.g. relaxed/relaxed, simple/simple, relaxed/simple |
| Default | If c= is omitted, DKIM defaults to simple/simple (the strict, byte-exact mode). |
| Where it goes | In the DKIM-Signature header, expressed as header-algo/body-algo. |
How c=relaxed/relaxed works
Before hashing, DKIM canonicalizes the message — normalizes it — so trivial changes don't automatically break the signature. The c= tag sets two algorithms at once: one for the headers, one for the body, written header/body.
simple is byte-exact: change a single character, even whitespace, and the hash no longer matches. relaxed is more forgiving — it collapses runs of whitespace and tolerates header-case changes and folding. relaxed/relaxed is the pragmatic default because mail servers and gateways routinely reflow whitespace and rewrap headers in transit.
simple canonicalization is exactly why some signatures break in flight with no one at fault: a legitimate relay lightly reformats the message, the byte-exact hash fails, and DKIM reports a failure even though the content is genuine. Choosing relaxed removes most of that fragility.
Correct record vs common mistake
Correct
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; ...Relaxed canonicalization on both header and body tolerates the whitespace and header changes that normal mail routing introduces.
Common mistake
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; ...Byte-exact on both sides. Any relay that reflows whitespace or rewraps a header breaks the hash — legitimate mail can fail DKIM through no fault of the sender.
Troubleshooting c=relaxed/relaxed
| Issue | Likely cause | Fix |
|---|---|---|
| Signatures break after forwarding | simple canonicalization fails on any whitespace or header change in transit | Switch signing to relaxed/relaxed so routine reformatting no longer breaks the hash |
| Body hash fails on some paths only | A gateway reflows the body; simple body canonicalization can't tolerate it | Use relaxed body canonicalization; also check for gateways appending footers |
| Intermittent, unreproducible DKIM failures | Fragile canonicalization interacting with specific relays | Move to relaxed/relaxed and re-check reports; failures from reformatting should clear |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
When client mail flows through forwarders, security gateways, or mailing lists, simple canonicalization turns routine reformatting into DKIM failures. Multiply that across tenants and you get intermittent, hard-to-reproduce failures that look like a spoofing problem but are really a canonicalization choice.
Trusted by MSPs
“Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.”
Alvin Kalli — CSIO, MSP Corp

































Enforce it — don't just monitor it
Palisade reads the pass/fail pattern in each client's reports, so signatures breaking from fragile canonicalization stand out — letting you fix the setup before it costs the domain a clean path to reject.
Free 15-day trial · No credit card · Your own domain free forever (NFR)