Resolving DKIM Signature Verification Failures Due to Canonicalization Issues
DomainKeys Identified Mail (DKIM) is an email security standard designed to help prevent email spoofing. It works by adding a “tamper-proof” seal to email messages, ensuring their authenticity and integrity. However, sometimes legitimate emails fail DKIM signature verification due to canonicalization issues, leading to email delivery problems. This article explains how to resolve these issues by adjusting DKIM canonicalization settings on your email gateway systems.
Below is a representation of how DKIM works in an email infrastructure:
Here’s a brief DKIM overview to help you understand its role in email authentication and DMARC.
Understanding DKIM Canonicalization
Canonicalization in DKIM refers to the method used to prepare an email’s header and body for signing. According to RFC 6376 Section 3.4, there are two canonicalization algorithms for header and body: simple and relaxed. The choice between these settings affects how strictly the email’s content must match the sending and receiving ends for the DKIM signature to be considered valid.
- Simple canonicalization: Imagine ensuring every element of an email matches precisely, like two identical puzzles. Any minor change, like a shifted puzzle piece, could cause a mismatch. This strictness can lead to verification errors due to small, often harmless, alterations in the email’s path to its destination.
- Relaxed canonicalization: Think of it like assembling a puzzle where the pieces vary slightly in size. As long as the pieces fit together well enough to complete the overall image, minor variations in how each piece is cut or fits are acceptable. This reduces the risk of DKIM verification issues in an email environment for minor email format alterations.
Problem
A common issue with DKIM signature verification failures can originate from using simple canonicalization. When an email passes through various mail gateways, its content might be reformatted (e.g., changes in linefeeds, whitespace). If the DKIM signing profile is set to simple/simple canonicalization, even minor modifications can cause the DKIM signature to not match, leading to verification failures.
Solution
Switching the header canonicalization from simple to relaxed while keeping the body canonicalization simple can mitigate this issue. This change allows for slight whitespace and line formatting modifications without invalidating the DKIM signature.
Implementation Steps
- Review your current configuration: Identify your email gateway’s current DKIM signing profiles and check if they are set to use simple/simple canonicalization for headers and bodies.
- Adjust canonicalization settings: Change the header canonicalization setting from simple to relaxed. Then, evaluate whether you also wish to change the body canonicalization.
- Test the configuration: Before applying the change broadly, test the new configuration with a small group of users or email streams to ensure it resolves the signature verification issue without introducing new problems.
- Monitor and validate: After applying the new settings, monitor your email delivery rates and check for any reports of DKIM verification issues. Validate that the change does not affect the overall email deliverability and integrity.
A lesson from the past
Some time ago, a notable bank chose simple canonicalization for its DKIM configuration, a decision driven by the security team’s evaluation of the options. The team deemed relaxed canonicalization unacceptable based on their standards. In reality, the security team lacked a deep understanding of this choice and simplified their decision based on semantics: “relaxed” just didn’t seem good for their security posture.
Looking back, the security team could have avoided such misunderstandings by labeling the options option 1 and option 2 instead. Practically speaking, relaxed canonicalization often proves more advantageous in enhancing the chances of successful email verification. This highlights how technical details are more important than the names we give them.
Switching to relaxed canonicalization for headers (and possibly bodies) can resolve issues with DKIM signature verification failures due to minor alterations in email formatting during transit. This adjustment can improve the acceptance rate of emails by receiving servers without compromising their security or integrity.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.
