• DKIM
  • email security
  • Spam

What is a DKIM Replay Attack?

How to strengthen your email authentication and protect against domain abuse

Malicious actors are always exploring new ways to access email inboxes. Over the past few years, cyber criminals have been using a method known as a ‘DKIM Replay Attack’, in which high reputation mailboxes are used to generate a legitimate message signature, which can then be amplified (or replayed) multiple times to send spam messages. Recipients using Gmail are particularly at risk to this type of attack since they give a lot of weight to domain reputation.

What is a DKIM replay attack?

To understand DKIM replay attacks, we first need to understand what DKIM does. DKIM, or “DomainKeys Identified Mail” (defined in RFC 6376), is a mechanism to sign and authenticate an email with public/private key pairs by signing one or more headers in an email. 

However, the flexibility of the technology allows a DKIM signature domain to be different to the domain in the from header. If the DKIM signature is verified, this only confirms that the message went through the signing domain’s mail servers and has not been modified since, despite the message not originating from where it claims to. 

If an attacker can create or otherwise gain access to a mailbox using a domain with a high reputation, that attacker only needs to send a single email from that high reputation domain to another mailbox they control. This message can then be used to re-broadcast a message to recipients not originally intended by the original author.

How can you strengthen your signing to prevent being a victim?

There are multiple ways to leverage mechanisms within the DKIM specification to make sure you are not vulnerable to DKIM replay attacks. It’s worth noting that most, if not all, of these methods will depend on your email provider’s DKIM signing settings, if you do not host your own. You are encouraged to ask your ESP (Email Service Provider) whether they perform any of the strategies within this blog post.

The first mitigation strategy, and possibly the easiest for ESPs to implement, is to oversign headers. This is particularly important for headers that, if modified, would cause the message to fail DKIM authentication.

Consider the key snippet below, in which you can see that only three headers are included in the signature: message-id, date and from

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=20210112;
h=message-id:date:from; bh=1Gi...6+FidE=; b=Qpozy...4qMw==

This means the attacker just needs to keep those fields the same to keep the DKIM signature intact, and they can change all the other headers (including the subject!).

Let’s take the following signature from Google, where you can see that they sign nearly every header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=redsift.io; s=google; t=1692646848; x=1693251648; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject:date:message-id:reply-to;bh=nfCPN8ZH96qE7/cjuGo1YMrjN7ITuZjKcbvBaUe8zp4=;

By oversigning headers, you make it much harder to add or change headers, making this attack less attractive to malicious actors.

Another mitigation strategy is to use key timestamps and expiration dates. There are two tags in the DKIM specification; one indicating the time that a signature was added, and the other indicating the expiration for that signature. 

Take the example below:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=20210112; t=1665514330; x=1665812312;
  • The tag t= represents the signature’s creation time as a Unix epoch timestamp
  • The tag x= represents the signature’s expiration time as a Unix epoch timestamp

You could also use reputation-based indicators and use different selectors for different kinds of accounts. For example, high-risk accounts have DKIM signatures that expire 10 minutes after signing, while low-risk accounts have DKIM signatures that expire in 24 hours. 

On a similar note, rotating your keys will also help mitigate DKIM replay attacks, for which you can find out more information in this blog post.

Lastly, you can use selectors as feedback mechanisms. To achieve this, you’ll need to tag high risk or trial accounts with a different DKIM selector and track excessive usage of the selector via DMARC reports. DMARC reporting software such as OnDMARC can support you if you decide to use this method.

What are the consequences of DKIM replay attacks?

If a cyber criminal successfully replays a message and replaces the content with spam or other malicious content, spam filters would start picking up the signals and would catch up with the influx of replayed spam messages. If it’s a large or sustained enough campaign, the reputation of the signing domain will be negatively impacted, and legitimate, clean messages will be sent to spam (or even possibly outright blocked).

If you’re still skeptical about DKIM practices and management, then head out to our investigate tool to know about errors and ways to fix them.

check email dmarc setup

PUBLISHED BY

Faisal Misle

1 Sep. 2023

SHARE ARTICLE:

Categories

Email

Related articles

Red Sift’s Quarterly Product Release, Fall 2025Red Sift’s AI Agent, Part III: Performance in action41% of top Fintech companies are vulnerable to email phishingNew in Certificates Lite: Active certificate scanning and smarter expiry alertsRed Sift’s AI Agent, Part II: Optimization for accuracy and scale

Recent Posts

VIEW ALL
Product Release
5 Nov. 2025

Red Sift’s Quarterly Product Release, Fall 2025

Francesca Rünger-Field

This Fall marks a major expansion of Red Sift Brand Trust with the launch of Social Media Monitoring, a new add-on that helps organizations detect and respond to fraudulent company and executive profiles across platforms such as Facebook, Instagram, LinkedIn, TikTok, and X. By extending protection beyond domains, Brand Trust now gives security teams…

Read more
AI
22 Oct. 2025

Red Sift’s AI Agent, Part III: Performance in action

Phong Nguyen

This is the third article in our AI Agent series. In Part 1, we introduced Red Sift’s AI Agent for lookalike classification – an intelligent solution for handling the ambiguous cases that rule-based automation can’t confidently resolve, offering analyst-grade triage autonomously. In Part 2, we took readers behind the scenes to explore the engineering…

Read more
Finance
20 Oct. 2025

41% of top Fintech companies are vulnerable to email phishing

Jack Lilley

Only 26% of leading Fintechs enforce DMARC at p=reject, the strongest protection against spoofing by bad actors. Phishing remains a top driver of breaches and fraud. Financial services are a prime target because email moves money, resets passwords, and confirms identity. Verizon’s 2025 Data Breach Investigations Report again lists social engineering and phishing among…

Read more
Certificates
16 Oct. 2025

New in Certificates Lite: Active certificate scanning and smarter expiry alerts

Francesca Rünger-Field

A quick recap Earlier this year, we launched Red Sift Certificates Lite, the free TLS certificate expiration monitoring service recommended by Let’s Encrypt. Since launch, thousands of organizations have adopted it to track their certificates and avoid expiry-related outages. What we heard from customers At launch, we had adopted Let’s Encrypt’s approach for consistency…

Read more
Red Sift Logo

PLATFORM

The Red Sift Pulse Platform

Internet-scale cybersecurity intelligence meets trusted AI.
OnDMARC

Protect against phishing and BEC attacks.
Brand Trust

Stop brand abuse, fraud and lookalike attacks.
ASM

Continuously discover and manage external-facing and cloud assets.
Certificates

Real-time discovery and seamless monitoring for certificates.

INNOVATION

CUSTOMERS

Resources

Company