Email authentication isn’t just an IT concern. It protects your brand and customers. A single misstep can let attackers spoof your domain, send phishing emails, and destroy customer trust. One of the most dangerous methods? The DKIM replay attack.
In this post, we’ll break down how undersigned DKIM signatures and related misconfigurations open your domain to abuse, and what you can do to stop it.
What is a DKIM replay attack?
DKIM (DomainKeys Identified Mail) signs outgoing email headers and body using public/private key cryptography. Receiving servers verify the DKIM signature by checking your DNS-published public key. If valid, the email is authenticated.
However, DKIM only verifies that the signed content hasn’t changed, not who sent it. Enter Domain-based Message Authentication, Reporting & Conformance (DMARC), which requires the visible “From” domain to align with either the DKIM signing domain (the d= tag) or the Return-Path domain that the Sender Policy Framework (SPF) validates. So if DKIM passes and aligns, DMARC passes, regardless of what SPF says.
A DKIM replay attack abuses this. An attacker captures one valid DKIM-signed email and resends it, often with modifications. Because the signature is valid and aligned, receiving servers accept the message. Your brand gets blamed.
Why it’s hard to detect
DKIM has no concept of delivery history. If a valid signature is replayed to new recipients, it still verifies. Traditional protections, DMARC included, will not stop it, because the replayed message still passes DKIM authentication; that is exactly why attackers seek out signatures with these weaknesses. Many spam filters will initially trust the email, especially if your domain has a good reputation.
By the time complaints surface, your domain may already be flagged. Trust erodes. Spam filters get aggressive. Real emails land in junk folders. Your customers lose faith.
Undersigned DKIM: Your first weak point
One of the most common DKIM mistakes is undersigning—when the signature doesn’t cover enough of the email. DKIM lets you choose which headers and how much of the body to sign. If you don’t sign enough, attackers can tamper with the rest and still pass DKIM checks.
Two ways this happens:
1. Skipping key headers: The h= tag in the DKIM signature lists which headers are signed. If you only sign a few—like From, Date, and Message-ID—you leave others, like Subject or To, unprotected. That gives attackers room to change the subject line or redirect the message to other recipients without breaking the signature.
2. Using the l= tag (partial body signing): The l= tag tells receivers to validate only the first part of the email body. That means attackers can append malicious content after the signed portion—spam, phishing links, or fake replies—and the message still passes DKIM.
Undersigning makes it easy to replay and manipulate your emails. Always sign the full message body and all critical headers to shut down this vulnerability.
Weak vs. Strong DKIM Signing: Let’s look at two DKIM-Signature header examples.
- Undersigned Example: Only a few headers are signed, and a body length limit is used:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail; c=relaxed/relaxed; h=message-id:date:from; bh=...; l=1024; b=...
What’s happening? Here the signer included only the Message-ID, Date, and From headers in h=. The Subject header is absent, meaning it’s not protected. The l=1024 means only the first 1024 bytes of the body are signed. An attacker who obtains this email could replay it and:
- Change the Subject line or add a fraudulent header (like a fake Reply-To) without affecting the DKIM check.
- Append new content after 1024 bytes in the body—potentially adding a malicious URL or an entire new message—while the original signature (covering the first part of the body) still validates.
In this scenario, the attacker only needs to keep the signed fields identical to the original (Message-ID, Date, From, and the first 1024 bytes of the body) to retain a valid DKIM signature. Everything else can be forged freely.
- Fully (Over)signed Example: Important headers are double-signed and no body length limit is used:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=secure; c=relaxed/relaxed; h=from:subject:date:to:cc:message-id:from:subject:date:to:cc:message-id; bh=...; b=...
In this example, the sender oversigned headers—adding each key field (like Subject, From, Date) twice in the DKIM h= tag. This tells verifiers: “These are the only versions of these headers—don’t allow any others.” If someone tries to sneak in a new Subject header, DKIM fails. No l= tag is used either, so the entire message body is signed—nothing can be added without breaking the signature.
Many providers, like Gmail, already do this. But some systems still undersign by default. As an admin, double-check your setup. Make sure all critical headers are signed, the full body is covered, and ask your ESP directly: Do you oversign headers? Do you use the l= tag? If they can’t give a clear answer, that’s a red flag.
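To turn the two headers above into a repeatable check, here is an added example in Python (it is not code from the original post or from Red Sift). It assumes the critical-header list from this post and flags headers missing from h=, headers listed only once (not oversigned), and any l= tag; the sample headers are constructed from the two examples just discussed.

```python
import re

# Headers this post says should be signed and then oversigned (assumption: this list).
CRITICAL_HEADERS = ["from", "to", "subject", "date", "cc", "message-id", "reply-to"]

# Sample headers constructed from the undersigned and oversigned examples above.
WEAK_EXAMPLE = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail; c=relaxed/relaxed; "
                "h=message-id:date:from; bh=...; l=1024; b=...")
STRONG_EXAMPLE = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=secure; c=relaxed/relaxed; "
                  "h=from:subject:date:to:cc:message-id:from:subject:date:to:cc:message-id; bh=...; b=...")


def parse_dkim_signature(header):
    """Split a DKIM-Signature header into a tag -> value dict (folding whitespace stripped)."""
    value = header.split(":", 1)[1] if header.lower().startswith("dkim-signature:") else header
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        key, _, val = part.partition("=")
        tags[key.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def audit_dkim_signature(header):
    """Return findings for unsigned headers, non-oversigned headers and partial body signing."""
    tags = parse_dkim_signature(header)
    signed = [name.lower() for name in tags.get("h", "").split(":") if name]
    counts = {}
    for name in signed:
        counts[name] = counts.get(name, 0) + 1
    findings = []
    for name in CRITICAL_HEADERS:
        n = counts.get(name, 0)
        if n == 0:
            findings.append(f"unsigned header: {name}")
        elif n == 1:
            # Listed once: an extra copy of this header would not break the signature.
            findings.append(f"not oversigned: {name}")
    if "l" in tags:
        findings.append(f"partial body signing: l={tags['l']} (body beyond that length is unsigned)")
    return findings


if __name__ == "__main__":
    for label, hdr in (("undersigned", WEAK_EXAMPLE), ("oversigned", STRONG_EXAMPLE)):
        print(label, "->", audit_dkim_signature(hdr) or ["no findings"])
```

Run against the two headers, the undersigned one yields eight findings while the oversigned one yields a single one: Reply-To is not in its h= list, which is worth noticing since Reply-To is on this post's own list of headers to cover.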
Other misconfigurations that invite abuse
1. Long-lived keys: Never rotating keys means signatures remain valid indefinitely. Rotate DKIM keys at least annually. Use 2048-bit keys and, where possible, set an expiration time on each signature with the x= tag.
2. Overused selectors: Avoid using the same DKIM key across all systems; if one gets compromised, attackers can sign mail for your entire domain. Use separate selectors for different mail streams and services to contain risk. Set the t=s flag on the key’s DNS record so the key cannot be used to sign for subdomains it shouldn’t cover.
3. Wildcard DKIM records: Avoid wildcard TXT records that could include DKIM keys. They could confuse verifiers and can be exploited to apply keys where none should exist.
How DKIM replay attacks happen
- Steal a signed email: Attackers start by getting a legitimate DKIM-signed email from a high reputation domain to an account they control. They might phish a user, abuse a trial account, or exploit a public mailing list—anything that gets them one signed message.
- Modify what’s not protected: Once they have the email, they prep it for replay. If your DKIM signature didn’t cover headers like Subject or To, or used the l= tag to partially sign the body, attackers can tweak the message—change the subject, add malicious content, or redirect replies—without breaking the DKIM signature.
- Blast it out: They then send that modified email to thousands using their own servers. SPF fails (because the IPs aren’t yours), but DKIM still passes and aligns with your domain. That’s enough for DMARC to approve it.
- Slip past filters: At first, spam filters trust your domain and deliver the messages. If the content is subtle and the volume doesn’t immediately raise alarms, those emails land in inboxes—possibly even showing your BIMI logo for added legitimacy.
- Reputation damage: Eventually, filters catch on. But by then, it’s too late. Your domain reputation is hit. Real users flag your brand as spammy, and future emails could land in junk. One attack can ruin years of sender trust.
Replay attacks don’t require breaking DKIM encryption—they just exploit weak setups and the fact that a signed email can be reused. That’s why tightening your DKIM configuration is critical.
Lessons from real examples
In 2023, Proton Mail faced a DKIM replay attack. Attackers replayed a spam message signed by Proton’s DKIM key to Gmail users. It passed DKIM, DMARC, and even showed Proton’s BIMI logo.
The fix? Proton Mail rotated their DKIM keys, invalidating the replayed messages. They also used header oversigning to stop future tampering. Gmail eventually adjusted filters, but not before damaging Proton Mail’s reputation.
In 2024, researchers at Zone.eu showed how easy it is to exploit undersigned DKIM setups. They modified real DKIM-signed emails from Fortune 500 companies by adding new MIME content—thanks to unsigned headers and partial body signing. The forged emails passed DKIM and DMARC, displayed verified BIMI logos, and landed in inboxes undetected. This wasn’t sloppy security—it was a protocol gap.
DKIM replay attacks aren’t just theory—they’re happening now. Spamhaus and others have spotted attackers signing emails through platforms like Microsoft 365, then blasting them from rogue servers. Since the DKIM signature is valid, the emails get through—abusing your brand’s reputation. Experts warn this threat is rising fast, and current defenses aren’t enough. The solution starts with stronger DKIM configurations.
How to stay protected
- Sign all critical headers, and then oversign them: Oversign headers to prevent header injection. Cover: From, To, Subject, Date, Cc, Message-ID, and Reply-To.
- Avoid l= tag in body signing: Always sign the full message body. Don’t leave room for attackers to append malicious content.
- Use strong, rotating keys: Move to 2048-bit RSA keys. Rotate them annually. Remove old keys from DNS.
- Isolate selectors: Use different selectors for different mail streams (marketing vs. transactional).
- Protect your unused domains: Publish p=reject on unused domains right away.
- Monitor your domain’s email traffic: Use DMARC aggregate reports to track anomalies. Tools like Red Sift Investigate and OnDMARC simplify this. If you are an email provider, consider adding an identifier into your keys for high risk pools and monitor them using DMARC reports.
- Secure user accounts and mail servers: Enforce MFA, monitor for anomalies, and limit outbound volumes to spot abuse early.
Use Red Sift to stay ahead
Managing DKIM can feel overwhelming, but Red Sift makes it simple. Start with Investigate, a free tool that scans your email headers and DNS for common misconfigurations.
Use it as a quick health check for your email setup. You’ll get insights into DKIM, SPF, and DMARC in one report, and spot issues like permissive policies or missing records fast.
Want ongoing protection? Red Sift OnDMARC builds on this with continuous monitoring and actionable guidance—so you can stay ahead of misconfigurations and block replay attacks before they damage your reputation.