How do DKIM replay attacks happen?
DKIM was designed to ensure email integrity. You sign the message, verify that it came from your domain, and trust that no one can tamper with it. But attackers have found a way to turn this mechanism against domain owners through something called a DKIM replay attack. By capturing a legitimately signed message and resending it later, they can make phishing emails appear authentic and easily bypass both DKIM and DMARC checks.
This article explains how DKIM replay attacks actually work, why your signatures can still be reused even when your email setup seems secure, and what practical steps you can take to detect and prevent such attacks in the future.
How are DKIM signatures reused or replayed?
To begin with, cyberattackers get hold of an email that is already signed with a valid DKIM key, usually by subscribing to a public newsletter or intercepting a message sent from the target domain.
Then they copy the DKIM signature and the message content and resend the same email from another server, keeping the original DKIM header intact.
Since the signature still matches the body and the signed headers, receiving mail servers treat the message as legitimate. The reason this works is that DKIM only verifies that the message wasn’t tampered with after it was signed; it doesn’t verify who is actually sending it this time.
As a result, replayed messages pass authentication and land safely in inboxes, often used for phishing or spam campaigns.
This is something that happened with Google as well, when threat actors sent legitimate-looking subpoena-themed phishing emails that even passed Gmail’s verification filters.
Ways to detect DKIM replay attacks
DKIM replay attacks are hard to spot because the emails look completely legitimate, but here is what you can still do:
- Monitor your outgoing email volume regularly. A sudden spike in sent emails or unusual destinations can be an early warning.
- Review DMARC aggregate and forensic reports often to check where your DKIM-signed emails are being delivered.
- Look for DKIM-pass but SPF-fail patterns. This often means someone is reusing your DKIM signature from another source.
Ways to prevent DKIM replay attacks
- Rotate your DKIM keys frequently, ideally every few weeks or months instead of once a year. This limits the time an attacker can misuse an old key.
- Use different DKIM selectors for each service, department, or campaign so that a single compromised selector doesn’t impact all messages.
- Add expiration timestamps in your DKIM headers or email body to ensure replayed emails become invalid after a certain time.
- If your system supports it, enable body hash randomization or one-time signing tokens to prevent attackers from reusing the same DKIM signature.
- Enforce strong SPF and DMARC policies (use p=reject or p=quarantine) to stop spoofed or replayed messages.
- Monitor authentication logs and reports continuously to catch anomalies early and respond quickly.
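As an added example (not code from the original article), the two checks above that a receiving or monitoring system can implement directly: refusing signatures that are expired or older than a local age limit (the expiration point from the prevention list, using the standard t= and x= tags of a DKIM-Signature header), and flagging the DKIM-pass/SPF-fail pattern from the detection list in an Authentication-Results header. The sample headers, domain, selector and timestamps are constructed for the example.

```python
import time
from typing import Optional

# Constructed sample headers for the example; not taken from any real message.
SAMPLE_DKIM_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=newsletter; "
    "h=from:to:subject:date; bh=Zm9vYmFy; t=1700000000; x=1700604800; b=QUJD"
)
SAMPLE_AUTH_RESULTS = (
    "mx.example.net; dkim=pass header.d=example.com header.s=newsletter; "
    "spf=fail smtp.mailfrom=example.com; dmarc=pass"
)

def parse_dkim_tags(header: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (folding whitespace already unfolded)."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def signature_age_check(header: str, now: int, max_age: int = 7 * 86400) -> Optional[str]:
    """Return a reason to refuse the signature as stale, or None if it is still acceptable.

    x= is the signer's own expiration (seconds since epoch); t= is the signing time.
    max_age is a local policy limit applied even when the signer set no x= tag."""
    tags = parse_dkim_tags(header)
    if "x" in tags and now > int(tags["x"]):
        return "signature expired (x= tag)"
    if "t" in tags and now - int(tags["t"]) > max_age:
        return "signature older than local max_age"
    return None

def looks_like_replay(auth_results: str) -> bool:
    """True when DKIM passed but SPF failed: the pattern the article names for reused signatures."""
    results = {}
    for clause in auth_results.split(";")[1:]:  # the first clause is the authserv-id
        clause = clause.strip()
        if not clause:
            continue
        method_result = clause.split()[0]  # e.g. "dkim=pass"
        if "=" in method_result:
            method, result = method_result.split("=", 1)
            results[method] = result
    return results.get("dkim") == "pass" and results.get("spf") == "fail"

if __name__ == "__main__":
    print(signature_age_check(SAMPLE_DKIM_SIG, int(time.time())))
    print(looks_like_replay(SAMPLE_AUTH_RESULTS))
```

Real Authentication-Results headers can carry several dkim= and spf= clauses; the last one parsed wins here, so a production parser should evaluate each clause against the domain it applies to.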
Final words
DKIM replay attacks are a reminder that even trusted email security standards have blind spots. While DKIM helps prove message integrity, it doesn’t always prove message authenticity when reused by attackers. The key is to stay proactive — rotate your keys often, track your domain’s activity through DMARC reports, and enforce strict authentication policies. With a bit of attention and smart configuration, you can close the door on replay attacks before they ever reach your users’ inboxes.