---
title: "DKIM replay attacks: Why not all emails should be signed | DuoCircle"
description: "DKIM replay attacks: Why not all emails should be signed."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/email-security/dkim-replay-attacks-why-not-all-emails-should-be-signed/"
---

Quick Answer

A DKIM replay attack works by taking a legitimately signed bulk message (a newsletter, promo, or other generic email), then resending the same signed message to new targets. Because DKIM only proves the content was not modified in transit, the signature stays valid no matter who receives it, and security filters see DKIM=pass. Mass marketing emails are the highest-risk category to sign because their content is generic, archived publicly, and easy for attackers to obtain. Transactional mail (password resets, order confirmations, invoices) should always be DKIM-signed because the content is user-specific and replay value is low. For bulk marketing mail, options include shorter-lived DKIM keys, frequent rotation, and adding per-recipient elements that make replayed copies useless. DKIM should always be combined with SPF and DMARC so alignment checks limit how far an unaligned replay can travel.

DKIM replay attacks: Why not all emails should be signed


[ Download episode](https://media.mailhop.org/duocircle/images/2025/05/DKIM-replay-attacks-Why-not-all-emails-should-be-signed.mp3) 


![DKIM replay attack](https://media.mailhop.org/duocircle/images/2025/05/spf-validator-9076.jpg) 

Attackers often outsmart the [cybersecurity](/) custodians, and a DKIM replay attack is one such technique: it lets them deliver fraudulent emails that carry a valid DKIM signature they never had to produce themselves.

In a DKIM replay attack, a cybercriminal takes a [legitimate email](https://www.trendmicro.com/vinfo/us/security/definition/legitimate-bulk-emails) that was properly signed with DKIM, such as a newsletter or promo email, and resends it repeatedly to different people. Since the DKIM signature is valid and the message is untampered, the replayed emails pass through **DKIM security filters** and land in the inboxes of the targeted recipients. This leads to successful phishing, spoofing, and [BEC attacks](https://www.bleepingcomputer.com/news/security/hackers-impersonate-us-government-agencies-in-bec-attacks/).

A DKIM replay attack is so stealthy and convincing that even [Google](https://thehackernews.com/2025/04/phishers-exploit-google-sites-and-dkim.html) wasn’t immune to being **exploited in April 2025**.

That’s exactly why it’s advisable to limit the use of [DKIM signatures](https://docs.mapp.com/docs/dkim-signature), especially for general marketing emails. 

## Why are general marketing emails prime targets?

Marketing emails such as newsletters, announcements, and event invites reach many recipients and usually lack user-specific content. Because they are archived online or sit in countless inboxes, cyberattackers can obtain them easily. 

[![marketing emails ](https://media.mailhop.org/duocircle/images/2025/05/spf-record-1111.jpg)](https://media.mailhop.org/duocircle/images/2025/05/spf-record-1111.jpg)

_When these emails are signed with DKIM, the signature only proves that nobody tampered with the email content in transit_. DKIM includes no check that whoever is delivering the message is the party that originally sent it, and this is what [malicious attackers](https://cyberscoop.com/deepseek-website-malicious-attack-ai-china/) take advantage of.

If they get their hands on an email with a valid DKIM signature, they resend it to multiple people. Since the content is identical for every recipient, **security systems** find nothing faulty or suspicious. 

## What should be DKIM signed vs what shouldn’t?

When deploying DKIM, it’s important to consider which categories of email should be signed. Signing every **outgoing email** can backfire. Here’s what to consider:

[![Unmasking DKIM Replay Attacks](https://media.mailhop.org/duocircle/images/2025/05/spf-permerror-9043.jpg)](https://media.mailhop.org/duocircle/images/2025/05/spf-permerror-9043.jpg)

### Always sign transactional emails

Transactional emails, like password resets, order confirmations, account activity alerts, and invoices, should absolutely be DKIM-signed. These kinds of messages contain sensitive details, and if they get tampered with in transit, they can lead to grave cyberattacks. Moreover, these messages have unique, **user-specific details**, so there is a far lower possibility that a threat actor will abuse them for [DKIM replay attacks](https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/).

### Reconsider signing mass marketing emails

**Mass marketing emails**, like newsletters or promos, are a bit tricky. They’re sent to everyone, have generic content, and are easy to find. If you DKIM-sign them, you’re basically giving attackers a green light to reuse that signature. They can resend the same email to others, and it still passes as legitimate. Since the email isn’t personalized, [spam filters](https://www.techtarget.com/searchsecurity/definition/spam-filter) don’t catch anything fishy.

So, don’t just sign every email by default. For bulk marketing emails, either skip [DKIM](/resources/what-is-dkim) or use short-term keys. Better yet, add user-specific details or one-time links to make replay attacks harder.
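The following is an added illustration, not code from this article or any DKIM library: a simplified DKIM-style signer and verifier that shows why a byte-identical replay to a new envelope recipient still passes, and how the two countermeasures above (short-lived signatures via the standard `x=` expiration tag, which also matches the "shorter validity" advice in the next section, and per-recipient one-time links) leave a captured copy unusable. HMAC over a shared key stands in for the RSA/Ed25519 signature real DKIM uses; the canonicalization is a trimmed-down version of DKIM "relaxed" mode, and all message data is constructed.

```python
import hashlib
import hmac
import time
# Constructed illustration, not the article's or any library's code. Real DKIM
# (RFC 6376) signs canonicalized headers and body with RSA or Ed25519; HMAC over
# a shared key stands in for the public-key signature so this runs on stdlib only.

def _canon_headers(headers, names):
    """Relaxed-style canonicalization: lowercase name, collapsed whitespace."""
    return "".join(f"{n.lower()}:{' '.join(headers.get(n, '').split())}\r\n"
                   for n in names)

def _body_hash(body):
    return hashlib.sha256((body.rstrip("\r\n") + "\r\n").encode()).hexdigest()

def _sig_data(headers, sig):
    tags = ";".join(f"{k}={v}" for k, v in sig.items() if k != "b")
    return _canon_headers(headers, sig["h"].split(":")) + "dkim-signature:" + tags

def sign(headers, body, signed_names, key, expires=None):
    """Covers only the h= headers and the body; RCPT TO is never signed."""
    sig = {"h": ":".join(signed_names), "bh": _body_hash(body)}
    if expires is not None:
        sig["x"] = str(expires)  # x= tag: signature expiration (Unix time)
    sig["b"] = hmac.new(key, _sig_data(headers, sig).encode(), hashlib.sha256).hexdigest()
    return sig

def verify(headers, body, sig, key, now=None):
    """Return (passed, reason). Nothing here checks who actually received the mail."""
    now = time.time() if now is None else now
    if "x" in sig and now > int(sig["x"]):
        return False, "signature expired"
    if _body_hash(body) != sig["bh"]:
        return False, "body hash mismatch"
    expected = hmac.new(key, _sig_data(headers, sig).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig["b"]):
        return False, "header signature mismatch"
    return True, "pass"

KEY = b"demo-selector-key"  # stand-in for the selector's private key (constructed)
HDRS = {"From": "news@example.com", "Subject": "May deals", "To": "alice@example.org"}
BODY = "Hello reader,\r\nOur May deals are live.\r\n"
H = ["From", "Subject", "To"]

def demo():
    """Replay passes; x= expiry and a per-recipient one-time link each defeat it."""
    generic = sign(HDRS, BODY, H, KEY)
    replay = verify(HDRS, BODY, generic, KEY)[1]       # new RCPT TO, same bytes
    short_lived = sign(HDRS, BODY, H, KEY, expires=1_000)
    expired = verify(HDRS, BODY, short_lived, KEY, now=2_000)[1]
    personal = BODY + "Your one-time link: https://example.com/r/alice-token\r\n"
    personal_sig = sign(HDRS, personal, H, KEY)
    retargeted = verify(HDRS, personal.replace("alice", "bob"), personal_sig, KEY)[1]
    return {"replay": replay, "expired": expired, "retargeted": retargeted}
```

An unmodified replay of the personalised message still verifies, but it carries Alice's one-time link, which is worthless to any other recipient; the moment the attacker edits it to retarget someone else, the body hash no longer matches.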

## Mitigating DKIM replay risks

Following the [best practices for using, managing, and storing DKIM keys](/email-security/best-practices-to-follow-for-managing-dkim-keys/) helps you ward off most DKIM-oriented attacks. Start by using longer keys with **shorter validity, and rotate** them frequently; this ensures that even if your keys are stolen, an attacker can’t keep abusing them for long. 

Moreover, don’t use DKIM in isolation; use it in tandem with SPF and [DMARC](/resources/what-is-dmarc). SPF helps **verify the sender’s legitimacy**, while DMARC instructs receiving [mail servers](https://www.activecampaign.com/glossary/mail-server) to quarantine or reject potentially fraudulent messages sent by anyone impersonating your domain.

If you want our help deploying and managing [SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/), DKIM, and DMARC, [reach out to us](/contact). We have a **team of experts** ready to defend your [email infrastructure](https://www.voilanorbert.com/blog/email-infrastructure/).

## Topics

cyber security, DKIM, DMARC, email marketing, Security, spf

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

