---
title: "How do DKIM replay attacks happen? | DuoCircle"
description: "DKIM replay attacks reuse a legitimately signed message to spoof your domain at scale. Here's how attackers do it and the defenses that actually work."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/email-security/how-do-dkim-replay-attacks-happen/"
---

Quick Answer

A DKIM replay attack reuses a legitimately signed message to send phishing or spam from a different server. The attacker captures a real message signed by the target domain, often by subscribing to a newsletter or intercepting one, then resends the same body and DKIM-Signature header from new infrastructure. Because DKIM only verifies that headers and body match what was signed, the signature still validates and the message passes authentication, even though SPF for the new sender often fails. To detect this, watch for DKIM-pass with SPF-fail patterns in DMARC reports and unusual sending volume spikes. To prevent it, rotate DKIM keys every few weeks, use separate selectors per service or campaign, add expiration timestamps where supported, and enforce DMARC at p=quarantine or p=reject.

How do DKIM replay attacks happen?

[ Download episode](https://media.mailhop.org/duocircle/images/2025/10/How-do-DKIM-replay-attacks-happen.mp3) 


![DKIM replay attacks](https://media.mailhop.org/duocircle/images/2025/10/smtp-relay-6780.jpg) 

DKIM was designed to **ensure email integrity**. You sign the message, verify that it came from your domain, and trust that no one can tamper with it. But attackers have found a way to turn this mechanism against domain owners through something called a [DKIM replay attack](https://thehackernews.com/2025/04/phishers-exploit-google-sites-and-dkim.html). By capturing a legitimately signed message and resending it later, they can make phishing emails appear authentic and easily bypass both [DKIM](/resources/what-is-dkim) and DMARC checks.

This article explains how DKIM replay attacks actually work, why your signatures can still be reused even when your **email setup seems secure**, and what practical steps you can take to detect and prevent such attacks in the future.

## How are DKIM signatures reused or replayed?

To begin with, [cyberattackers](https://www.darkreading.com/cyberattacks-data-breaches/cyberattackers-target-lastpass-password-managers) get hold of an email that is already signed with a valid DKIM key, usually by subscribing to a public newsletter or intercepting a message sent from the target domain. 

[![cyberattackers](https://media.mailhop.org/duocircle/images/2025/10/spf-record-4501.jpg)](https://media.mailhop.org/duocircle/images/2025/10/spf-record-4501.jpg)

_They then copy the DKIM signature and the message content and resend the same email from another server_, keeping the original DKIM-Signature header intact.

Since the signature still matches the **body and headers**, receiving mail servers treat the message as legitimate. This works because [DKIM](/resources/what-is-dkim) only verifies that the signed headers and body were not altered after signing; it says nothing about who is transmitting the message now, or from where.

As a result, replayed messages pass authentication and land safely in inboxes, often used for [phishing or spam campaigns](https://hackread.com/ongoing-phishing-campaign-targets-employees/).

This is something that happened with [Google](https://thehackernews.com/2025/04/phishers-exploit-google-sites-and-dkim.html) as well, when threat actors sent legitimate-looking subpoena-themed phishing emails that even passed Gmail’s verification filters. 

## Ways to detect DKIM replay attacks

DKIM replay attacks are hard to spot because the emails look completely legitimate, but here is what you can still do:

- Monitor your outgoing email volume regularly. A sudden spike in sent emails or unusual destinations can be an early warning.
- Review [DMARC aggregate and forensic reports](/resources/dmarc-aggregate-report) often to check where your **DKIM-signed emails** are being delivered.
- Look for DKIM-pass but SPF-fail patterns. This often means someone is reusing your [DKIM signature](https://docs.mapp.com/docs/dkim-signature) from another source.
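As an added example (not code from the original article), the DKIM-pass/SPF-fail check from the list above run in Python over a constructed DMARC aggregate (RUA) report; the source IPs, the selector name and the 192.0.2.0/24 "own senders" range are assumed sample values:

```python
"""Flag possible DKIM replay rows in a DMARC aggregate (RUA) report.
Replayed mail keeps its original DKIM signature (DKIM=pass) but leaves
infrastructure the domain owner does not control (SPF=fail, unknown IP)."""
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed sample report; 192.0.2.0/24 stands in for the domain's own senders.
SAMPLE_RUA = """<feedback>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <auth_results><dkim><selector>s1</selector><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>48000</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results><dkim><selector>s1</selector><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results><dkim><selector>s1</selector><result>fail</result></dkim></auth_results>
  </record>
</feedback>"""

OWN_RANGES = [ip_network("192.0.2.0/24")]


def find_replay_suspects(rua_xml, own_ranges=OWN_RANGES, min_count=100):
    """Return (source_ip, count, selector) for rows where DKIM passed but SPF
    failed, the IP is outside own_ranges, and at least min_count were sent.
    Plain spoofs (DKIM=fail) are left out: those are a different signal."""
    suspects = []
    for rec in ET.fromstring(rua_xml).iter("record"):
        row = rec.find("row")
        ip = ip_address(row.findtext("source_ip"))
        count = int(row.findtext("count", "0"))
        dkim_ok = row.findtext("policy_evaluated/dkim") == "pass"
        spf_ok = row.findtext("policy_evaluated/spf") == "pass"
        if dkim_ok and not spf_ok and count >= min_count \
                and not any(ip in net for net in own_ranges):
            selector = rec.findtext("auth_results/dkim/selector")
            suspects.append((str(ip), count, selector))
    return suspects


if __name__ == "__main__":
    for ip, count, sel in find_replay_suspects(SAMPLE_RUA):
        print(f"possible replay: {count} msgs from {ip}, selector {sel}")
```

The selector in each flagged row tells you which key to retire first; on real reports with many rows, group by selector and source IP before alerting.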

## Ways to prevent DKIM replay attacks

- Rotate your DKIM keys frequently, ideally every **few weeks or months** instead of once a year. This limits the time an attacker can misuse an old key.
- Use different [DKIM selectors](/resources/what-is-dkim-selector) for each service, department, or campaign so that a single compromised selector doesn’t impact all messages.
- Add expiration timestamps in your DKIM headers or email body to ensure replayed emails become invalid after a certain time.
- If your system supports it, enable body hash randomization or one-time signing tokens to prevent attackers from reusing the same DKIM signature.
- Enforce strong SPF and DMARC policies (use p=reject or p=quarantine) to stop [spoofed or replayed messages](https://www.malwarebytes.com/blog/news/2025/04/all-gmail-users-at-risk-by-clever-replay-attack).
- Monitor authentication logs and reports continuously to catch anomalies early and respond quickly.
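An added example (not from the article) of the expiration step in the list above, seen from the verifying side: it parses the t= (signing time) and x= (expiry) tags of a DKIM-Signature header as defined in RFC 6376 section 3.5 and reports whether a message that still verifies cryptographically is past its stated lifetime. The header is constructed; its bh= and b= values are placeholders, and the 7-day max_age default is an assumed local policy.

```python
"""Check a DKIM-Signature header's time tags before trusting a verified
signature. A replayed message keeps its original header, so t= and x=
reveal its real age even though the cryptographic check still passes."""
import time

# Constructed header, not a real key or message; bh= and b= are placeholders.
# t=1735689600 is 2025-01-01 00:00 UTC, x= is one day later.
REPLAYED_HEADER = (
    "v=1; a=rsa-sha256; d=example.com; s=s1; t=1735689600; x=1735776000; "
    "h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER="
)


def parse_dkim_tags(header):
    """Split 'tag=value; ...' into a dict; values may themselves contain '='
    (bh=, b=), so split on the first '=' only and drop folding whitespace."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def signature_time_status(header, now=None, max_age=7 * 86400):
    """Return 'expired' if x= has passed, 'future' if t= is ahead of now,
    'stale' if the signature is older than max_age (sender set no x= or a
    generous one), else 'ok'. A missing t= or x= simply skips that check."""
    now = time.time() if now is None else now
    tags = parse_dkim_tags(header)
    signed_at = int(tags["t"]) if "t" in tags else None
    expires_at = int(tags["x"]) if "x" in tags else None
    if expires_at is not None and now > expires_at:
        return "expired"
    if signed_at is not None and signed_at > now + 300:  # 5 min clock skew
        return "future"
    if signed_at is not None and now - signed_at > max_age:
        return "stale"
    return "ok"


if __name__ == "__main__":
    # Same header, checked within its window and then weeks later.
    print(signature_time_status(REPLAYED_HEADER, now=1735700000))  # ok
    print(signature_time_status(REPLAYED_HEADER, now=1738000000))  # expired
```

RFC 6376 only says a verifier MAY treat an expired signature as invalid, so set x= on everything you sign but rely on it as one layer alongside key rotation and DMARC enforcement.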

[![Stop Spoofed or Replayed Messages](https://media.mailhop.org/duocircle/images/2025/10/sendgrid-alternative-5602.jpg)](https://media.mailhop.org/duocircle/images/2025/10/sendgrid-alternative-5602.jpg)

## Final words

DKIM replay attacks are a reminder that even trusted [email security](/) standards have blind spots. _While DKIM helps prove message integrity, it doesn’t always prove message authenticity when reused by attackers_. The key is to stay proactive, rotate your keys often, track your domain’s activity through [DMARC reports](/content/dmarc-report), and enforce strict authentication policies. With a bit of **attention and smart configuration**, you can close the door on replay attacks before they ever reach your users’ inboxes.

## Topics

DKIM, DMARC, email security, Security, spf

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

