---
title: "Preventing DKIM replay attacks | DuoCircle"
description: "https://media.mailhop.org/duocircle/images/2024/07/Preventing-DKIM-replay-attacks.mp3 Threat actors bypass DKIM authentication checks with the DKIM replay attack technique."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/email-security/preventing-dkim-replay-attacks/"
---

Quick Answer

A DKIM replay attack captures a validly DKIM-signed message and resends it with new From, To, or Subject headers. Because the original signature is intact, recipient servers treat the replayed message as authenticated, so phishing or spoofing reaches inboxes instead of spam folders. The attack chain: leverage DKIM's tolerance for the signing domain differing from the From domain, take over a high-reputation mailbox, send an innocuous initial message, then re-broadcast the recorded copy to new recipients while preserving the signature. Defenses for domain owners: oversign critical headers (Date, Subject, From, To, CC), set a short DKIM expiration via the x= tag, include t= timestamps and nonces, and rotate DKIM keys regularly. Replay attacks primarily target Gmail because Google's filtering leans on domain reputation. Detect via Google Postmaster Tools: drops in domain reputation for ESP-signing domains, new bad-reputation IPs, lower encryption rates, and rising delivery errors.

Preventing DKIM replay attacks


![replay attacks](https://media.mailhop.org/duocircle/images/2024/07/spf-validator-7765.jpg) 

Threat actors bypass DKIM authentication checks with the [DKIM replay attack](/email-security/dkim-replay-attack-a-new-cyberthreat/) technique. This allows them to obtain a copy of a validly signed email and replay it with added or replaced **From, To, or Subject headers**. Because the original DKIM signature is still valid, the replayed version also passes the [DKIM authentication](/resources/dkim-validation) checks. This way, even phishing and spoofing emails land in the recipients’ inboxes instead of spam folders.

You can deal with this new [email attack](https://www.darkreading.com/threat-intelligence/20-million-trusted-domains-vulnerable-to-email-hosting-exploits) vector using the **DKIM over-signing method**, which adds an extra layer of security and minimizes the likelihood of a valid signature being exploited for malicious purposes. 

## Understanding DKIM over-signing

_DKIM over-signing is an [email security](/) measure in which specific headers are **signed more times than they occur in the message** (the header name is listed in the signature's h= tag once more than it is present), so that a threat actor cannot add an instance of that header in transit and resend the message with new content._ This keeps From, To, and Subject protected and unmodified in transit. The headers are then verified at several points, establishing email integrity and legitimacy. 

_We suggest that domain owners use the **t= and x= tags** of the DKIM-Signature header to add a time element that prevents the email from being treated as valid outside its designated validity period._ You can set the **expiration time** anywhere from a few hours to a month; the available range depends on the provider. 

## Breakdown of a DKIM replay attack’s process

These are the stages in a standard [DKIM](/resources/what-is-dkim) replay attack:

### DKIM signature leniency

The domain that signs the outgoing message can **differ from the ‘From’ domain** in the header. So, if an email claims to be from a specific domain in the [‘From’ header](https://proton.me/blog/what-are-email-headers), the DKIM signature can be linked to a different domain.

### Verification

When an email server receives an email with a [DKIM signature](https://support.globalcerts.net/portal/en/kb/articles/dkim-signatures), it checks to ensure the email hasn’t been altered since being sent. If the **signature is valid**, it confirms the email is authentic and untampered with.

### Exploitation

This is the main stage of the replay attack, as the hacker takes over or [hacks into a mailbox](https://gbhackers.com/new-azure-hacking-campaign/), exploiting the **domain’s good reputation** to their advantage. These domains win the trust of recipients’ mailboxes and hence don’t raise suspicion, easily bypassing all email security filters. 

### Sending the initial message

The adversary sends the first email from the exploited domain to a mailbox they control. **This email is harmless**.

### Re-broadcasting

Now, the attacker can **re-send the recorded email** to a different group of recipients, often not intended by the original sender. Since the email retains its DKIM signature from the [high-reputation domain](https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/), email servers are likelier to trust it, believing it’s legitimate and **bypassing authentication filters**.

[![malicious actors](https://media.mailhop.org/duocircle/images/2024/07/spf-permerror-7765.jpg)](/email-security/preventing-dkim-replay-attacks/attachment/spf-permerror-7765)

## Preventing DKIM replay attacks

### Oversigning headers

_Sign key headers like **Date, Subject, From, To, and CC** to prevent tampering by [malicious actors](https://www.securitymagazine.com/articles/100699-malicious-actors-are-cat-phishing-targets-in-order-to-spread-malware)._

### Setting short expiration times (x=)

**Use short expiration times** to reduce the chance of replay attacks. Due to their higher [vulnerability](/email-security/unpatched-dogwalk-a-new-microsoft-zero-day-vulnerability/), new domains should have even shorter expiration times.

### Employing timestamps (t=) and nonces

To prevent replay attacks, include **timestamps and random numbers** (nonces) in [email headers](/email-hosting/what-is-dkim-and-why-you-should-use-it-to-secure-your-email/) or body, as these values change with each email.

### Rotating DKIM keys periodically

Regularly [rotate DKIM keys](https://o365info.com/rotate-dkim-keys/) and update [DNS records](/data-privacy/dns-record-types-defined-and-explained/) to **limit the risk of key compromise** and replay attacks.
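As an added example (not code from the original post or from DuoCircle), the following Python checks a DKIM-Signature header against a message's headers for two of the defenses above: whether the critical headers are oversigned in h= so that an added instance would break the signature, and whether the x= expiration has passed. The header values, timestamps and signature strings are constructed samples; bh= and b= are placeholders.

```python
import re
import time

# Headers the post says a replayed message is most likely to add or replace.
CRITICAL_HEADERS = ("from", "to", "cc", "subject", "date")

# Constructed sample: one instance each of From, To, Subject, Date; no CC.
SAMPLE_HEADERS = [("From", "news@example.com"), ("To", "victim@example.org"),
                  ("Subject", "Hello"), ("Date", "Fri, 19 Jul 2024 15:41:04 +0000")]

# Constructed signatures (bh= and b= are placeholders, not real values).
WEAK_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed; "
            "h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER")
HARDENED_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed; "
                "h=from:from:to:to:cc:subject:subject:date:date; "
                "t=1721403664; x=1721490064; bh=PLACEHOLDER; b=PLACEHOLDER")


def parse_dkim_tags(sig_header: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (whitespace removed)."""
    tags = {}
    for part in sig_header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def oversign_gaps(sig_header: str, headers) -> list:
    """Return the critical headers an attacker could still ADD without breaking
    the signature. Per RFC 6376 each name in h= binds one header instance
    (bottom-up), and a name listed beyond the instances present binds an empty
    value, so a later-added instance changes the signed input."""
    h_list = [h.lower() for h in parse_dkim_tags(sig_header).get("h", "").split(":") if h]
    present = {}
    for name, _ in headers:
        present[name.lower()] = present.get(name.lower(), 0) + 1
    return [name for name in CRITICAL_HEADERS
            if h_list.count(name) <= present.get(name, 0)]


def signature_expired(sig_header: str, now=None) -> bool:
    """True when the x= expiry has passed; a signature without x= never expires,
    which is exactly what lets a captured message be replayed much later."""
    tags = parse_dkim_tags(sig_header)
    if "x" not in tags:
        return False
    now = int(time.time()) if now is None else now
    return now > int(tags["x"])


if __name__ == "__main__":
    for label, sig in (("weak", WEAK_SIG), ("hardened", HARDENED_SIG)):
        print(label, "addable headers:", oversign_gaps(sig, SAMPLE_HEADERS),
              "expired a week later:", signature_expired(sig, now=1721403664 + 7 * 86400))
```

Note that the hardened signature lists cc once even though the message has no CC header: that single listing binds an empty value, so a CC header added by a replayer still invalidates the signature.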

## How do you know if you are being attacked?

_DKIM replay attacks are **primarily targeting Gmail**, likely because [Google’s spam filtering](https://support.google.com/a/answer/2368132) relies heavily on domain reputation._ This makes it an attractive target for manipulation by malicious actors. Other email providers, with less [domain-focused filtering](https://help.brand24.com/en/articles/8529841-domain-filter), may not be as vulnerable to these specific attacks.

[![domain reputation](https://media.mailhop.org/duocircle/images/2024/07/DMARC-report-service-4.jpg)](https://media.mailhop.org/duocircle/images/2024/07/DMARC-report-service-4.jpg)

Detecting an attack can be challenging due to the **subtle signs of abuse**. One effective method is to monitor [Google Postmaster](https://gmail.com/postmaster/) Tools for the following indicators:

- _A **rapid drop in domain reputation** for domains used by an ESP to DKIM sign messages._
- The appearance of new, unrelated [bad reputation IP addresses](https://luxsci.com/blog/how-do-i-fix-the-reputation-of-my-ip-address.html).
- A reduction in [encryption rates](https://kebs.ai/psapedia/what-is-data-encryption-rate/).
- An **increase in delivery errors**.

_The extent of the reputation drop depends on the volume of [replay spam](https://www.securityweek.com/domains-once-owned-by-major-firms-help-millions-of-spam-emails-bypass-security/) being distributed._

## Topics

DKIM, email security, Updates

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

