Preventing DKIM replay attacks
Threat actors bypass DKIM authentication checks with the DKIM replay attack technique. This allows them to obtain a copy of a validly signed email and replay it with added or replaced From, To, or Subject headers. Because the original DKIM signature is still valid, the replayed version also passes the DKIM authentication checks. This way, even phishing and spoofing emails land in recipients’ inboxes instead of spam folders.
You can counter this attack vector with the DKIM over-signing method, which adds an extra layer of protection and reduces the likelihood of a valid signature being reused for malicious purposes.
Understanding DKIM over-signing
DKIM over-signing is an email security measure in which specific header names are listed in the signature's h= tag more times than they actually occur in the message, so that any header of that name added in transit breaks the signature instead of slipping in unsigned. This is done to ensure that From, To, and Subject remain protected and unmodified in transit. Receiving servers then verify these headers, establishing the email's integrity and legitimacy.
We suggest that domain owners also use the t= and x= signature tags to add a time element, so that the signature is no longer accepted as valid outside its designated validity period. The expiration time can be set anywhere from a few hours to a month, depending on the provider.
Breakdown of a DKIM replay attack’s process
These are the stages in a standard DKIM replay attack:
DKIM signature leniency
The domain that signs the outgoing message can differ from the ‘From’ domain in the header. So, even if an email claims to be from a specific domain in the ‘From’ header, the DKIM signature can still belong to a different domain.
Verification
When an email server receives an email with a DKIM signature, it checks that the signed parts of the email have not been altered since signing. If the signature is valid, the receiver treats the email as authentic and untampered with.
Exploitation
This is the main stage of the replay attack: the attacker gains control of a mailbox at a domain with a good reputation and exploits that reputation to their advantage. Mail from such domains already enjoys the trust of recipients’ mailboxes, so it does not raise suspicion and easily passes through email security filters.
Sending the initial message
The adversary sends a first email from the compromised domain to a mailbox they control. This email is harmless; its only purpose is to obtain a validly signed copy.
Re-broadcasting
Now the attacker re-sends the recorded email to a different group of recipients, who were never intended by the original sender. Since the email retains its DKIM signature from the high-reputation domain, email servers are more likely to trust it, believing it is legitimate, and it bypasses authentication filters.
Preventing DKIM replay attacks
Oversigning headers
Over-sign key headers such as Date, Subject, From, To, and CC so that malicious actors cannot add or tamper with them.
Setting short expiration times (x=)
Use short signature expiration times to narrow the window in which a captured message can be replayed. New domains, being more exposed, should have even shorter expiration times.
Employing timestamps (t=) and nonces
To further prevent replay attacks, include timestamps and random values (nonces) in email headers or the body, as these values change with each email.
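The following is an added illustration, not code from the original article, of how the over-signing and x= measures above work together. It uses a constructed message and a constructed DKIM-Signature value (bh= and b= are placeholders), and reproduces only the RFC 6376 header-selection and expiry rules, not the RSA signing itself.

```python
import hashlib
import re

# Constructed sample headers, top to bottom as they appear in the message.
ORIGINAL = [("From", "alerts@example.com"), ("To", "customer@example.net"),
            ("Subject", "Your receipt"), ("Date", "Mon, 1 Jan 2024 10:00:00 +0000")]
# Replayed copy: all original headers kept, plus a new Subject prepended on top.
REPLAYED = [("Subject", "Urgent: verify your account")] + ORIGINAL
PLAIN_H = "from:to:subject:date"               # each header name listed once
OVERSIGNED_H = "from:to:subject:subject:date"  # subject listed once more than present
# Constructed DKIM-Signature value; bh= and b= are placeholders, not real values.
SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed; "
       "t=1700000000; x=1700086400; h=" + OVERSIGNED_H + "; bh=PLACEHOLDER; b=PLACEHOLDER")

def parse_dkim_tags(sig_value):
    """Split 'k=v; k=v' into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def covered_headers(headers, h_tag):
    """Each name in h= consumes the last unused instance from the bottom of the
    header block (RFC 6376 s5.4.2); a name with none left binds its absence."""
    remaining, chosen = list(headers), []
    for want in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == want.strip().lower():
                chosen.append(remaining.pop(i))
                break
    return chosen

def header_hash(headers, h_tag):
    """SHA-256 over the relaxed-canonicalized covered headers. Real DKIM also
    hashes the body and the signature header itself; both are omitted here."""
    lines = []
    for name, value in covered_headers(headers, h_tag):
        lines.append(name.lower() + ":" + re.sub(r"\s+", " ", value).strip() + "\r\n")
    return hashlib.sha256("".join(lines).encode()).hexdigest()

def replay_passes(h_tag):
    """True if the replayed copy hashes like the original under this h= list."""
    return header_hash(ORIGINAL, h_tag) == header_hash(REPLAYED, h_tag)

def signature_expired(sig_value, now):
    """A verifier rejects the signature once now (Unix seconds) passes x=."""
    x = parse_dkim_tags(sig_value).get("x")
    return x is not None and now > int(x)
```

With each name listed once, the verifier picks the bottom-most (original) Subject and the prepended one goes uncovered, so the replay still verifies; listing subject twice pulls the added header into the hash and the replay fails.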
Rotating DKIM keys periodically
Regularly rotate DKIM keys and update DNS records to limit the risk of key compromise and replay attacks.
How do you know if you are being attacked?
DKIM replay attacks primarily target Gmail, likely because Google’s spam filtering relies heavily on domain reputation. This makes it an attractive target for manipulation by malicious actors. Other email providers, with less domain-focused filtering, may not be as vulnerable to these specific attacks.
Detecting an attack can be challenging due to the subtle signs of abuse. One effective method is to monitor Google Postmaster Tools for the following indicators:
- A rapid drop in domain reputation for domains used by an email service provider (ESP) to DKIM sign messages.
- The appearance of new, unrelated bad reputation IP addresses.
- A reduction in encryption rates.
- An increase in delivery errors.
The extent of the reputation drop depends on the volume of replay spam being distributed.