Summary
DKIM replay attacks are characterized by sudden spikes in email volume (especially from unfamiliar IPs), increased DMARC failure reports, rising bounce rates, and potentially resending legitimate emails with malicious content. Detection is difficult as valid signatures are replayed. Check Google Postmaster Tools for 5-10x normal volume increases. Compromised accounts exhibit unusual sending patterns, unauthorized login locations, password changes, new forwarding rules (particularly external), and changes to account settings. Audit logs should be monitored. Mitigation involves implementing MFA, auditing account activity, using short signature validity, monitoring failed SPF checks, employing geo-filtering, and regularly auditing DKIM records.
Key findings
- Volume Spike & DMARC Failures: A sudden, significant increase in email volume, especially from unfamiliar IPs, coupled with rising DMARC failure reports, suggests a DKIM replay attack.
- Compromised Account Red Flags: Unusual login locations, unauthorized password changes, new forwarding rules (especially to external addresses), and changes in account settings are key indicators of a compromised account.
- DKIM Replay Complexity: DKIM replay attacks are difficult to detect because they utilize valid DKIM signatures, necessitating vigilance regarding sending patterns and authentication results.
- Bounce Rate Surge: A sudden increase in bounce rates, particularly hard bounces, can indicate that a domain is being used for spam via a DKIM replay attack.
- Failed SPF checks: Increase in failed SPF checks with DKIM failures from same sending IP may indicate an attack
Key considerations
- Continuous Monitoring: Constantly monitor email volume, DMARC reports, bounce rates, login activity, and audit logs for unusual patterns and anomalies.
- Robust Security Measures: Implement multi-factor authentication (MFA), enforce strong password policies, regularly audit account activity, and consider geo-filtering to restrict access from suspicious regions.
- Proactive DKIM Management: Regularly audit DKIM records, use short signature validity, and ensure proper DKIM configuration to minimize the window of opportunity for replay attacks.
- Account Setting Scrutiny: Pay close attention to changes in account settings, such as forwarding rules, recovery email addresses, and contact lists, as they can indicate malicious activity.
- Postmaster Tools Utilization: Use tools like Google Postmaster Tools to identify large volume issues
What email marketers say
8 marketer opinions
DKIM replay attacks exhibit symptoms such as a sudden spike in email volume (especially from unfamiliar IPs), increased DMARC failure reports, and a rise in bounce rates. Monitoring email volume, DMARC reports, and bounce rates is crucial. Compromised accounts can be identified through unusual login locations, multiple failed login attempts, password changes the user didn't initiate, unauthorized access to connected apps, and new/changed forwarding rules (especially to external addresses). Implementing MFA, auditing account activity, and geo-filtering are recommended to mitigate risks.
Key opinions
- DKIM Replay Symptoms: Sudden spike in email volume from unfamiliar IPs, increased DMARC failure reports, and rising bounce rates often indicate a DKIM replay attack.
- Compromised Account Signs: Unusual login locations, multiple failed login attempts, unauthorized password changes, and new forwarding rules (particularly to external domains) are key signs of a compromised account.
- SPF/DKIM Failure Increase: Increased SPF check failures, along with DKIM failures from the same sending IP, can signify a DKIM replay attack as attackers use unauthorized servers.
- Malicious Content Injection: DKIM replay attacks can involve resending legitimate emails with malicious content added, leading to reputational damage.
Key considerations
- Monitoring: Continuously monitor email volume, DMARC reports, bounce rates, and login activity to detect anomalies.
- Account Security: Implement multi-factor authentication (MFA), regularly audit account activity, and consider geo-filtering to restrict access from certain regions.
- DKIM Record Audits: Regularly audit DKIM records to ensure they are up-to-date and properly configured.
- Forwarding Rules: Pay close attention to new or changed forwarding rules, especially those forwarding to external addresses, as they can indicate compromised accounts.
Marketer view
Email marketer from Reddit shares that an indicator of DKIM Replay Attacks is typically an increase in failed SPF checks in combination with DKIM failures from the same sending IP. This is due to the attacker replaying the message from a server they control which is not authorized to send on your behalf.
12 Jan 2022 - Reddit
Marketer view
Email marketer from Email Marketing Forum explains that a sudden spike in bounce rates, especially hard bounces, can indicate that your domain is being used to send spam via a DKIM replay attack. Monitor bounce rates alongside DMARC reports.
23 Mar 2023 - Email Marketing Forum
What the experts say
4 expert opinions
DKIM replay attacks are difficult to detect as attackers reuse valid signatures. Symptoms to watch for include a huge (5-10x normal) increase in email volume visible in Google Postmaster Tools. Double-signing customer mail might be a factor when investigating DMARC report increases. Consider the possibility of compromised accounts as a cause and pay attention to changes in sending patterns, such as unusual recipients.
Key opinions
- Volume Spike: A significant increase (5-10x) in email volume within Google Postmaster Tools is indicative of a DKIM replay attack.
- Double Signing: Double signing practices might contribute to DMARC reporting issues and should be investigated when troubleshooting.
- Compromised Accounts: Compromised accounts should always be considered as a potential cause of unusual sending activity.
- Difficult Detection: DKIM replay attacks can be challenging to identify due to the reuse of valid signatures.
- Change in Patterns: A change in sending patterns, such as a sudden increase in email volume or emails being sent to recipients who don't normally receive emails from you.
Key considerations
- Google Postmaster Tools: Utilize Google Postmaster Tools to monitor email volume for abnormal spikes.
- Account Security: Implement security measures to prevent and detect compromised accounts.
- Sending Pattern Analysis: Regularly analyze sending patterns to identify any deviations from normal activity.
- Double Signing Impact: Evaluate the impact of double signing practices on DMARC compliance.
Expert view
Expert from Email Geeks explains that the described situation doesn't sound like a DKIM replay attack. Typically, a DKIM replay attack would show a huge increase in volume for that DKIM domain in Google Postmaster Tools, like 5 or even 10x normal.
15 Feb 2023 - Email Geeks
Expert view
Expert from Email Geeks asks if the customer's mail that is seeing an increase in DMARC reports is being double signed.
11 Apr 2023 - Email Geeks
What the documentation says
3 technical articles
Compromised accounts exhibit unusual email sending patterns (large volumes, unfamiliar recipients) and altered settings (forwarding rules, recovery emails). Audit logs should be monitored for suspicious activity like password changes or sign-in locations. The DKIM standard (RFC 6376) acknowledges replay attacks as a risk and suggests countermeasures like short signature validity and time stamping to mitigate potential harm.
Key findings
- Unusual Email Patterns: Sending large volumes of emails or contacting unfamiliar recipients suggests suspicious account activity.
- Setting Alterations: Changes to forwarding rules, recovery email addresses, and passwords are red flags indicating potential account compromise.
- Audit Log Importance: Regularly checking audit logs reveals suspicious activity such as unusual sign-in locations and file access.
- DKIM Replay Risk: The DKIM standard (RFC 6376) recognizes the possibility of replay attacks and suggests mitigation techniques.
- Signature Validity: Employing short signature validity and time stamping can help minimize the impact of DKIM replay attacks.
Key considerations
- Account Monitoring: Implement systems to detect and alert on unusual email sending behavior.
- Log Analysis: Establish a process for regularly reviewing and analyzing audit logs for suspicious activity.
- DKIM Configuration: Configure DKIM with short signature validity and time stamping to reduce the window of opportunity for replay attacks.
- RFC Compliance: Implement DKIM with consideration for the RFC 6376 recommendations regarding replay attack mitigation.
Technical article
Documentation from RFC Editor (RFC 6376) explains that although the standard does not directly prevent replay attacks it highlights the need for implementations to consider the possibility of replay and to implement appropriate countermeasures to mitigate risks where necessary. This can be achieved through short signature validity and time stamping.
29 Aug 2024 - RFC Editor
Technical article
Documentation from Microsoft recommends checking audit logs for unusual activity such as password changes, email forwarding rules being added, or unusual sign-in locations. Also, look for unusual email sending patterns or file access activity.
18 Oct 2021 - Microsoft
How can I use DMARC to prevent spammers from using my domain?
How do I handle spoofing when DMARC reject is set but not enforced on inbound mail server?
How do I troubleshoot DMARC failures and potential DKIM replay attacks affecting email deliverability?
How does DMARC impact email deliverability, and what are the pros and cons of using it?
How to identify and handle email forging and replay attacks?
What are SPF, DKIM, and DMARC, and when are they needed?
