What are the symptoms of a DKIM replay attack and how can a compromised account be identified?
Michael Ko
Co-founder & CEO, Suped
Published 3 Aug 2025
Updated 16 Aug 2025
7 min read
DKIM replay attacks are a form of email abuse that turns a sender's own authentication against it. A DomainKeys Identified Mail (DKIM) signature covers selected headers and the body of a message, but not the SMTP envelope, so a message that was legitimately signed once can be re-sent ("replayed") to any number of new recipients and still verify. The attacker obtains such a message, for example by getting one delivered to a mailbox they control through a provider or account that signs with your domain, and then re-injects it from their own infrastructure. Because the signed headers and body are unchanged, the replayed copies pass DKIM and, through DKIM alignment, DMARC, and can slip past filters that weight those results, appearing authentic to the recipient and the receiving mail server.
The danger of a DKIM replay attack lies in its ability to leverage the trust associated with a legitimate sender's domain. When a malicious actor successfully executes such an attack, it can lead to severe consequences, including widespread phishing campaigns, credential theft, and significant damage to a sender's email reputation. Understanding the symptoms of these attacks and how to identify a compromised account is crucial for maintaining email security and deliverability.
Detecting a DKIM replay attack is harder than detecting plain spoofing because the replayed messages pass DKIM, and therefore DMARC, even though SPF normally fails (the attacker's IP is not in your SPF record). There are still several indicators. One of the most telling is an unexpected surge in mail volume attributed to your domain in monitoring tools or DMARC aggregate reports, often five to ten times your usual volume, coming from IP addresses you do not send from.
Another symptom is an increase in complaints from recipients about suspicious messages that appear to come from your organization and carry valid authentication headers. These messages might contain phishing links, malware, or requests for sensitive information. Compare reported messages against your legitimate mail: the attacker cannot change anything the signature covers without breaking it, so the signed headers and body will match a message that really was signed for your domain, while the envelope recipients, the sending IP, and any headers the signature does not cover are the attacker's.
You might also notice a sudden decline in your sender reputation or an increase in your domain or IP address appearing on email blocklists (or blacklists). Even with valid DKIM, unusual sending patterns or a high volume of complaints can trigger reputation flags with internet service providers (ISPs). This can lead to your legitimate emails landing in spam folders or being rejected outright, impacting your overall email deliverability. For more information, you can read our guide on blocklists.
DMARC aggregate reports are the most useful evidence here, because they cover messages that pass as well as those that fail. A replay shows up as a large number of DKIM-pass, SPF-fail messages from source IPs outside your normal sending infrastructure, typically all using the same selector. If you stop receiving reports altogether while seeing other signs of abuse, do not read that as the traffic "bypassing" DMARC; aggregate reports are sent regardless of the policy outcome, so check that your DMARC record's rua address is still correct and reachable. Conversely, if you suddenly receive reports from external parties showing a high volume of mail from your domain that you did not send, that is a strong indicator of a replay attack or other spoofing.
Potential red flags
Sudden volume spike: Check your sending logs and DMARC aggregate reports for unusual email volume that you cannot account for.
Recipient complaints: Users reporting suspicious emails that look legitimate and pass authentication.
DMARC report anomalies: Receiving unexpected DMARC reports or a significant change in your own report data, such as a large number of emails from unknown IPs passing DKIM.
Reputation decline: Your domain or IP address appearing on new blocklists (blacklists) or experiencing increased spam filtering.
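One way to pull the replay fingerprint described above (DKIM pass, SPF fail, unknown source, abnormal volume) out of a DMARC aggregate (RUA) report, as an added example that is not part of the original article. The report XML, the known sender range, the selector and the baseline volume below are all constructed assumptions; the parser reads the standard RUA record layout and only the standard library is used.

```python
"""Flag likely DKIM replay sources in a DMARC aggregate (RUA) report.

Added example, not code from the original article. The report XML below is
constructed for illustration; the IP addresses, selector and counts are
assumptions, not real report data.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample RUA report: one legitimate source and one replaying source.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <date_range><begin>1723766400</begin><end>1723852800</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>9500</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>mailer.attacker.test</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""

# Assumed: the networks you actually send from (e.g. from your SPF include chain).
KNOWN_SENDERS = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed: your typical daily volume; a replay is often many times this.
BASELINE_DAILY_VOLUME = 1500


def parse_rua(xml_text):
    """Return one dict per <record> with the fields relevant to replay detection."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            "selector": rec.findtext("auth_results/dkim/selector"),
        })
    return records


def is_known_sender(ip):
    """True if the source IP falls inside one of our own sending networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_SENDERS)


def find_replay_suspects(records, known=is_known_sender, baseline=BASELINE_DAILY_VOLUME):
    """Replay fingerprint: DKIM (and so DMARC) passes, SPF fails, and the source is not ours.

    Volume on its own is a weaker signal (forwarders look the same at low volume),
    so it is reported as a separate flag rather than required.
    """
    suspects = []
    for r in records:
        if r["dkim"] == "pass" and r["spf"] != "pass" and not known(r["source_ip"]):
            suspects.append({
                "source_ip": r["source_ip"],
                "selector": r["selector"],
                "count": r["count"],
                "volume_spike": r["count"] >= 5 * baseline,
            })
    return suspects


if __name__ == "__main__":
    for s in find_replay_suspects(parse_rua(SAMPLE_RUA)):
        spike = " (volume spike)" if s["volume_spike"] else ""
        print(f"{s['source_ip']}: {s['count']} msgs, DKIM pass/SPF fail via selector {s['selector']}{spike}")
```

Legitimate forwarding (mailing lists, auto-forwarded mailboxes) produces the same DKIM-pass/SPF-fail result from IPs you do not control, but at a fraction of the volume; that is why the check reports volume separately rather than treating every unknown source as an attack, and why a sudden change in which selector dominates the report is worth a look.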
Legitimate email vs. DKIM replayed email
DKIM signature: Legitimate, valid and authentic. Replayed, also verifies, because the signed headers and body are reused unchanged.
Content: Legitimate, expected and relevant to the recipient. Replayed, identical in everything the signature covers; the attacker picks a message whose original content already suits them (for example one carrying a link they control) and can alter only what is unsigned, such as headers left out of h= or body text beyond an l= length limit.
Recipient: Legitimate, the intended recipient. Replayed, recipients of the attacker's choosing who were never on the original list; DKIM does not cover the envelope recipient, and if To is signed it still names the original recipient while delivery goes elsewhere.
Timestamp: Legitimate, recent, within a reasonable window. Replayed, the signed Date header and the signature's own t= timestamp can be much older than the time of delivery.
Identifying a compromised account
A DKIM replay attack does not require a compromised account: the attacker only needs one message that was legitimately signed for your domain and delivered to an address they control, which a transactional message with attacker-supplied content, a free or trial account on a platform that signs with a shared domain, or a compromised mailbox will all provide. Even so, a compromised account is one of the most common sources, and it can also be used to send abuse directly. The account could belong to an employee, a customer, or a service provider that has sending permissions for your domain. Identifying a compromised account involves looking for specific patterns of unauthorized activity that differ from normal user behavior.
One of the primary indicators is unauthorized login attempts or successful logins from unusual locations, IP addresses, or devices. Review your email platform's login logs and audit trails regularly. Many providers, like Microsoft 365, provide detailed activity logs that can help pinpoint suspicious access. Changes to account settings, such as forwarding rules being created or modified, are also strong indicators. Attackers often set up forwarding to exfiltrate data or receive responses to their malicious emails.
Another red flag is the presence of unfamiliar emails in the sent items folder that the legitimate user did not send, or missing emails that were expected. Attackers may delete sent items to cover their tracks or purge incoming emails related to their activities. Complaints from recipients that they are receiving spam from your legitimate email accounts, particularly if these emails are bypassing their spam filters, also suggest compromise. Phishing emails often exploit valid authentication to appear trustworthy.
Monitoring your DMARC reports can also surface compromised accounts. Mail the attacker sends directly through the compromised account looks like your normal mail (SPF and DKIM pass from your provider's IPs), so watch for volume changes from those sources. Mail they send from their own infrastructure shows up as SPF failures from unexpected IPs, with DKIM passing when the message is replayed and failing when it is simply spoofed.
Compromised account indicators
Unexpected logins: Logins from unfamiliar locations, IP addresses, or devices.
Password changes: Changes to login credentials not initiated by the legitimate user.
Forwarding rules: New or altered email forwarding rules or inbox rules.
Unusual sent items: Emails in the sent folder that the user did not send.
Missing emails: Legitimate incoming or outgoing emails disappearing from the inbox or sent folders.
Normal activity
Login patterns: Consistent logins from familiar IPs and devices.
Email sending: Volume and content align with campaign schedules and user activity.
Account settings: No unexpected changes to forwarding, rules, or delegates.
Compromised account activity
Login patterns: Multiple failed logins, or logins from new IPs or geographic locations.
Email sending: Massive, unexpected email volume, often containing suspicious content.
Account settings: Forwarding to unknown addresses, new inbox rules to hide malicious activity.
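The indicators in this section (a successful login from a new location, preceded by failed attempts, followed within hours by a forwarding rule to an outside address and a burst of outbound mail) can be correlated mechanically. The following is an added example, not code from the article or from any mail platform: the audit events are constructed, and their JSON shape is a simplified stand-in for whatever your platform exports (it is not the Microsoft 365 audit schema). The domain list, the 24-hour window and the burst threshold are assumptions to tune.

```python
"""Correlate sign-in and mailbox-configuration events to spot a compromised account.

Added example, not part of the original article. The events below are
constructed; the JSON shape is a simplified stand-in for a real audit export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit events: normal activity for alice, then a suspicious
# sequence for bob (new country, then an external forwarding rule, then a burst of sends).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"ts":"2025-08-10T08:02:00Z","user":"alice@example.com","op":"signin","ip":"192.0.2.5","country":"US","ok":true}
{"ts":"2025-08-10T08:05:00Z","user":"alice@example.com","op":"send","count":12}
{"ts":"2025-08-10T09:00:00Z","user":"bob@example.com","op":"signin","ip":"192.0.2.9","country":"US","ok":true}
{"ts":"2025-08-11T02:14:00Z","user":"bob@example.com","op":"signin","ip":"203.0.113.40","country":"NG","ok":false}
{"ts":"2025-08-11T02:15:00Z","user":"bob@example.com","op":"signin","ip":"203.0.113.40","country":"NG","ok":false}
{"ts":"2025-08-11T02:16:00Z","user":"bob@example.com","op":"signin","ip":"203.0.113.40","country":"NG","ok":true}
{"ts":"2025-08-11T02:20:00Z","user":"bob@example.com","op":"inbox_rule","action":"forward","target":"drop@attacker.test"}
{"ts":"2025-08-11T02:40:00Z","user":"bob@example.com","op":"send","count":4800}
""".strip().splitlines()]

OUR_DOMAINS = {"example.com"}          # assumed: domains that count as internal
WINDOW = timedelta(hours=24)           # assumed: how soon after a new-location login a change counts
SEND_BURST = 1000                      # assumed: sends per event that are abnormal for one user
# Assumed: everything before this point is trusted history used to learn each user's baseline.
BASELINE_CUTOFF = datetime(2025, 8, 11, tzinfo=timezone.utc)


def _t(ev):
    """Parse the event's ISO-8601 timestamp (Z suffix) into an aware datetime."""
    return datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))


def baseline_countries(events, before):
    """Countries each user successfully signed in from before `before` (their learned baseline)."""
    seen = defaultdict(set)
    for ev in events:
        if ev["op"] == "signin" and ev["ok"] and _t(ev) < before:
            seen[ev["user"]].add(ev["country"])
    return seen


def find_compromised(events, baseline_cutoff):
    """Return {user: [reasons]} for users showing the compromise pattern:
    a successful login from a country not in their baseline (with any failed
    attempts in the 30 minutes before it), then a forwarding rule or an
    outbound burst within WINDOW of that login."""
    events = sorted(events, key=_t)
    known = baseline_countries(events, baseline_cutoff)
    findings = defaultdict(list)
    new_location_login = {}   # user -> time of first login from an unseen country

    for ev in events:
        user, ts = ev["user"], _t(ev)
        if ev["op"] == "signin" and ev["ok"] and ev["country"] not in known[user]:
            new_location_login.setdefault(user, ts)
            findings[user].append(f"successful login from new country {ev['country']} ({ev['ip']})")
            fails = [e for e in events if e["user"] == user and e["op"] == "signin"
                     and not e["ok"] and ts - timedelta(minutes=30) <= _t(e) < ts]
            if fails:
                findings[user].append(f"{len(fails)} failed logins in the 30 minutes before it")
        elif user in new_location_login and ts - new_location_login[user] <= WINDOW:
            if ev["op"] == "inbox_rule" and ev["action"] == "forward":
                external = ev["target"].rsplit("@", 1)[-1] not in OUR_DOMAINS
                findings[user].append(f"forwarding rule to {ev['target']}" + (" (external)" if external else ""))
            elif ev["op"] == "send" and ev["count"] >= SEND_BURST:
                findings[user].append(f"outbound burst of {ev['count']} messages")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in find_compromised(SAMPLE_EVENTS, BASELINE_CUTOFF).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

The baseline here is just "countries seen before the cutoff"; a production version would learn it per user over a longer window and add devices and ASNs, but the ordering logic (new location first, mailbox changes and volume afterwards) is what separates a travelling user from a takeover.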
Mitigating and preventing attacks
Preventing and mitigating DKIM replay attacks, and by extension account compromises, requires a multi-layered approach to email security. Rotating your DKIM keys regularly is a fundamental step, with one caveat: publishing a new key under a new selector does nothing to old signatures on its own. Replayed messages are verified against the selector named in their own signature, so the old public key has to be removed from DNS (or its record replaced with an empty p= value, which marks the key revoked) before those signatures stop verifying. Schedule that removal as part of rotation, and keep the window short enough that a captured message has little shelf life. Adding an expiration (x=) tag to your signatures limits their lifetime even while the key is still published.
Implementing an enforcing DMARC policy (p=quarantine or p=reject) remains essential, but be clear about what it does and does not do here. DMARC tells receiving mail servers how to handle mail that fails both SPF and DKIM alignment; a replayed message passes DKIM with an aligned d= domain, so DMARC alone will not stop it. What an enforcing policy gives you is protection against ordinary spoofing of your domain, which attackers fall back to once replay is cut off, and aggregate reports that make the replay pattern visible. Without a published policy and a rua address you get neither. Understanding DMARC, SPF, and DKIM is key.
Beyond technical configurations, user education plays a vital role. Training employees and customers to recognize phishing attempts, even those that appear legitimate due to valid authentication, can significantly reduce the success rate of these attacks. Encourage users to report suspicious emails and to always verify requests for sensitive information through alternative, secure channels. Additionally, implementing multi-factor authentication (MFA) on all email accounts and regularly auditing account access logs adds another layer of security against compromise.
Finally, make sure the headers that matter are covered by your DKIM signature. Bcc is not transmitted to the recipient, so it is not the concern; sign From, To, Cc, Subject, Date, and Message-ID, and oversign the ones an attacker would want to replace (list them in h= one more time than they occur, so a prepended duplicate To or Subject breaks the signature). Avoid the l= body-length tag, which lets content be appended without invalidating the body hash. For a technical deep dive, you can refer to the IETF DKIM replay problem statement.
Comprehensive header signing: include From, To, Cc, Subject, Date and Message-ID in h=, oversign the display-critical ones, and do not use l=.
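The signature properties discussed in this paragraph, together with the timestamp row of the comparison above, can be checked directly on a DKIM-Signature header, whether from a message a recipient reported or from your own outbound mail to see what your signer emits. The following is an added example, not code from the article: the two headers are constructed (their b= and bh= values are placeholders, not real signatures), the seven-day age limit is an assumption, and the code inspects tag values only; it does not perform cryptographic verification.

```python
"""Audit a DKIM-Signature header for the properties that make replay easy.

Added example, not code from the article. The two signature headers below are
constructed (b= and bh= are placeholders); this checks the tag values only and
does not verify the signature itself.
"""
import time

# RFC 6376 requires From to be signed; the rest are the headers a replayed
# message would most usefully have altered or added.
REQUIRED_SIGNED = {"from", "to", "subject", "date", "message-id"}
# Headers that should be oversigned (listed once more than they occur) so an
# attacker cannot prepend a second copy that mail clients display instead.
OVERSIGN = {"from", "to", "subject"}
MAX_AGE_SECONDS = 7 * 24 * 3600   # assumed: how old a t= timestamp is tolerated

# Constructed: a weak signature (few headers, l= present, no expiry, old t=).
WEAK_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1; "
            "h=from:date:mime-version; l=1200; t=1735689600; "
            "bh=placeholder=; b=placeholder=")

# Constructed: a hardened signature (full h= with oversigning, no l=, x= set).
HARDENED_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s2; "
                "h=from:to:subject:date:message-id:from:to:subject; "
                "t=1755302400; x=1755907200; bh=placeholder=; b=placeholder=")


def parse_tags(header_value):
    """Split a DKIM-Signature tag list (RFC 6376 section 3.2) into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def audit_signature(header_value, now=None):
    """Return a list of replay-relevant findings; an empty list means nothing to flag."""
    now = time.time() if now is None else now
    tags = parse_tags(header_value)
    findings = []
    signed = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    counts = {h: signed.count(h) for h in set(signed)}

    missing = sorted(REQUIRED_SIGNED - set(signed))
    if missing:
        findings.append(f"unsigned headers an attacker can change or add: {', '.join(missing)}")
    not_oversigned = sorted(h for h in OVERSIGN if counts.get(h, 0) < 2)
    if not_oversigned:
        findings.append(f"not oversigned (a duplicate header could be prepended): {', '.join(not_oversigned)}")
    if "l" in tags:
        findings.append(f"l={tags['l']} limits the body hash; content can be appended without breaking the signature")
    if "x" not in tags:
        findings.append("no x= expiration; the signature stays valid for as long as the key is published")
    elif int(tags["x"]) < now:
        findings.append("signature expired (x= in the past)")
    if "t" in tags and now - int(tags["t"]) > MAX_AGE_SECONDS:
        days = int((now - int(tags["t"])) // 86400)
        findings.append(f"signed {days} days ago (t=); an old signature on fresh traffic suggests replay")
    return findings


if __name__ == "__main__":
    for label, sig in (("weak", WEAK_SIG), ("hardened", HARDENED_SIG)):
        print(f"{label}: {audit_signature(sig) or ['no findings']}")
```

Run against your own outbound mail, the weak pattern is what to fix in the signer; run against a reported message, an old t= (or an expired x=) on a signature that still verifies is the timestamp symptom from the comparison table, and tells you which selector's key to pull.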
Protecting your email ecosystem
Protecting your email ecosystem from DKIM replay attacks and account compromises demands constant vigilance and proactive measures. It is not enough to set up email authentication protocols once; you need to monitor them actively and be prepared to respond to anomalies. These attacks are built to pass the initial checks, so ongoing monitoring is what catches them.
By understanding the subtle symptoms of a replay attack and the clear indicators of a compromised account, you can quickly identify and address threats before they severely impact your sender reputation and deliverability. Implementing strong DMARC policies, regularly rotating DKIM keys, and empowering your users with cybersecurity knowledge are essential steps in building a resilient email security posture. This combined approach will significantly reduce your vulnerability to sophisticated email threats.
Views from the trenches
Best practices
Actively monitor DMARC aggregate reports for unexpected spikes in DKIM-passing, SPF-failing mail from sources you do not send from.
Implement strong authentication like multi-factor authentication (MFA) for all email accounts.
Regularly rotate your DKIM keys and remove the retired public keys from DNS, so that signatures made with them stop verifying and cannot be reused.
Common pitfalls
Assuming a valid DKIM signature guarantees email legitimacy against all attack vectors.
Not having a DMARC policy or setting it to `p=none`, which offers no enforcement.
Failing to review DMARC aggregate and failure (forensic) reports for suspicious activity.
Expert tips
A huge increase in volume for a DKIM domain in Google Postmaster Tools, possibly 5 or even 10 times normal, is a strong indicator of a DKIM replay attack.
If you're not receiving DMARC reports despite suspicious activity, investigate your DMARC record to ensure it's correctly configured.
If you suspect a replay attack or account compromise, rotate your DKIM keys immediately and pull the old selector's public key from DNS so the captured signatures no longer verify.
Expert view
Expert from Email Geeks says a significant increase in email volume for a DKIM domain within Google Postmaster Tools, often 5 to 10 times the normal rate, is a clear sign of a DKIM replay attack.
2023-01-17 - Email Geeks
Marketer view
Marketer from Email Geeks says that experiencing bad reputation reports on IPs not belonging to the domain, without receiving DMARC reports, suggests a need for deeper investigation into the attack type.