DKIM replay attacks occur when malicious actors reuse legitimate, DKIM-signed emails to send fraudulent messages that bypass authentication checks. Identifying these attacks and discerning them from a simple compromised account requires careful observation of email authentication reports and sending patterns. While a compromised account might lead to unauthorized sending, a DKIM replay attack specifically leverages a valid DKIM signature, making it particularly insidious because the emails appear legitimate to receiving mail servers. Understanding the subtle differences and key indicators is crucial for timely detection and mitigation.
Key findings
Volume surge: A significant and sudden increase in email volume from a specific DKIM domain, often 5 to 10 times the normal rate, is a strong indicator of a replay attack. This can be observed in tools like Google Postmaster Tools.
DMARC reports: While a replay attack might bypass DMARC checks if the original signature is valid, you may still see unusual DMARC reports from recipient domains. This could include reports for your customers or domains you are signing for, even if your own DMARC reports show nothing amiss. Consider reviewing DMARC reports carefully.
IP reputation drop: Reports of poor IP reputation from sending IPs that are not explicitly yours, but are sending on behalf of your domain or your customers' domains, can indicate a compromise or replay activity.
Unusual content: Phishing or spam content appearing to come from your legitimate domain, even if authentication passes, is a clear sign of an issue.
Compromised accounts: A DKIM replay attack often stems from a compromised account or system that allows attackers to intercept and resend legitimate emails. Identifying if a client's account has been compromised is a critical first step.
Key considerations
BCC headers: The BCC header is typically not transmitted to the receiving SMTP server, meaning signing it won't prevent a replay attack. Focus should be on other aspects of the email header and body for protection.
DKIM rotation: Rotating your DKIM keys can help mitigate ongoing replay attacks by invalidating old signatures, but it doesn't address the root cause of the compromise if one exists.
DMARC policy: Implementing a strict DMARC policy (p=quarantine or p=reject) can help receiving servers handle emails that fail DMARC, even if they have a valid DKIM signature from a replay.
Email header analysis: Thoroughly examining email headers for anomalies, such as unexpected ARC-Seal headers or routing paths, can provide clues to a replay attack or compromise.
User awareness: Educating users to be wary of suspicious emails, even if they appear legitimate, is crucial, as replay attacks often precede phishing attempts.
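The indicators above (a multiple-of-baseline volume surge on a DKIM domain, passing signatures arriving from IPs that are not yours, and a d= domain that does not match the From domain) can be pulled straight out of DMARC aggregate reports. The following is an added example, not code from the page or from any vendor it cites; the RUA XML, the IP addresses, the baseline volume and the 5x surge threshold are all constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (RUA) report; domains, IPs and counts are placeholders.
SAMPLE_RUA = """<feedback>
  <policy_published><domain>example.com</domain></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>900</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>8000</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bulk-relay.invalid</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

KNOWN_IPS = {"192.0.2.10"}          # constructed: IPs you actually send from
BASELINE = {"example.com": 1000}    # constructed: normal volume per DKIM d= domain
SURGE_FACTOR = 5                    # flag at 5x baseline, as the text suggests

def analyze_rua(xml_text, known_ips=KNOWN_IPS, baseline=BASELINE, surge=SURGE_FACTOR):
    """Return findings: DKIM passes from unknown IPs, DKIM-pass records whose d=
    does not align with the From domain, and volume surges per DKIM d= domain."""
    root = ET.fromstring(xml_text)
    volume = defaultdict(int)
    findings = []
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        header_from = rec.findtext("identifiers/header_from")
        for dkim in rec.iterfind("auth_results/dkim"):
            d = dkim.findtext("domain")
            if dkim.findtext("result") != "pass":
                continue
            volume[d] += count  # replayed mail still carries a passing signature
            if d != header_from:
                findings.append(("misaligned_dkim", ip, d, header_from))
        if rec.findtext("row/policy_evaluated/dkim") == "pass" and ip not in known_ips:
            findings.append(("unknown_ip_dkim_pass", ip, count))
    for d, total in volume.items():
        if d in baseline and total >= surge * baseline[d]:
            findings.append(("volume_surge", d, total, baseline[d]))
    return findings
```

Run against real RUA files, the baseline should come from a rolling window of your own historical reports rather than a constant.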
Email marketers often find themselves on the front lines when a domain or sending infrastructure is under attack, as deliverability rates and brand reputation are directly impacted. Their observations provide practical insights into the symptoms of unusual sending activity and the immediate steps taken to address them, even if the exact nature of the attack is initially unclear. The focus is often on real-time indicators such as unusual DMARC reports or a sudden decline in sending reputation.
Key opinions
Reputation impacts: Marketers frequently notice a sudden drop in their sender reputation, with reports of IPs not belonging to them appearing in bad reputation lists. This is a primary red flag that something is amiss.
Unexpected DMARC alerts: Receiving DMARC reports from customers or third parties showing high volumes of emails from their domain, without having received their own DMARC reports for the same activity, points to unauthorized sending or a compromise that is difficult to trace.
Authentication complexity: When using multiple DKIM signatures (e.g., one for the sending domain and one for the client's domain), marketers note the complexity in pinpointing which signature or domain might be exploited in a replay scenario.
Lack of direct evidence: It can be challenging for marketers to definitively classify an attack as a DKIM replay without deeper technical analysis, as symptoms often overlap with other forms of spoofing or account compromise.
Key considerations
Client communication: Marketers recognize the importance of direct communication with affected clients to gather more information and collaborate on identifying the source of unauthorized sending.
Proactive key rotation: Even without definitive proof of a replay attack, rotating DKIM signatures is considered a quick and necessary step to mitigate potential abuse of compromised keys. This can be done as part of general DKIM maintenance.
Monitoring reputation: Continuous monitoring of IP and domain reputation is vital, especially when unusual sending activity is suspected. This helps identify unauthorized senders more quickly and understand the impact on deliverability.
Investigating beyond DKIM: While DKIM is the focus, marketers also consider broader account compromise possibilities, checking for unauthorized access to their client's sending platforms or mail servers.
Marketer view
Email marketer from Email Geeks notes that they are experiencing attacks on one of their domains, suspecting a DKIM replay issue despite double-signing headers except for BCC.
17 Jan 2023 - Email Geeks
Marketer view
Email marketer from Email Geeks indicates that they are seeing reports of bad IP reputation from IPs that are not their own, suggesting a problem with unauthorized sending. They also mention that their customers are receiving large DMARC reports.
17 Jan 2023 - Email Geeks
What the experts say
Email experts delve deeper into the technical nuances of email attacks, distinguishing between different types of compromises and authentication bypasses. Their insights often highlight specific technical indicators and provide a more definitive understanding of whether a DKIM replay attack is occurring or if another form of exploitation, such as an account compromise, is the root cause. They emphasize the role of tools like Google Postmaster Tools and the behavior of email headers.
Key opinions
Volume is key: Experts strongly suggest that a true DKIM replay attack is characterized by an extremely high volume of forged emails, often an order of magnitude greater than normal sending, visible in aggregate reports.
BCC irrelevance: The BCC header is typically not relevant to DKIM signing or replay attacks, as it's stripped before reaching the receiving SMTP server. Focusing on this header will not resolve a replay issue.
Distinguishing attacks: Experts differentiate between DKIM replay and other forms of compromise, noting that symptoms like widespread bad IP reputation on unfamiliar IPs, without corresponding high volume on the DKIM domain, might point more towards a compromised account or third-party abuse.
DMARC report analysis: While DKIM replay emails might pass DKIM, DMARC reports can still provide critical clues if the From domain doesn't align with the DKIM d= domain or the SPF domain.
Key considerations
Google Postmaster Tools: This tool is a crucial resource for identifying massive volume increases associated with DKIM replay attacks. Its data can help confirm whether a large-scale spoofing event is occurring against a specific DKIM domain.
Account compromise verification: Experts advise verifying if client accounts were indeed compromised, as this often underlies DKIM replay or other spoofing techniques. This involves checking access logs and user activity.
Double signing: While double signing (your domain's DKIM and your client's DKIM) is a common practice for ESPs, it doesn't inherently prevent replay attacks if one of the underlying keys is compromised.
Beyond authentication: Even with perfect SPF and DKIM, compromised accounts can still send abusive mail. Experts stress the importance of monitoring content, recipient complaints, and DMARC aggregate reports (RUAs) for anomalies beyond simple authentication passes.
Expert view
Email expert from Email Geeks explains that it is difficult to assess the situation in the abstract, but a massive increase in volume for the DKIM domain in Google Postmaster Tools is a typical sign of a replay attack.
17 Jan 2023 - Email Geeks
Expert view
Email expert from Word to the Wise suggests that an attacker leveraging a valid DKIM signature from a previous, legitimate email is the core of a DKIM replay attack, making detection challenging for receiving mail servers.
20 May 2024 - Word to the Wise
What the documentation says
Technical documentation and research papers offer the foundational understanding of DKIM, its vulnerabilities, and the mechanisms behind replay attacks. They detail how these attacks exploit the trust established by valid cryptographic signatures and outline the technical measures necessary for prevention and detection. This perspective is crucial for implementing robust security protocols and understanding the limitations of current email authentication standards.
Key findings
Signature validity: DKIM replay attacks succeed because the intercepted email carries a legitimate DKIM signature, which, when replayed, still appears valid to the receiving server. This can allow phishing emails to bypass checks.
Header and body integrity: DKIM signs specific headers and a portion of the body. If these elements remain unchanged, the signature will pass. Attackers often reuse emails where these elements are generic or can be recontextualized.
Lack of expiry: The original DKIM specification (RFC 6376) did not include explicit mechanisms to prevent replay attacks, such as mandatory timestamping or nonces in the signed headers, making it possible for old valid signatures to be replayed.
DMARC limitations: While DMARC relies on SPF and DKIM alignment, a DKIM replay attack can still pass DMARC if the DKIM d= domain aligns with the From header, making it difficult to detect purely from authentication results.
Key considerations
Adding nonces/timestamps: To prevent replay attacks, documentation recommends including unique, per-message elements like timestamps (e.g., t= tag) or random numbers (nonces) within the signed portions of the email headers or body. This ensures each legitimate email has a unique signature.
Header canonicalization: Using a 'relaxed' header canonicalization can make emails more robust to minor modifications but can also inadvertently aid replay attacks by being less sensitive to changes attackers might make.
DMARC policy enforcement: While DMARC might not directly prevent a perfect DKIM replay, a strong p=reject policy provides the strongest defense against unauthorized sending, regardless of DKIM pass/fail.
Authentication chain: Relying on a full authentication chain (SPF, DKIM, DMARC) and supplemental signals (like IP reputation, content analysis, and user complaints) is necessary for comprehensive email security, as no single protocol is foolproof against all attack vectors.
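The replay-resistance properties the documentation section describes (signed timestamp and expiry in the header, coverage of the identity-carrying headers, and canonicalization mode) can be checked on the DKIM-Signature header itself once the cryptographic verification has passed. The following is an added example, not code from the page or from any cited source; the sample header, its selector, the one-week lifetime threshold and the set of headers treated as required are constructed assumptions, and the b= and bh= values are placeholders.

```python
import re

# Constructed DKIM-Signature value; t= is 2023-01-17 00:00 UTC and x= is one week later.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2023;"
              " h=from:to:subject:date:message-id; t=1673913600; x=1674518400;"
              " bh=placeholderbodyhash=; b=placeholdersignature=")

# Assumption: these headers bind a message to its recipient and context.
REQUIRED_HEADERS = {"from", "to", "subject", "date", "message-id"}
MAX_LIFETIME = 7 * 24 * 3600  # assumption: longer than a week is replay-friendly

def parse_tags(sig):
    """Split a DKIM-Signature value into its tag=value pairs (whitespace stripped)."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def assess_replay_resistance(sig, now):
    """Return the list of replay-related weaknesses found in a verified signature."""
    tags = parse_tags(sig)
    issues = []
    signed = set(tags.get("h", "").lower().split(":"))
    missing = REQUIRED_HEADERS - signed
    if missing:  # an unsigned To/Subject can be rewritten without breaking b=
        issues.append("unsigned_headers:" + ",".join(sorted(missing)))
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    if x is None:  # no x= means the signature stays valid for as long as the key does
        issues.append("no_expiry")
    else:
        if now > x:
            issues.append("expired")
        if t is not None and x - t > MAX_LIFETIME:
            issues.append("long_lifetime")
    if tags.get("c", "simple/simple").split("/")[0] == "relaxed":
        issues.append("relaxed_header_canonicalization")  # the text's caveat above
    return issues
```

Feed `now` from the receiving system's clock; a signature that verifies but reports `expired` is exactly the case key rotation alone does not catch.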
Technical article
Documentation from Proton.me describes a DKIM replay attack as an attacker intercepting a legitimate DKIM-signed email and resending it to multiple recipients, where it still passes authentication.
09 Feb 2024 - Proton.me
Technical article
Documentation from SocketLabs explains that attackers often sign up for free accounts with email service providers to generate legitimate DKIM-signed emails which they can then reuse in replay attacks.
15 Feb 2022 - SocketLabs