Post: tech, email | Nov 21, 2023

DKIM Replay Attacks: A threat to email security

Is someone hijacking your good reputation to send millions of spam or malicious messages? 

Email senders have a new security concern: a protocol intended to provide sender authentication and thwart spam has inadvertently opened a back door that allows spammers to hijack a legitimate sender’s good reputation and send millions of unwanted email messages. 

It’s called a DKIM replay attack, and it uses DomainKeys Identified Mail, an email authentication method that uses a digital signature to tell an inbound email server a message was authorized by the domain owner, to evade spam filters.

During the webinar, Understanding DKIM Replay Attacks: A must for email senders, organized by the Certified Senders Alliance (CSA), email security experts including Fredrik Poller of Halon, Al Iverson of Spam Resource and Sebastian Kluth of the CSA said they expect it to become a serious problem for email senders as authentication efforts shift from IP reputation to domain reputation.

While you might not have heard of DKIM replay attacks, 32% of the webinar’s attendees said they had already been victims. 

What is a DKIM replay attack? 

“Spammers don’t have good reputations, so they hijack someone else’s good reputation by tricking that sender like an ESP, a mailbox provider, or a brand into sending a DKIM-signed email using their good reputation,” Fredrik said. 

A spammer might exploit this by copying an entire email, including its headers with the DKIM signature, and then resend it from their own mailing platform. As a result, the receiving email servers, seeing the intact signature, would identify the message as authentic and allow it to pass through their security checks.

‘Although these messages might fail another protocol called Sender Policy Framework (SPF), that might not prevent many of those spam emails from getting through inbound email spam filters’, said Al Iverson of Spam Resource.

How did it become a problem?

The move to authenticate messages using domain reputation protocols like DMARC (Domain-based Message Authentication Reporting & Conformance) opened the door to these attacks because it essentially “detaches the reputation of the email from the infrastructure” that sends the message, Fredrik said. “If I were to do a replay attack it doesn’t matter if I do it from my servers or from the original servers.”

These kinds of attacks might increase because of changes coming from major mailbox providers such as Gmail and Yahoo! Mail, which require DMARC authentication before accepting email messages. 

“Authentication is divorced from sending infrastructure,” Sebastian said during the webinar. “I can compose an email, sign it with the proper DKIM, and send it to any email server. It is a properly DKIM-authenticated email message that is not linked to any sending service. That is the issue. That is what spammers understand. They are taking a trustworthy email and sending it to their own infrastructure. Then they shut it down after they send millions of emails.”

It's also not easy to detect whether DKIM has been hijacked, but observers might notice that an unusually high number of messages are going out under a single DKIM signature.

 

How can you protect against a DKIM replay attack?

Brands that send millions of messages every day could be candidates for getting abused and having their online reputation damaged. They might not be able to stop malicious senders from trying to hijack their good reputations, but they can make the process more difficult by taking steps such as:

1. Setting an expiration date on DKIM signatures to limit the window where a replay attack can be performed
2. Making sure DKIM has been set up properly on their outbound servers, including oversigning
3. Avoid signing with their own domain when possible - white-label and use the customer's domain
4. Eliminate free bulk email sending as part of ESP demonstrations
5. Ensure that a good routine is in place to rotate DKIM keys when a DKIM replay happens
6. Re-sign any email that soft-bounces before trying to send it again to allow for even shorter expiry times

For more details on DKIM replay attacks, watch the full recording here or read our other blog post about DKIM replay attacks here. If you have any questions, Halon is here to help! Simply contact us and one of our email experts will be in touch.