---
title: "What is a DKIM Replay Attack and How to Prevent it? | DMARC Report"
description: "What is a DKIM Replay Attack and How to Prevent it? from DMARC Report explains practical steps for email authentication, domain protection, deliverability."
image: "https://dmarcreport.com/og/blog/what-is-a-dkim-replay-attack-and-how-to-prevent-it.png"
canonical: "https://dmarcreport.com/blog/what-is-a-dkim-replay-attack-and-how-to-prevent-it/"
---

## Quick Answer

DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail.


![What is a DKIM Replay Attack and How to Prevent it?](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 



> DKIM is the authentication protocol that survives email forwarding, says Brad Slavin, General Manager of DuoCircle. When SPF fails because a forwarder’s IP isn’t in the original record, DKIM alignment is the only path to DMARC pass. That’s why we monitor DKIM alongside SPF in every DMARC Report dashboard.


In 2023, as many as [45.6%](https://www.statista.com/statistics/420400/spam-email-traffic-share-annual/#:~:text=In%202023%2C%20nearly%2045.6%20percent,almost%2049%20percent%20in%202022.) of all emails were identified as spam. While CISOs and technology enthusiasts are doing their best to ward off these attacks, cybercriminals are just as busy devising newer ways of exploitation.

One such relatively recent technique is the DKIM replay attack, in which a threat actor abuses a high-reputation mailbox to obtain a legitimately [DKIM](https://dmarcreport.com/what-is-dkim/)-signed message. That signature is later reused against billions of recipients in spam emails that pass authentication checks and other security filters. _They may add another header or change the subject and send the emails to random or specific targets_.

Beyond your DKIM signature being used in cyberattacks, your [domain reputation](https://www.namehero.com/blog/domain-reputation-what-it-is-how-to-improve-it/) can also take a hit, as recipients may **block or report** the messages.

Let’s understand this topic better.

## DKIM Replay Attack Definition

_DKIM replay is a cyberattack technique in which an adversary intercepts a legitimate DKIM-signed email and **resends it to a lot of people**_. As the email retains the original sender’s signature, receiving mail servers perceive it as legitimate and validate it as authentic. This is usually used to have [malicious emails bypass security filters](https://www.securityweek.com/domains-once-owned-by-major-firms-help-millions-of-spam-emails-bypass-security/) so that threat actors can [spread malware](https://www.bleepingcomputer.com/news/security/fake-facebook-midjourney-ai-page-promoted-malware-to-12-million-people/) and attempt phishing, spoofing, [social engineering](https://www.knowbe4.com/what-is-social-engineering/), and similar **email-based menaces**.

## How Does DKIM Work?

DKIM is an [email authentication protocol](https://dmarcreport.com/what-is-dmarc/) developed in 2004 and made public in 2007. It works by adding a digital signature to an email’s header using [public-key cryptography](https://en.wikipedia.org/wiki/Public-key%5Fcryptography). The sending mail server generates this signature, and the receiving mail server verifies it using a public key stored in the [DNS (Domain Name System) records](https://www.ibm.com/topics/dns-records) of the sender’s domain.

## How Does a DKIM Replay Attack Unfold?

Here’s the usual flow of a DKIM replay attack:

### DKIM Signature Flexibility

_DKIM lets the domain that signs the email be different from the domain in the email’s ‘From’ header_. This means that even if an email shows a specific domain in the **‘From’ header**, the [DKIM signature](https://dmarcreport.com/blog/secure-your-email-communication-by-achieving-the-highest-authentication-standards-with-dkim-signatures/) can still be linked to a different domain.

### DKIM Verification

Upon receipt, the receiving [mail server](https://www.activecampaign.com/glossary/mail-server) checks the signature to ensure the email has not been tampered with in transit. If the **signature validates**, the email passes the check.

### Exploiting Highly Reputed Domains

This is the attack stage. If an attacker gains [unauthorized access](https://nordvpn.com/blog/unauthorized-access/) to a mailbox linked with a reputable domain, they can exploit it through the **DKIM replay technique**. In some cases, they even create a new domain.

### Sending the Initial Email

[Threat actors send an email from the reputable domain](https://www.itnews.com.au/news/salesforce-email-compromised-for-phishing-attacks-598786) to another mailbox under their control. The **first email is harmless or even legitimate** so that no suspicion is raised.

### Re-Broadcasting

Subsequently, the cybercriminal **re-broadcasts the captured email to other recipients**. As the DKIM signature from the reputable domain is preserved, email servers regard the copies as authentic.

## How Can Senders Prevent DKIM Replay Attacks?

Here is what senders can do on their part to safeguard their domain reputation and brand name:

### Oversigning Email Headers

[Oversigning email headers](https://bird.com/blog/dkim-oversigning-to-help-avoid-replay-attacks) is a practice in which an email sender covers the headers **redundantly in the signature** to provide extra coverage and strengthen authenticity. This ensures that nobody can change the Date, Subject, From, To, and CC details of an email.

### Shorter Expiration Times

Using a **shorter expiration time (the x= tag)** reduces the window of opportunity for DKIM replay attacks. _Give your new domains an even shorter expiration than the older ones, as they are more likely to be attacked_.
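To make concrete what a replayed message looks like from the verifier's side, and why the oversigned h= list and the x= expiry described above defeat it, here is an added Python example (not code from the original post). It implements RFC 6376 relaxed header canonicalization and bottom-up header selection, but uses an HMAC with a constructed shared key in place of DKIM's RSA signature and DNS lookup, and the message is a constructed sample.

```python
import hashlib
import hmac
import re

# A shared secret stands in for the RSA key pair real DKIM uses, so the demo
# runs offline (assumption); header selection and x= handling follow RFC 6376.
DEMO_KEY = b"constructed-demo-key"
SIGNED_AT = 1_700_000_000  # fixed "now" so the results are reproducible

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed canonicalization of one header field."""
    value = re.sub(r"\s+", " ", value.replace("\r\n", " ")).strip()
    return f"{name.lower()}:{value}\r\n"

def select_headers(headers, h_list):
    """Pick the instances covered by h=, scanning bottom-up and using each at
    most once (section 5.4.2). A name listed more often than it occurs yields
    an empty field, which is what lets oversigning catch a duplicate added later."""
    remaining = list(headers)  # [(name, value)] in message order, top to bottom
    chosen = []
    for name in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                chosen.append(remaining.pop(i))
                break
        else:
            chosen.append((name, ""))
    return chosen

def header_hash(headers, h_list):
    data = "".join(relaxed_header(n, v) for n, v in select_headers(headers, h_list))
    return hashlib.sha256(data.encode()).digest()

def sign(headers, h_list, now=SIGNED_AT, lifetime=3600):
    """Produce the tags a DKIM-Signature would carry: h=, t=, x= and b=."""
    tags = {"h": h_list, "t": now, "x": now + lifetime}
    tags["b"] = hmac.new(DEMO_KEY, header_hash(headers, h_list), "sha256").hexdigest()
    return tags

def verify(headers, tags, now=SIGNED_AT):
    """Receiver side: reject an expired signature, then recompute the header hash."""
    if now > tags["x"]:
        return "fail: signature expired (x=)"
    expected = hmac.new(DEMO_KEY, header_hash(headers, tags["h"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, tags["b"]):
        return "fail: header hash mismatch"
    return "pass"

# Constructed sample message as first sent from the reputable domain.
ORIGINAL = [
    ("From", "billing@example-bank.test"),
    ("To", "mailbox-under-attacker-control@example.net"),
    ("Subject", "Your statement is ready"),
    ("Date", "Wed, 10 Apr 2024 10:29:27 +0000"),
]

def replayed_copy():
    """The captured message re-broadcast with one extra Subject prepended;
    many clients display the first instance, so the reader sees the new text."""
    return [("Subject", "Action required on your account")] + ORIGINAL

PLAIN = ["from", "to", "subject", "date"]
OVERSIGNED = ["from", "to", "subject", "date", "subject", "date", "to"]

if __name__ == "__main__":
    for label, h in (("plain h=", PLAIN), ("oversigned h=", OVERSIGNED)):
        tags = sign(ORIGINAL, h)
        print(label, "original:", verify(ORIGINAL, tags),
              "| replayed:", verify(replayed_copy(), tags))
    print("two hours later:", verify(ORIGINAL, sign(ORIGINAL, PLAIN), now=SIGNED_AT + 7200))
```

With the plain h= list the replayed copy still passes, because the added Subject is never selected for hashing; with the oversigned list the extra instance is selected and the hash no longer matches, and any copy presented after x= is rejected regardless of content.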

### Timestamps and Nonces

Including [timestamps and nonces](https://fastercapital.com/content/Timestamps--Nonce-as-a-Timestamp-to-Prevent-Replay-Attacks.html) makes it harder for attackers to resend the same email later, as the **values no longer match**.

### Rotating DKIM Keys Periodically

Rotate your [DKIM keys](https://dmarcreport.com/blog/the-role-of-dkim-public-and-private-keys-email-security/) at least twice a year. Rotating them **quarterly is even better** if your organization’s operational structure and resource capacity allow it. _Regular key rotation ensures bad actors don’t get the opportunity to keep using your keys for long if they compromise them_.

You can read more about DKIM key rotation [here](https://dmarcreport.com/blog/dkim-key-rotation-best-practices-for-large-organizations-should-know/).

## How Can Receivers Prevent DKIM Replay Attacks?

The power doesn’t lie only in the hands of domain owners; receivers can also work towards **protecting themselves** from becoming victims of [phishing emails](https://abc7chicago.com/tax-refund-season-scams-phishing-emails/14627799/).

### How Do You Implement Rate Limiting?

Set a limit on the number of emails your mail server will accept from a **specific sender over a given time frame**. _Rate limiting can be implemented based on various criteria, such as the number of emails sent per hour, per day, or per connection_. It aims to ensure that legitimate senders can still deliver their emails efficiently while mitigating the impact of [malicious or abusive activities](https://www.cbc.ca/news/politics/global-affairs-security-breach-1.7099290).

### Educate Email Recipients

Educate recipients to rely on DKIM verification so that the legitimacy of incoming emails **can be checked**.

### Network Security Measures

Enforce [SPF](https://dmarcreport.com/what-is-spf/), DKIM, and DMARC, and establish [content filtering](https://www.techtarget.com/searchsecurity/definition/content-filtering) rules to block emails with specific keywords, file types, or attachments that are potentially malicious and commonly associated with **spam or phishing**.

If you are **seeking a professional** to help you with SPF, DKIM, and [DMARC](https://dmarcreport.com/), look no further and [contact us](https://dmarcreport.com/contact/). We are helpful; trust and try us.


[ Vishal Lamba ](/authors/vishal-lamba/) 

Content Specialist

Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs.

[LinkedIn Profile →](https://www.linkedin.com/in/vishal-lamba/) 

