What are the symptoms of a DKIM replay attack and how can a compromised account be identified?

Summary

DKIM replay attacks are characterized by sudden spikes in email volume (especially from unfamiliar IPs), increased DMARC failure reports, rising bounce rates, and potentially resending legitimate emails with malicious content. Detection is difficult as valid signatures are replayed. Check Google Postmaster Tools for 5-10x normal volume increases. Compromised accounts exhibit unusual sending patterns, unauthorized login locations, password changes, new forwarding rules (particularly external), and changes to account settings. Audit logs should be monitored. Mitigation involves implementing MFA, auditing account activity, using short signature validity, monitoring failed SPF checks, employing geo-filtering, and regularly auditing DKIM records.

Key findings

  • Volume Spike & DMARC Failures: A sudden, significant increase in email volume, especially from unfamiliar IPs, coupled with rising DMARC failure reports, suggests a DKIM replay attack.
  • Compromised Account Red Flags: Unusual login locations, unauthorized password changes, new forwarding rules (especially to external addresses), and changes in account settings are key indicators of a compromised account.
  • DKIM Replay Complexity: DKIM replay attacks are difficult to detect because they utilize valid DKIM signatures, necessitating vigilance regarding sending patterns and authentication results.
  • Bounce Rate Surge: A sudden increase in bounce rates, particularly hard bounces, can indicate that a domain is being used for spam via a DKIM replay attack.
  • Failed SPF Checks: An increase in failed SPF checks, combined with DKIM failures from the same sending IP, may indicate an attack.
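The SPF-failure and volume-spike indicators above can be checked against DMARC aggregate reports. The following is an added example, not code from the page or any vendor it cites: it parses a constructed RFC 7489-style aggregate report, sums volume per source IP, and flags IPs that are not in your known-sender list, fail SPF, and carry a large share of the reported volume. The known-sender set and the 10% share threshold are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate report (RFC 7489 feedback XML), trimmed to the
# fields this check uses. IPs and counts are made up for the example.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example.net</org_name></report_metadata>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>950</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.4</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Assumption: IPs your own infrastructure is expected to send from (for instance
# the hosts listed in your SPF record). Anything else is "unfamiliar".
KNOWN_SENDERS = {"192.0.2.10"}


def summarize(report_xml):
    """Return {ip: {"count": n, "dkim": set(...), "spf": set(...)}} over all records."""
    totals = defaultdict(lambda: {"count": 0, "dkim": set(), "spf": set()})
    root = ET.fromstring(report_xml)
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        pe = row.find("policy_evaluated")
        totals[ip]["count"] += int(row.findtext("count", "0"))
        totals[ip]["dkim"].add(pe.findtext("dkim"))
        totals[ip]["spf"].add(pe.findtext("spf"))
    return totals


def replay_suspects(report_xml, known=KNOWN_SENDERS, min_share=0.10):
    """Unfamiliar IPs that fail SPF and carry >= min_share of the report's volume.
    The DKIM results seen from that IP are returned alongside so the analyst can
    tell a replay of validly signed mail (dkim=pass) from plain spoofing."""
    totals = summarize(report_xml)
    grand = sum(v["count"] for v in totals.values()) or 1
    suspects = []
    for ip, v in totals.items():
        if ip in known or "fail" not in v["spf"]:
            continue
        share = v["count"] / grand
        if share >= min_share:
            suspects.append((ip, v["count"], round(share, 2), tuple(sorted(v["dkim"]))))
    return sorted(suspects, key=lambda s: -s[1])
```

Legitimate forwarders also produce dkim=pass with spf=fail, so add their IPs to the known set before treating a hit as a replay.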

Key considerations

  • Continuous Monitoring: Constantly monitor email volume, DMARC reports, bounce rates, login activity, and audit logs for unusual patterns and anomalies.
  • Robust Security Measures: Implement multi-factor authentication (MFA), enforce strong password policies, regularly audit account activity, and consider geo-filtering to restrict access from suspicious regions.
  • Proactive DKIM Management: Regularly audit DKIM records, use short signature validity, and ensure proper DKIM configuration to minimize the window of opportunity for replay attacks.
  • Account Setting Scrutiny: Pay close attention to changes in account settings, such as forwarding rules, recovery email addresses, and contact lists, as they can indicate malicious activity.
  • Postmaster Tools Utilization: Use tools like Google Postmaster Tools to identify large volume issues.

What email marketers say
8 Marketer opinions

DKIM replay attacks exhibit symptoms such as a sudden spike in email volume (especially from unfamiliar IPs), increased DMARC failure reports, and a rise in bounce rates. Monitoring email volume, DMARC reports, and bounce rates is crucial. Compromised accounts can be identified through unusual login locations, multiple failed login attempts, password changes the user didn't initiate, unauthorized access to connected apps, and new/changed forwarding rules (especially to external addresses). Implementing MFA, auditing account activity, and geo-filtering are recommended to mitigate risks.

Key opinions

  • DKIM Replay Symptoms: Sudden spike in email volume from unfamiliar IPs, increased DMARC failure reports, and rising bounce rates often indicate a DKIM replay attack.
  • Compromised Account Signs: Unusual login locations, multiple failed login attempts, unauthorized password changes, and new forwarding rules (particularly to external domains) are key signs of a compromised account.
  • SPF/DKIM Failure Increase: Increased SPF check failures, along with DKIM failures from the same sending IP, can signify a DKIM replay attack as attackers use unauthorized servers.
  • Malicious Content Injection: DKIM replay attacks can involve resending legitimate emails with malicious content added, leading to reputational damage.

Key considerations

  • Monitoring: Continuously monitor email volume, DMARC reports, bounce rates, and login activity to detect anomalies.
  • Account Security: Implement multi-factor authentication (MFA), regularly audit account activity, and consider geo-filtering to restrict access from certain regions.
  • DKIM Record Audits: Regularly audit DKIM records to ensure they are up-to-date and properly configured.
  • Forwarding Rules: Pay close attention to new or changed forwarding rules, especially those forwarding to external addresses, as they can indicate compromised accounts.
Marketer view

Email marketer from Reddit shares that an indicator of DKIM Replay Attacks is typically an increase in failed SPF checks in combination with DKIM failures from the same sending IP. This is due to the attacker replaying the message from a server they control which is not authorized to send on your behalf.

October 2023 - Reddit
Marketer view

Email marketer from Email Marketing Forum explains that a sudden spike in bounce rates, especially hard bounces, can indicate that your domain is being used to send spam via a DKIM replay attack. Monitor bounce rates alongside DMARC reports.

September 2022 - Email Marketing Forum
Marketer view

Email marketer from Reddit mentions to look for new or changed forwarding rules, especially those forwarding to external addresses, as this is a common sign of a compromised account being used for spam or phishing.

December 2021 - Reddit
Marketer view

Email marketer from Digital Ocean notes that DKIM replay attacks often involve the attacker resending legitimate emails from your domain, but with malicious content added. This can lead to reputational damage and blacklisting. Regularly audit your DKIM records.

March 2024 - Digital Ocean
Marketer view

Email marketer from Word to the Wise shares that DKIM replay attacks often show a sudden spike in email volume, especially from unfamiliar IPs. DMARC failure reports will also increase, indicating authentication issues. He recommends monitoring email volume and DMARC reports closely.

June 2023 - Word to the Wise
Marketer view

Email marketer from Mailhardener explains that a compromised account might exhibit signs like password changes the user didn't initiate, unusual login locations, and unauthorized access to connected apps. They advise setting up multi-factor authentication (MFA) and regularly auditing account activity.

July 2023 - Mailhardener
Marketer view

Email marketer from SparkPost notes that detecting compromised accounts involves monitoring login activity for unusual patterns. This includes logins from unfamiliar locations, multiple failed login attempts, and changes to profile information or password. Implement alerting systems to notify users of suspicious activity.

September 2024 - SparkPost
Marketer view

Email marketer from Reddit suggests monitoring login locations for unusual activity such as logins from countries where the user has never been, as this can indicate a compromised account. Implement geo-filtering to restrict access from certain regions.

January 2025 - Reddit

What the experts say
4 Expert opinions

DKIM replay attacks are difficult to detect as attackers reuse valid signatures. Symptoms to watch for include a huge (5-10x normal) increase in email volume visible in Google Postmaster Tools. Double-signing customer mail might be a factor when investigating DMARC report increases. Consider the possibility of compromised accounts as a cause and pay attention to changes in sending patterns, such as unusual recipients.

Key opinions

  • Volume Spike: A significant increase (5-10x) in email volume within Google Postmaster Tools is indicative of a DKIM replay attack.
  • Double Signing: Double signing practices might contribute to DMARC reporting issues and should be investigated when troubleshooting.
  • Compromised Accounts: Compromised accounts should always be considered as a potential cause of unusual sending activity.
  • Difficult Detection: DKIM replay attacks can be challenging to identify due to the reuse of valid signatures.
  • Change in Patterns: A change in sending patterns, such as a sudden increase in email volume or emails being sent to recipients who don't normally receive email from you, warrants investigation.

Key considerations

  • Google Postmaster Tools: Utilize Google Postmaster Tools to monitor email volume for abnormal spikes.
  • Account Security: Implement security measures to prevent and detect compromised accounts.
  • Sending Pattern Analysis: Regularly analyze sending patterns to identify any deviations from normal activity.
  • Double Signing Impact: Evaluate the impact of double signing practices on DMARC compliance.
Expert view

Expert from Email Geeks explains that the described situation doesn't sound like a DKIM replay attack. Typically, a DKIM replay attack would show a huge increase in volume for that DKIM domain in Google Postmaster Tools, like 5 or even 10x normal.

August 2023 - Email Geeks
Expert view

Expert from Email Geeks asks if the customer's mail that is seeing an increase in DMARC reports is being double signed.

April 2023 - Email Geeks
Expert view

Expert from Word to the Wise explains that DKIM replay attacks are difficult to detect because the attacker replays a validly signed email. They suggest paying attention to changes in sending patterns, such as a sudden increase in email volume or emails being sent to recipients who don't normally receive emails from you.

April 2021 - Word to the Wise
Expert view

Expert from Email Geeks suggests the possibility that the client's account was compromised.

July 2022 - Email Geeks

What the documentation says
3 Technical articles

Compromised accounts exhibit unusual email sending patterns (large volumes, unfamiliar recipients) and altered settings (forwarding rules, recovery emails). Audit logs should be monitored for suspicious activity like password changes or sign-in locations. The DKIM standard (RFC 6376) acknowledges replay attacks as a risk and suggests countermeasures like short signature validity and time stamping to mitigate potential harm.

Key findings

  • Unusual Email Patterns: Sending large volumes of emails or contacting unfamiliar recipients suggests suspicious account activity.
  • Setting Alterations: Changes to forwarding rules, recovery email addresses, and passwords are red flags indicating potential account compromise.
  • Audit Log Importance: Regularly checking audit logs reveals suspicious activity such as unusual sign-in locations and file access.
  • DKIM Replay Risk: The DKIM standard (RFC 6376) recognizes the possibility of replay attacks and suggests mitigation techniques.
  • Signature Validity: Employing short signature validity and time stamping can help minimize the impact of DKIM replay attacks.

Key considerations

  • Account Monitoring: Implement systems to detect and alert on unusual email sending behavior.
  • Log Analysis: Establish a process for regularly reviewing and analyzing audit logs for suspicious activity.
  • DKIM Configuration: Configure DKIM with short signature validity and time stamping to reduce the window of opportunity for replay attacks.
  • RFC Compliance: Implement DKIM with consideration for the RFC 6376 recommendations regarding replay attack mitigation.
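RFC 6376 expresses signature validity through the `t=` (timestamp) and `x=` (expiration) tags of the DKIM-Signature header, both in seconds since the epoch. The following is an added example, not code from the page or from the RFC: it parses a constructed DKIM-Signature header, applies the expiration check a verifier performs, and shows what a signer sets to keep the replay window short. The `max_validity` policy and the placeholder `bh=`/`b=` values are assumptions; no signature verification is done here.

```python
import time

# Constructed DKIM-Signature value; bh= and b= are placeholders, not real
# signature material. Tag names follow RFC 6376 section 3.5.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed; "
    "h=from:to:subject:date; t=1700000000; x=1700086400; "
    "bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE="
)


def parse_tags(header):
    """Split a tag=value list into a dict (first '=' separates, so base64 padding survives)."""
    tags = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = value.replace("\r\n", "").replace(" ", "")
    return tags


def check_expiry(header, now, max_validity=86400):
    """Verifier-side check. Returns (status, reason). max_validity is an assumed
    local policy: windows longer than it are flagged because a long window is
    exactly what a replay of a validly signed message relies on."""
    tags = parse_tags(header)
    if "x" not in tags:
        return ("warn", "no x= tag: signature never expires and can be replayed indefinitely")
    x = int(tags["x"])
    t = int(tags["t"]) if "t" in tags else None
    if t is not None and x <= t:  # RFC 6376: x= must be greater than t= when both are present
        return ("fail", "x= is not greater than t=")
    if now >= x:
        return ("fail", "signature expired")
    if t is not None and x - t > max_validity:
        return ("warn", f"validity window {x - t}s exceeds policy of {max_validity}s")
    return ("pass", f"valid for {x - now}s more")


def sign_tags_for_window(validity_seconds, now=None):
    """Signer side: the t=/x= pair that limits how long a signature stays usable."""
    now = int(time.time()) if now is None else int(now)
    return {"t": str(now), "x": str(now + validity_seconds)}
```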
Technical article

Documentation from RFC Editor (RFC 6376) explains that although the standard does not directly prevent replay attacks, it highlights the need for implementations to consider the possibility of replay and to implement appropriate countermeasures to mitigate risks where necessary. This can be achieved through short signature validity and time stamping.

November 2021 - RFC Editor
Technical article

Documentation from Microsoft recommends checking audit logs for unusual activity such as password changes, email forwarding rules being added, or unusual sign-in locations. Also, look for unusual email sending patterns or file access activity.

December 2023 - Microsoft
Technical article

Documentation from Google Workspace Admin Help explains that suspicious activity in a user account can include unusual email sending patterns, such as sending a large number of emails or sending emails to recipients the user doesn't normally contact. Also look for changes to account settings, like forwarding rules or recovery email addresses.

December 2023 - Google Workspace Admin Help