
DKIM replay attacks weaponize email authentication against users

Email authentication has long been the foundation of secure digital communications. For most users, seeing an email from a trusted domain like Google in their inbox creates an immediate sense of legitimacy. However, a sophisticated attack technique known as DKIM replay is challenging this sense of security by exploiting the very systems designed to protect us.


Understanding DKIM replay attacks

DKIM (DomainKeys Identified Mail) replay attacks are a particularly insidious form of email spoofing in which attackers capture a legitimate email carrying a valid DKIM signature and retransmit it to new recipients. Because the signed headers and body remain unmodified, the DKIM signature stays valid, and the replayed message passes standard email authentication checks.

In a DKIM replay attack, cybercriminals intercept a legitimate, properly signed email and then forward or redistribute it to targeted victims. Because the message retains its original signature and the critical content isn't altered, the email continues to validate properly when it reaches its new, unintended recipients. This technique allows attackers to bypass traditional email security measures and deliver seemingly authentic messages.

This vulnerability stems from a fundamental characteristic of DKIM as described in a paper by IBM Research, the original architects of the protocol: "DKIM defines a mechanism for using digital signatures on email at the domain level, allowing the receiving domain to confirm that mail came from the domain it claims to." While this verification is valuable, DKIM was deliberately designed to authenticate the content and claimed origin of a message, not to prevent legitimate forwarding or redistribution of that message. As the authors explain, the protocol must remain "flexible enough to accommodate legitimate uses of spoofing, such as by mailing lists."

What makes these attacks dangerous is their ability to bypass the security measures designed to prevent email spoofing. When a properly executed DKIM replay attack lands in a user's inbox, it appears completely legitimate: it shows the correct sender domain, passes all authentication checks, and contains no obvious signs of manipulation.


The Google OAuth exploit case study

A recent sophisticated phishing campaign targeting Google users demonstrates how dangerous these attacks can be. Security researcher Nick Johnson documented his experience after receiving what appeared to be an official legal notice from Google:

"This is a valid, signed email - it really was sent from no-reply@google.com," Johnson noted. "It passes the DKIM signature check, and Gmail displays it without any warnings - it even puts it in the same conversation as other, legitimate security alerts."

The attack email claimed that a subpoena had been issued by law enforcement requesting access to the contents of the recipient's Google Account. The message appeared to come from a legitimate Google no-reply address and contained no typical phishing red flags like typos or suspicious formatting.

What made this attack effective was its exploitation of multiple Google systems:

  • Creating a deceptive OAuth app: The attackers registered a Google account and created an OAuth application with a name containing the entire phishing message.
  • Generating a legitimate notification: When they granted their OAuth app access to their own Google account, Google automatically sent a security alert email, properly signed with Google's DKIM key.
  • Forwarding to victims: The attackers then forwarded this legitimate Google-generated email to their targets. Because DKIM only verifies the message content and headers (not the envelope), the forwarded message passed all authentication checks.
  • Hosting credential harvesting on Google Sites: The phishing links in the email directed users to sites.google.com, where attackers created convincing replicas of Google support pages and login screens.

This attack was effective because it leveraged Google's own infrastructure at multiple points, from the initial email notification to the credential harvesting pages hosted on Google Sites.

Technical mechanics of the attack

Security researchers conducted a thorough investigation of the attack and successfully reproduced it. Their technical breakdown reveals the sophisticated infrastructure used:

  • Initial setup: The attackers registered domains through a popular domain registrar (with names designed to look like Google infrastructure) and set up email forwarding services.
  • Google account creation: They registered a Google Workspace account (free trial) and verified the domain via DNS TXT records.
  • OAuth app creation: Next, they created a Google OAuth app and granted access to that account. They included their entire phishing message in the "App Name" field.
  • Notification generation: Google automatically sent a security alert about the OAuth access to the email address associated with the account.
  • Message forwarding: Using email forwarding services, they set up rules that would deliver the message to victims while appearing to come from no-reply@google.com.

The message traveled through multiple systems before reaching the victims:

  • An Outlook account (in some variants)
  • A custom SMTP relay service
  • Email forwarding infrastructure

Despite this complex route, the email arrived with all security checks passing:

  • SPF=pass (via forwarder)
  • DKIM=pass (from Google)
  • DMARC=pass (based on aligned DKIM)


Why traditional security measures fail

Standard email security protocols like SPF, DKIM, and DMARC are designed to prevent email spoofing, yet DKIM replay attacks can circumvent these protections.

SPF (Sender Policy Framework) validation breaks down with forwarded emails because the sending IP address changes during forwarding. However, DMARC can still pass if there's a valid DKIM signature aligned with the sender domain, which is exactly what happens in these attacks. The original Google-generated email has a valid DKIM signature that remains intact through the forwarding process.

DKIM was designed to verify that the content of an email hasn't been modified in transit and that it originated from the domain it claims to be from. However, it wasn't designed to prevent legitimate emails from being captured and repurposed in this way.
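To make the forwarding chain and the aligned-DKIM DMARC outcome concrete, here is an added Python example (not code from this article, from Google, or from any mail provider) that parses a DKIM-Signature tag list and flags the receiver-side signals a mail filter can use to spot a replayed message, alongside the relaxed DMARC evaluation described above. The message, domains, selector, timestamps and hash/signature tag values are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample: a provider-signed alert whose signed To: is the account
# owner, later delivered to a different envelope recipient. The bh= and b=
# tags are placeholders, not real cryptographic values.
SAMPLE = """\
From: Alerts <no-reply@example.com>
To: account-owner@example.net
Subject: Security alert
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed;
 h=from:to:subject; t=1700000000; bh=PLACEHOLDERBODYHASH=;
 b=PLACEHOLDERSIGNATURE=

Body text
"""

def parse_dkim_tags(header: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags

def replay_indicators(raw: str, envelope_rcpt: str, now: int) -> list:
    """Hints that a cryptographically valid signature may have been replayed."""
    msg = message_from_string(raw)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    signed = tags.get("h", "").lower().split(":")
    match = re.search(r"[\w.+-]+@[\w.-]+", msg["To"] or "")
    to_addr = match.group(0).lower() if match else ""
    hints = []
    # DKIM signs the To: header, not the SMTP RCPT TO; a mismatch is the
    # classic replay fingerprint (signed for one mailbox, delivered to another).
    if "to" in signed and to_addr != envelope_rcpt.lower():
        hints.append("signed To: differs from envelope recipient")
    if "x" not in tags:
        hints.append("no x= expiration; signature never ages out")
    if "l" in tags:
        hints.append("l= body length limit allows appended content")
    if now - int(tags.get("t", now)) > 24 * 3600:
        hints.append("signature older than 24h")
    return hints

def dmarc_result(spf_pass, spf_domain, dkim_pass, dkim_domain, from_domain):
    """Relaxed DMARC: pass if SPF or DKIM passes AND its domain aligns with From:.
    endswith() stands in for organizational-domain matching (simplification)."""
    spf_ok = spf_pass and spf_domain.endswith(from_domain)
    dkim_ok = dkim_pass and dkim_domain.endswith(from_domain)
    return "pass" if spf_ok or dkim_ok else "fail"
```

Fed the article's scenario (SPF fails at the forwarder, DKIM passes from the signing domain), dmarc_result returns "pass", while replay_indicators surfaces the To:/envelope mismatch that authentication alone never reports.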

When these attacks are executed properly, they create a perfect storm for deception:

  • They appear to come from legitimate, trusted domains
  • They pass all standard authentication checks
  • They contain no obvious spelling or grammatical errors
  • They match the branding and tone of legitimate communications

Even security-conscious individuals can be deceived by such sophisticated techniques, especially when the attackers create a sense of urgency around legal matters or account security.

The paper from IBM Research also acknowledges that DKIM is not a complete solution by itself: "As with any message authentication system, it is not a 'magic bullet' to solve spam and phishing, but provides useful information about the origin of messages to form a basis for the application of whitelists, reputation, and accreditation of senders' email addresses."


The psychology behind these attacks

DKIM replay attacks don't just exploit technical vulnerabilities; they're designed to exploit human psychology as well. The Google subpoena example demonstrates several psychological tactics that researchers Wang and Lutchkus have identified in their study titled 'Psychological Tactics of Phishing Emails'.

  • Authority exploitation: By impersonating Google and referencing law enforcement, the attackers leverage recognized authorities to increase compliance. Wang and Lutchkus note that "people tend to comply with orders from someone believed to be an authority figure" and "attackers use symbols or logos to make them look like they are coming from an authentic source."
  • Fear and urgency: The mention of a legal subpoena creates immediate anxiety and a sense that prompt action is required. According to the study above, "attackers use a time pressure or scarcity tactic to influence the decision making of a target," and "targets may make harmful mistakes because of the pressure or urgent feeling."
  • Familiarity and trust: By using Google's actual email infrastructure and branding, the attackers leverage the existing trust relationship between users and Google. According to the principles of influence identified by the researchers, people "most prefer to say yes to the requests of someone we know and like" – a principle that attackers exploit by imitating trusted sources.
  • Cognitive overload: The complex legal language and high-stakes situation make it difficult for recipients to think critically about the message. This aligns with the study's findings that "messages appeal to specific psychological vulnerabilities, the most successful linking message with human factors."

These psychological factors combine with the technical sophistication to create an extremely effective attack vector that can deceive even technically knowledgeable users. The paper goes on to note, "tactics using psychological manipulation are the most dangerous because they cannot be prevented by technology."


FAQs

What is email authentication?

Email authentication refers to technical standards (SPF, DKIM, and DMARC) that verify an email's legitimate source. These protocols help mail servers confirm that messages actually come from the domains they claim to be from, rather than being forged by attackers. When properly implemented, these systems allow receiving servers to detect and filter spoofed messages that might contain phishing attempts or malware.


What is email spoofing?

Email spoofing is the forgery of an email sender's address to make a message appear to come from someone other than the actual source. Attackers exploit this technique to impersonate trusted entities like banks, executives, or government agencies.


What are digital signatures?

Digital signatures are cryptographic techniques that authenticate the sender and verify message integrity. Using public-key cryptography, the sender creates a unique signature with their private key that recipients can verify with the corresponding public key. In email security, DKIM uses digital signatures to confirm that messages haven't been altered in transit and truly originate from the claimed domain.


What is an OAuth application?

An OAuth application is software registered with a service provider (like Google or Microsoft) that can request permission to access user data or perform actions on a user's behalf. Instead of sharing passwords, OAuth uses a secure authorization process where users approve specific access levels.
