Bypassing DKIM: Understanding replay attacks and how to mitigate them
Quick Answer
A DKIM replay attack reuses a valid, originally signed message to reach new recipients, or to carry new content in parts the signature does not cover, without breaking the signature. The attacker captures or generates a legitimate DKIM-signed message from a high-reputation domain, then re-broadcasts the same message to thousands of recipients. Because the DKIM signature remains valid, receiving servers accept the message. Gmail in particular weights domain reputation heavily, which makes replayed messages from trusted domains hard to filter. The defenses split between sender and receiver. Senders should over-sign critical headers (Date, Subject, From, To, CC) so they cannot be modified, set short expiration times via the x= tag to bound the replay window, include timestamps and nonces so re-sending later breaks verification, and rotate DKIM keys regularly to limit any single key's exposure. Receivers should rate-limit incoming mail per sending domain and block traffic from IPs already associated with known abuse. None of these alone closes the gap; together they shrink the attack window enough that replay is no longer cheap.
Threat actors always try to stay ahead of the curve and find ways to bypass security protocols. DKIM replay attacks are one such technique. In a DKIM replay attack, a cybercriminal resends a DKIM-signed message to many recipients without the emails getting flagged. They generally target highly reputed domains in order to obtain legitimate message signatures. Gmail recipients, in particular, are more likely to receive replayed emails because Gmail weights domain reputation heavily.
This blog explores how DKIM replay attacks are attempted and how you can mitigate them.
What is a DKIM replay attack?
In a DKIM replay cyberattack, a malicious actor intercepts a legitimate email that was originally signed and sealed using DKIM. Then, they resend or ‘replay’ the same email, with any alterations confined to parts the signature does not cover, so the message still passes DKIM checks and recipients are tricked into believing it is safe.
When the recipient’s mail server receives such an email, it finds no discrepancies, because the original DKIM signature is unchanged and still valid. That is exactly how many malicious emails end up in inboxes. Adversaries also exploit intercepted keys, which let them add a new header or tweak subject lines as they see fit; such keys are usually obtained through man-in-the-middle attack techniques.
How does a DKIM replay attack work?
A DKIM replay attack is a four-step process.
DKIM signature flexibility
DKIM verification does not require the signing domain (the d= tag) to match the domain in the ‘From’ header. A signature from one domain therefore still verifies on a message whose From header shows a different domain, which lets threat actors send from other domains without getting flagged.
DKIM verification
When mail servers receive a message, they check the DKIM signature to verify that the signed content was not altered in transit. If the signature verifies, the message passes the check.
Targeting domains with a high reputation
Cybercriminals gain access to a reputable domain and then carry out the attack by replaying captured emails hundreds or thousands of times. They may also set up a new domain for the purpose.
Sending the first email
After gaining access to or establishing a reputable domain, the adversary sends emails from the compromised domain to another mailbox they control. The initial email is typically legitimate and harmless, ensuring it does not arouse any suspicion.
Rebroadcasting
Lastly, attackers take the captured email and re-broadcast the same message to many different recipients. Because the email still carries a valid DKIM signature, receiving mail servers place it in the inbox.
Preventing DKIM replay attacks
Here’s what email senders can do to prevent DKIM replay attacks:
- Over-sign headers so that Date, Subject, From, To, and CC can’t be modified.
- Set short expiration times (x=) to reduce the window of opportunity for replay attacks.
- Include timestamps and nonces (random values) in the signed content so that a message resent later no longer matches and fails verification.
- Rotate your DKIM keys regularly so that cyber actors can’t exploit them for too long, even if they are compromised.
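The following is an added example, not code from the original post or from DuoCircle: it audits a DKIM-Signature header for the properties discussed above (signing domain aligned with the From domain, critical headers over-signed, an x= expiration present and short). The sample signatures, the `MAX_WINDOW` threshold and the placeholder hash/signature values are constructed for the example.

```python
import re

CRITICAL = ("from", "to", "cc", "subject", "date")   # headers the post says to over-sign
MAX_WINDOW = 7 * 86400   # assumed ceiling on x= minus t=, in seconds (not from the post)

def parse_tags(sig: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def audit(sig: str, from_domain: str, now: int) -> list:
    """Return findings that make replay cheap; an empty list means the signature is hardened."""
    t, findings = parse_tags(sig), []
    d, frm = t.get("d", "").lower(), from_domain.lower()
    if not d or (d != frm and not frm.endswith("." + d)):   # DMARC-style relaxed alignment
        findings.append(f"signing domain {d!r} does not align with From domain {frm!r}")
    signed = [h.lower() for h in t.get("h", "").split(":") if h]
    for hdr in CRITICAL:
        n = signed.count(hdr)
        if n == 0:
            findings.append(f"{hdr} not signed; it can be added or changed on replay")
        elif n == 1:   # over-signing lists the header once more than it occurs
            findings.append(f"{hdr} signed once; a second {hdr} header could be added on replay")
    if "x" not in t:
        findings.append("no x= expiration; a captured message replays indefinitely")
    elif int(t["x"]) < now:
        findings.append("signature expired")
    elif "t" in t and int(t["x"]) - int(t["t"]) > MAX_WINDOW:
        findings.append(f"replay window is {(int(t['x']) - int(t['t'])) // 86400} days")
    return findings

# Constructed sample signatures (hash and signature values are placeholders).
WEAK = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=sel1; "
        "h=from:to:subject:date; bh=BODYHASH; b=SIGNATURE")
STRONG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel2; t=1700000000; "
          "x=1700086400; h=from:from:to:to:cc:cc:subject:subject:date:date; bh=BODYHASH; b=SIGNATURE")

if __name__ == "__main__":
    for name, sig in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit(sig, "example.org", 1700001000) or ["no findings"])
```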
Here’s what recipients can do to prevent being victims of DKIM replay attacks:
- Implement a rate limit on incoming emails so that attackers don’t overload your mailboxes.
- Practice network security measures to detect and block traffic from IP addresses and sources involved in malicious activities.
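An added example of the receiver-side rate limit, not from the original post: it runs over a constructed delivery log and, going one step beyond a plain per-domain count, also flags the replay fingerprint itself, the same DKIM signature value (b=) fanning out to several distinct recipients. The log format, window and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed rate-limit window per signing domain
PER_DOMAIN_LIMIT = 5             # assumed ceiling on messages per domain inside WINDOW
SAME_SIG_LIMIT = 3               # one b= value reaching this many recipients is a replay signal

# Constructed delivery log: "<UTC time> d=<signing domain> b=<signature prefix> rcpt=<recipient>"
LOG = """\
2024-05-01T10:00:01Z d=example.org b=Qm9keU rcpt=a@corp.test
2024-05-01T10:00:05Z d=example.org b=Qm9keU rcpt=b@corp.test
2024-05-01T10:00:09Z d=example.org b=Qm9keU rcpt=c@corp.test
2024-05-01T10:00:12Z d=example.org b=Qm9keU rcpt=d@corp.test
2024-05-01T10:00:15Z d=example.org b=Qm9keU rcpt=e@corp.test
2024-05-01T10:00:18Z d=example.org b=Qm9keU rcpt=f@corp.test
2024-05-01T10:03:00Z d=partner.example b=Zz12ab rcpt=a@corp.test
2024-05-01T10:40:00Z d=partner.example b=Yy34cd rcpt=b@corp.test
"""

def parse(line: str):
    ts, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), f["d"], f["b"], f["rcpt"]

def detect(log: str) -> list:
    """Return alerts: per-domain volume over WINDOW, and one signature fanned out to many recipients."""
    alerts = []
    recent = defaultdict(list)   # domain -> timestamps inside the sliding window
    fanout = defaultdict(set)    # (domain, b=) -> distinct recipients seen
    for ts, d, b, rcpt in sorted(parse(l) for l in log.splitlines() if l.strip()):
        q = recent[d]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.pop(0)
        if len(q) == PER_DOMAIN_LIMIT + 1:   # fire once when the ceiling is crossed
            alerts.append(f"{d}: {len(q)} messages within {WINDOW}; throttle this domain")
        fanout[(d, b)].add(rcpt)
        if len(fanout[(d, b)]) == SAME_SIG_LIMIT:
            alerts.append(f"{d}: signature {b} replayed to {SAME_SIG_LIMIT} recipients")
    return alerts

if __name__ == "__main__":
    for a in detect(LOG):
        print(a)
```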
Managing email authentication protocols requires constant effort. You must evaluate the insights offered by DMARC aggregate and forensic reports, which tell you whether your SPF, DKIM, and DMARC records need adjusting. This isn’t as easy as it sounds and demands technical expertise. So, if you would rather hand your email authentication worries to someone else, contact DuoCircle. We take care of everything, from implementation to evaluation to adjustments.
General Manager
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.