DKIM is a crucial aspect of email authentication that utilizes cryptography in the form of digital signatures to sign messages that are sent from a domain. This in turn ensures that emails originating from an authorized source don’t get altered before reaching their intended recipient, thereby mitigating impersonation threats.
In a DKIM replay attack, an attacker intercepts a legitimate DKIM-signed email message and then resends it to the intended recipient or a different target multiple times without making any changes to the message content or signature. The goal of this attack is to take advantage of the trust established by the DKIM signature to make the recipient believe that they are receiving multiple copies of the same legitimate message.
What is a DKIM Replay Attack?
A DKIM replay attack is a cyberattack where a threat actor intercepts an email that was signed and trusted using DKIM and then resends or “replays” that same email to trick the recipient into thinking it’s a new, trustworthy message, even though it might be altered or harmful.
Before breaking down the anatomy of a DKIM replay attack and discussing mitigation strategies, let’s discuss how DKIM works:
How does DKIM authenticate emails?
DKIM (DomainKeys Identified Mail) is an email authentication method that helps verify the authenticity of email messages and detect email spoofing and phishing attempts. DKIM adds a digital signature to the email message at the sending server, and this signature can be verified by the recipient’s email server to ensure the message hasn’t been tampered with during transit.
DKIM operates by leveraging the following processes:
1. Message Signing: When an email is sent from a domain that uses DKIM, the sending mail server generates a unique cryptographic signature for the message. This signature is based on the email’s content (header and body) and some specific header fields, such as the “From” address and the “Date” field. The signing process typically involves using a private key.
2. Public Key Publication: The sending domain publishes a public DKIM key in its DNS (Domain Name System) records. This public key is used by the recipient’s email server to verify the signature.
3. Message Transmission: The email message, now containing the DKIM signature, is transmitted over the Internet to the recipient’s email server.
4. Verification: When the recipient’s email server receives the email, it retrieves the DKIM signature from the email’s headers and looks up the sender’s public DKIM key in the DNS records of the sender’s domain.
If the signature matches the content of the email, the recipient can be reasonably certain that the email has not been tampered with during transit, and that it genuinely came from the claimed sender’s domain.
5. Pass or Fail: Based on the outcome of the verification process, the recipient’s server can mark the email as DKIM-verified or DKIM-failed.
DKIM helps prevent various email-based attacks, such as phishing and spoofing, by providing a mechanism to verify the authenticity of the sender’s domain.
How do DKIM Replay Attacks Work?
In a DKIM replay attack, malicious individuals can use the leniency of DKIM signatures to deceive email recipients and potentially spread harmful content or scams.
Let’s break down how a DKIM replay attack works, step by step:
DKIM Signature Flexibility
DKIM allows the signature domain (the domain that signs the email) to be different from the domain mentioned in the “From” header of the email. This means that even though an email claims to be from a particular domain in the “From” header, the DKIM signature can be associated with a different domain.
When an email recipient’s server receives an email with a DKIM signature, it checks the signature to ensure that the email hasn’t been altered since it was signed by the domain’s mail servers. If the DKIM signature is valid, it confirms that the email went through the signing domain’s mail servers and hasn’t been tampered with during transit.
Exploiting Highly Reputed Domains
Now, here’s where the attack comes into play. If an attacker manages to take over or hack into a mailbox, or create a mailbox with a domain that is highly reputed (meaning it’s a trusted source in the eyes of email servers), they leverage the domain’s reputation to their advantage.
Sending the Initial Email
The attacker sends a single email from their high-reputation domain to another mailbox they control. This initial email could be harmless or even legitimate to avoid suspicion.
Now, the attacker can use the recorded email to re-broadcast the same message to a different set of recipients, often those who were not originally intended by the legitimate sender. Since the email has its DKIM signature intact from the high-reputation domain, email servers are more likely to trust it, thinking it’s a legitimate message – thereby bypassing authentication filters.
Steps to Prevent DKIM Replay Attacks
DKIM replay attack prevention strategies for email senders:
1. Oversigning Headers
To ensure that key headers like Date, Subject, From, To, and CC cannot be added or modified after signing, consider over-signing them. This safeguard prevents malicious actors from tampering with these critical message components.
2. Setting Short Expiration Times (x=)
Implement as brief an expiration time (x=) as practically possible. This reduces the window of opportunity for replay attacks. Newly created domains must have an even shorter expiration time than older ones as they are more vulnerable to attacks.
3. Employing Timestamps (t=) and Nonces
To further prevent replay attacks, include timestamps and nonces (random numbers) in the email headers or body. This makes it difficult for attackers to resend the same email at a later time because the values would have changed.
4. Rotating DKIM keys Periodically
Rotate DKIM keys regularly and update your DNS records accordingly. This minimizes the exposure of long-lived keys that could be compromised and used in replay attacks.
DKIM replay attack prevention strategies for email receivers:
1. Implementing Rate Limiting
Receivers may implement rate limiting on incoming email messages to prevent attackers from flooding your system with replayed emails. To do so you can set limits on the number of emails accepted from a specific sender within a given timeframe.
2. Educate Email Recipients
Educate your email recipients about the importance of DKIM and encourage them to verify DKIM signatures on incoming emails. This can help reduce the impact of any potential replay attacks on your recipients.
3. Network Security Measures
Implement network security measures to detect and block traffic from known malicious IP addresses and sources that might be involved in replay attacks.
How PowerDMARC helps mitigate DKIM replay attacks
To make DKIM key management easy and effortless for domain owners, we have introduced our comprehensive hosted DKIM solution. We help you monitor your email flows and DKIM signing practices so that you can quickly detect discrepancies, while always staying one step ahead of attackers.
Record optimization on our dashboard is automatic without the need to access your DNS several times for manual updates. Switch to automation with PowerDMARC by making changes to your signatures, handling multiple selectors, and rotating your DKIM keys without the hassle of manual toil. Sign up today to take a free trial!