Apr 9, 2022

DKIM Oversigning to Help Avoid Replay Attacks

DKIM Oversigning to Help Avoid Replay Attacks

DKIM Oversigning to Help Avoid Replay Attacks

SparkPost Cloud now performs DKIM Oversigning by default to eliminate an attack vector for the billion+ emails our platform enables each day. 

DKIM (DomainKeys Identified Mail) is a common email authentication method designed to reduce the opportunities for phishing attacks and email spam. Combined with other common authentication mechanisms, the chances that your sending domains are compromised to perform attacks successfully is greatly reduced. However, increasing awareness around a potential attack vector has caused sending providers to revisit how this functionality is implemented and look for ways to reinforce it. 

A DKIM signature is what helps mailbox providers like Gmail and Yahoo detect if an email that you’re sending to your customer has been modified by a bad actor before it reaches your inbox. Authentication mechanisms such as this are why it’s rare to see a phishing email for a bank statement that has a sending domain that is identical to “” 

One common attack vector that attackers will use to get around DKIM verification is known as a DKIM Replay Attack.  In a DKIM Replay Attack an attacker will take a copy of a valid email, often sent through a reputable Email Service Provider such as SparkPost, and try to “replay” those emails but with additional From, To, or Subject headers in the email. Since the original DKIM signature was valid (but did not include the additional headers), the attackers hope that this forged email will also pass DKIM validation, ultimately landing the spam or phishing message into the recipient’s inbox.

“DKIM Oversigning” is an extra security measure that can be taken to reduce the chance that a valid DKIM signature can be leveraged for malicious purposes. It works by “oversigning” sensitive headers (To, From, and Subject), even if they are left blank. It’s akin to filling out every phone number box (cell, home, work) on an important form, even if you’re just using one phone.  

SparkPost is already oversigning the DKIM headers on our platform to reduce this attack vector. It’s one of the small pieces of the puzzle required for our service to be trusted and relied on by many of the world’s security-conscious senders.