What Is DKIM Replay and How to Avoid It

Learn what DKIM replay is, why valid DKIM signatures can be reused, how it affects domain reputation, and how DMARC helps reduce risk.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 9 min read Advanced

Introduction

DKIM replay is an abuse technique where a message that was legitimately signed with DKIM is copied and resent, often at scale, through another sending path. Because the original message was signed by the real domain, the DKIM signature may still validate when the replayed message reaches recipients.

This can create reputation risk for the signing domain. The message may technically pass DKIM, but it may be delivered in a context the domain owner did not intend. DKIM replay is different from a normal DKIM failure: the problem is not that the signature is broken, but that a valid signature is being reused.

Quick answer

DKIM replay happens when an attacker or abusive sender resends a DKIM-signed message without permission. The signature may still pass because the message content and signed headers remain unchanged. Reduce risk with DMARC alignment, careful DKIM signing, controlled third-party senders, expiration limits where supported and reputation monitoring.

DKIM replay

DKIM replay means a valid DKIM-signed email is reused outside its intended sending context.

  1. Your domain sends a real DKIM-signed email.
  2. Someone receives or captures that message.
  3. The message is resent many times through another system.
  4. The DKIM signature still passes if signed parts of the message remain unchanged.
  5. Recipients may associate the replayed traffic with your domain.

DKIM replay is possible because DKIM proves that a message was signed by a domain, but DKIM alone does not always prove that every later delivery path was authorized by the domain owner.

Why DKIM can pass

DKIM signs selected headers and body content. If those signed parts are not changed, the signature can remain valid even when the message is resent.

  • Signed headers remain unchanged
  • Body content is not modified beyond the allowed canonicalization
  • The DKIM public key still exists in DNS
  • The signature has not expired if an expiration tag is used
  • The receiving server can verify the signature

This is why DKIM replay is not the same as DKIM spoofing or DKIM failure.

Replay vs spoofing

DKIM replay

  • What happens: a real signed message is copied and resent.
  • DKIM result: may pass.
  • Main risk: domain reputation damage from reused signed mail.

Spoofing without DKIM

  • What happens: someone fakes your domain without a valid signature.
  • DKIM result: fails or is missing.
  • Main risk: impersonation and phishing.

Normal DKIM failure

  • What happens: a legitimate message is changed or misconfigured.
  • DKIM result: fails.
  • Main risk: authentication failure and deliverability problems.

DMARC helps distinguish authorized aligned mail from suspicious or misaligned traffic.

Why replay matters

DKIM replay matters because it can damage trust in a legitimate domain. If a signed message is replayed at scale, receiving providers may see unusual volume, complaints or spam signals connected to the signing domain.

  • Domain reputation damage
  • Spam-folder placement
  • Abuse complaints
  • DMARC report anomalies
  • Provider throttling
  • Brand trust issues
  • Deliverability problems for legitimate mail

A domain can have correct DKIM and still experience reputation problems if valid signatures are abused.

Common scenarios

Forwarded signed messages

A message is forwarded or redistributed while keeping the original DKIM signature.

Mailing list redistribution

A mailing list redistributes a message to its members. Some lists preserve the original DKIM signature intact, while others modify headers or the body so that the original signature no longer verifies.

Third-party platform abuse

A legitimate platform signs messages, but some traffic is misused or copied.

Promotional template replay

A signed marketing message is resent at scale by another sender.

Compromised recipient mailbox

Attackers capture signed messages and reuse them.

Loose signing practices

The signature does not cover enough important headers or has no useful expiration limit.
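The conditions listed under "Why DKIM can pass" and the loose-signing scenario above can both be checked directly on a message's DKIM-Signature header: which selector signed it, whether an x= expiration tag is present and still in the future, and which important headers the h= tag leaves uncovered. The following Python is an added example, not code from this guide or from CheckDomainHealth; the header value, selector name, timestamps and the set of recommended headers are constructed assumptions.

```python
import re
import time

# Constructed DKIM-Signature value (not from a real message); bh= and b= are placeholders.
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=marketing2026; "
    "h=from:to:subject:date:message-id; bh=BODYHASHPLACEHOLDER=; "
    "t=1700000000; x=1700604800; b=SIGNATUREPLACEHOLDER="
)

# Assumed minimum set of headers a signature should cover so a replayed copy
# cannot have them rewritten without breaking the signature (not an RFC requirement).
RECOMMENDED_HEADERS = {"from", "to", "subject", "date", "message-id"}


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into a tag -> value dict (RFC 6376 tag=value list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags


def assess_signature(header_value, now):
    """Report replay-relevant properties: selector, expiry (x= tag) and uncovered headers."""
    tags = parse_dkim_tags(header_value)
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    findings = {
        "domain": tags.get("d"),
        "selector": tags.get("s"),
        "missing_headers": sorted(RECOMMENDED_HEADERS - signed),
        "has_expiration": "x" in tags,
        "expired": False,
    }
    if "x" in tags:
        # x= is seconds since the epoch; verifiers treat the signature as invalid after it,
        # which caps how long a captured copy can still pass DKIM.
        findings["expired"] = now > int(tags["x"])
    return findings


if __name__ == "__main__":
    print(assess_signature(SAMPLE_SIG, int(time.time())))
```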

Why this matters

DKIM replay matters because authentication can look technically valid while the sending behavior is not legitimate. A passing DKIM result does not always mean the delivery was expected, authorized or safe from a reputation perspective.

This is why DKIM should be used together with SPF, DMARC, reputation monitoring and strict control over sending sources.

How to detect replay

DKIM replay is usually detected through patterns, not a single DNS lookup.

  1. DMARC aggregate reports — look for unusual sources passing DKIM for your domain.
  2. Sending IPs — identify IPs that are not your normal providers.
  3. DKIM selector usage — check which selector is signing suspicious traffic.
  4. Volume anomalies — look for sudden spikes from unexpected sources.
  5. Complaint patterns — watch spam complaints tied to specific campaigns or signatures.
  6. Message samples — compare suspicious copies with legitimate signed messages.
  7. Third-party senders — review which platforms are allowed to sign mail for your domain.
  8. Reputation signals — monitor blacklist, spam placement and domain reputation.

Common problems

Unexpected DKIM pass from unknown IPs (severity: High)

Mail from an unfamiliar source passes DKIM for your domain.

Next step: Review DMARC reports and identify which selector and source IP are involved.

Same signed message appears at high volume (severity: High)

One legitimate message may be copied and resent many times.

Next step: Compare headers and body content across samples.

Third-party sender signs too broadly (severity: Medium)

A platform may be authorized to sign mail but not tightly controlled.

Next step: Review sender permissions, API keys and campaign access.

Old DKIM key still active (severity: Medium)

An old selector remains valid and may be used longer than intended.

Next step: Rotate unused selectors and remove stale DNS keys.

No DMARC monitoring (severity: High)

You cannot see unusual DKIM-passing sources.

Next step: Add DMARC aggregate reporting and review sources.

No DKIM signature expiration (severity: Medium)

Signatures may remain valid indefinitely if no expiration is used.

Next step: Use signature expiration where supported by your mail platform.

Weak control over templates (severity: Medium)

Reusable signed templates may be copied or redistributed.

Next step: Limit who can export, forward or mass-send signed messages.

Reputation issue despite DKIM pass (severity: Medium)

DKIM passes but recipients still complain or filter mail.

Next step: Review sending source, volume, content and DMARC alignment.

How to reduce risk

  1. Enable DMARC reporting

    Use aggregate reports to see which sources pass SPF and DKIM for your domain.

  2. Inventory legitimate senders

    List every platform allowed to send and sign mail for the domain.

  3. Review DKIM selectors

    Remove old selectors and rotate keys when needed.

  4. Limit third-party signing

    Only allow trusted systems to sign with your domain.

  5. Use DMARC alignment

    Make sure DKIM aligns with the visible From domain where appropriate.

  6. Use signature expiration if supported

    Shorter signature validity can reduce the useful lifetime of replayed messages.

  7. Monitor unusual volume

    Look for spikes from unknown IPs, selectors or providers.

  8. Separate mail streams

    Use different selectors or subdomains for transactional, marketing and third-party mail.

  9. Investigate suspicious samples

    Compare headers and content to identify whether messages were replayed.

DKIM replay investigation example

Suspicious pattern:
DKIM: pass
From: example.com
Source IP: not a known sender
Volume: sudden spike
Message body: identical to old campaign
Selector: marketing2026

Checks:
DMARC reports show unknown IP.
SPF does not align.
DKIM aligns and passes.
Complaints increased.
Old selector still active.

Possible action:
Pause related campaign.
Remove stale selector if unused.
Review third-party sender access.
Rotate DKIM key.
Monitor DMARC reports.

This example is illustrative. Real DKIM replay investigation requires message samples, headers, DMARC reports and sender-provider logs.

DKIM and DMARC

DMARC helps because it requires alignment between the authenticated domain and the visible From domain. It also gives domain owners reports about who is sending mail using their domain. Those reports can surface patterns such as:

  • Unknown DKIM-passing sources
  • Unusual IP addresses
  • Selector abuse
  • Failing SPF with passing DKIM
  • Forwarding or redistribution patterns
  • Third-party platforms sending unexpectedly

DMARC does not magically prevent every replay, but it gives visibility and policy control that DKIM alone does not provide.
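The detection steps listed under "How to detect replay" (unknown source IPs, selector usage, SPF failing while DKIM passes) and the DMARC report patterns just above all come from the same data: the DMARC aggregate (RUA) XML. The script below is an added example, not part of this guide or any CheckDomainHealth tool; the report fragment, IP addresses, counts, selector names and the "known sender" range are constructed sample values.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (RUA) report, trimmed to the elements this check reads.
# The IPs, counts and selector names are made-up sample values, not real report data.
SAMPLE_RUA = """<feedback>
  <policy_published><domain>example.com</domain></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>850</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>transactional</selector>
      <result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>12000</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>marketing2026</selector>
      <result>pass</result></dkim></auth_results>
  </record>
</feedback>"""

# Assumed inventory of your own sending ranges (the "inventory legitimate senders" step).
KNOWN_SENDERS = [ipaddress.ip_network("198.51.100.0/24")]


def is_known(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_SENDERS)


def find_replay_candidates(rua_xml, known_check=is_known):
    """Flag records where aligned DKIM passes but SPF fails and the source is not ours.
    Valid signature plus unknown sending path is the pattern this guide describes."""
    root = ET.fromstring(rua_xml)
    flagged = []
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        dkim_ok = row.findtext("policy_evaluated/dkim") == "pass"
        spf_ok = row.findtext("policy_evaluated/spf") == "pass"
        if dkim_ok and not spf_ok and not known_check(ip):
            selectors = [s.text for s in rec.findall("auth_results/dkim/selector")]
            flagged.append({"source_ip": ip, "count": int(row.findtext("count")),
                            "selectors": selectors})
    return flagged
```

Each flagged entry names the selector involved, which is what you would then cross-check against the selector inventory and consider rotating.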

Selector strategy

Selectors help separate different DKIM keys and sending systems.

  • Use separate selectors for major providers
  • Remove unused selectors
  • Rotate keys periodically
  • Avoid sharing one selector across unrelated systems
  • Document selector ownership
  • Monitor selector usage in DMARC reports
  • Use subdomains for separate mail streams where needed

Selector separation makes investigation easier when suspicious DKIM-passing traffic appears.

What replay is not

DKIM replay is not the same as every DKIM problem. None of the following is DKIM replay on its own:

  • A missing DKIM record
  • A broken selector
  • A malformed public key
  • A normal forwarding issue only
  • SPF failure by itself
  • DMARC policy missing by itself
  • Proof that the domain owner intentionally sent the replayed mail

It is specifically about valid signed mail being reused outside the intended sending context.

Frequently asked questions

What is DKIM replay?

DKIM replay is when a valid DKIM-signed message is copied and resent outside its intended sending path.

Can DKIM pass on replayed mail?

Yes. If the signed parts of the message remain unchanged, DKIM may still validate.

Does DKIM replay mean my DKIM is broken?

Not necessarily. The signature may be working correctly, but the message is being reused.

Can DMARC help with DKIM replay?

Yes. DMARC reporting helps identify unusual sources and alignment patterns.

How do I reduce DKIM replay risk?

Use DMARC monitoring, control third-party senders, rotate unused selectors, separate mail streams and monitor unusual volume.

Should I delete all DKIM selectors?

No. Remove only unused or compromised selectors after confirming which systems need them.

Can SPF stop DKIM replay?

SPF can help identify unauthorized sending paths, but DKIM replay can still pass if DKIM aligns. Use SPF, DKIM and DMARC together.
