What Is DKIM Replay and How to Avoid It
Learn what DKIM replay is, why valid DKIM signatures can be reused, how it affects domain reputation, and how DMARC helps reduce risk.
Introduction
DKIM replay is an abuse technique where a message that was legitimately signed with DKIM is copied and resent, often at scale, through another sending path. Because the original message was signed by the real domain, the DKIM signature may still validate when the replayed message reaches recipients.
This can create reputation risk for the signing domain. The message may technically pass DKIM, but it may be delivered in a context the domain owner did not intend. DKIM replay is different from a normal DKIM failure: the problem is not that the signature is broken, but that a valid signature is being reused.
Quick answer
DKIM replay happens when an attacker or abusive sender resends a DKIM-signed message without permission. The signature still passes because the signed headers and body remain unchanged, and because DKIM binds nothing to the sending host, the recipient or the time of delivery. Reduce risk with DMARC reporting and alignment, careful DKIM signing (cover the important headers, do not use a body-length limit), tightly controlled third-party senders, signature expiration where supported and reputation monitoring.
DKIM replay
DKIM replay means a valid DKIM-signed email is reused outside its intended sending context.
- Your domain sends a real DKIM-signed email.
- Someone receives or captures that message.
- The message is resent many times through another system.
- The DKIM signature still passes if signed parts of the message remain unchanged.
- Recipients may associate the replayed traffic with your domain.
DKIM replay is possible because DKIM proves only that the signed parts of a message were signed with a key published under the domain. The signature does not bind the message to a sending IP, a recipient or a delivery time, so nothing in DKIM alone shows that a later delivery path was authorized by the domain owner.
Why DKIM can pass
DKIM signs selected headers (listed in the h= tag) and the body, or only the first l= bytes of the body if a length limit is set. If those signed parts are not changed, the signature remains valid even when the message is resent from an unrelated host.
- Signed headers remain unchanged; headers not listed in h= can be added or changed without affecting the signature
- Body content is not modified beyond the allowed canonicalization; if an l= body-length tag is present, anything appended after that length is not covered at all
- The DKIM public key for the selector still exists in DNS
- The signature has not expired, or no x= expiration tag was set; expiration shortens the replay window but does not stop replay inside it
- The receiving server can verify the signature
This is why DKIM replay is not the same as DKIM spoofing or DKIM failure.
Replay vs spoofing
DKIM replay
- What happens: a real signed message is copied and resent.
- DKIM result: may pass.
- Main risk: domain reputation damage from reused signed mail.
Spoofing without DKIM
- What happens: someone fakes your domain without a valid signature.
- DKIM result: fails or is missing.
- Main risk: impersonation and phishing.
Normal DKIM failure
- What happens: a legitimate message is changed or misconfigured.
- DKIM result: fails.
- Main risk: authentication failure and deliverability problems.
DMARC helps distinguish authorized aligned mail from suspicious or misaligned traffic.
Why replay matters
DKIM replay matters because it can damage trust in a legitimate domain. If a signed message is replayed at scale, receiving providers may see unusual volume, complaints or spam signals connected to the signing domain.
- Domain reputation damage
- Spam-folder placement
- Abuse complaints
- DMARC report anomalies
- Provider throttling
- Brand trust issues
- Deliverability problems for legitimate mail
A domain can have correct DKIM and still experience reputation problems if valid signatures are abused.
Common scenarios
Forwarded signed messages
A message is forwarded or redistributed while keeping the original DKIM signature.
Mailing list redistribution
A list redistributes a message to its members; if the list leaves the signed headers and body intact, the original DKIM signature still passes on every copy, and if it rewrites them, the original signature breaks and the list's own signature takes over.
Third-party platform abuse
A legitimate platform signs messages, but some traffic is misused or copied.
Promotional template replay
A signed marketing message is resent at scale by another sender.
Compromised recipient mailbox
Attackers capture signed messages and reuse them.
Loose signing practices
The signature does not cover enough important headers or has no useful expiration limit.
Why this matters
DKIM replay matters because authentication can look technically valid while the sending behavior is not legitimate. A passing DKIM result does not always mean the delivery was expected, authorized or safe from a reputation perspective.
This is why DKIM should be used together with SPF, DMARC, reputation monitoring and strict control over sending sources.
How to detect replay
DKIM replay is usually detected through patterns, not a single DNS lookup.
- DMARC aggregate reports — look for unusual sources passing DKIM for your domain.
- Sending IPs — identify IPs that are not your normal providers.
- DKIM selector usage — check which selector is signing suspicious traffic.
- Volume anomalies — look for sudden spikes from unexpected sources.
- Complaint patterns — watch spam complaints tied to specific campaigns or signatures.
- Message samples — compare suspicious copies with legitimate signed messages.
- Third-party senders — review which platforms are allowed to sign mail for your domain.
- Reputation signals — monitor blacklist, spam placement and domain reputation.
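The pattern-based detection described above, as an added example that is not part of the original guide: a Python script that triages a DMARC aggregate report and flags rows that pass aligned DKIM from IPs outside a sender inventory, while keeping per-selector volume for known and unknown sources. The report, the IP ranges and the KNOWN_SENDERS inventory are constructed for illustration, and the alignment check is a simplified suffix match rather than a public-suffix-list organizational-domain comparison.

```python
"""Triage a DMARC aggregate (RUA) report for DKIM-replay indicators.

Added example, not part of the original guide: flag report rows where
DKIM passes and aligns with the visible From domain but the source IP
is outside the domain owner's inventory of known senders. Only the
Python standard library is used; the report below is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report XML schema.
# Addresses are documentation ranges; counts and selectors are invented.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>transactional1</selector><result>pass</result></dkim><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3000</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>marketing2026</selector><result>pass</result></dkim><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.55</source_ip><count>48000</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>marketing2026</selector><result>pass</result></dkim><spf><domain>bulk-relay.invalid</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>12</count><policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Assumed inventory of systems allowed to sign for the domain.
KNOWN_SENDERS = {
    "transactional-platform": ["192.0.2.0/24"],
    "marketing-platform": ["198.51.100.0/24"],
}


def known_sender(ip, inventory=KNOWN_SENDERS):
    """Return the inventory name owning `ip`, or None if the IP is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, nets in inventory.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return name
    return None


def aligned_selector(record, header_from):
    """Selector of the first passing DKIM result aligned with header_from.

    Alignment is simplified to an exact or parent/child domain match; a
    real checker compares organizational domains using the public suffix list.
    """
    for dkim in record.findall("auth_results/dkim"):
        domain = (dkim.findtext("domain") or "").lower()
        if dkim.findtext("result") == "pass" and (
            domain == header_from
            or header_from.endswith("." + domain)
            or domain.endswith("." + header_from)
        ):
            return dkim.findtext("selector") or "(none)"
    return None


def triage(report_xml, inventory=KNOWN_SENDERS):
    """Return (findings, volume): replay candidates and per-selector volume.

    A replay candidate is a row whose DMARC-evaluated DKIM result is pass
    (so the message aligns) but whose source IP is not in the inventory.
    """
    root = ET.fromstring(report_xml)
    findings, volume = [], {}
    for rec in root.findall("record"):
        if rec.findtext("row/policy_evaluated/dkim") != "pass":
            continue  # failing or missing DKIM is spoofing or breakage, not replay
        header_from = (rec.findtext("identifiers/header_from") or "").lower()
        selector = aligned_selector(rec, header_from)
        if selector is None:
            continue
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count") or 0)
        owner = known_sender(ip, inventory)
        bucket = (selector, "known" if owner else "unknown")
        volume[bucket] = volume.get(bucket, 0) + count
        if owner is None:
            findings.append({"source_ip": ip, "count": count, "selector": selector,
                             "spf": rec.findtext("row/policy_evaluated/spf"),
                             "header_from": header_from})
    findings.sort(key=lambda f: f["count"], reverse=True)
    return findings, volume


if __name__ == "__main__":
    hits, vol = triage(SAMPLE_REPORT)
    for f in hits:
        print(f"REPLAY CANDIDATE {f['source_ip']} count={f['count']} "
              f"selector={f['selector']} spf={f['spf']}")
    for (sel, kind), n in sorted(vol.items()):
        print(f"{sel}: {kind} sources sent {n}")
```

Run against real reports by feeding the XML of each RUA attachment to `triage` and keeping `KNOWN_SENDERS` in sync with the sender inventory from Step 2. The row with a failing DKIM result is deliberately skipped: it is spoofing or breakage and belongs in a different queue, while the 48,000 aligned messages from an unknown relay signed with the marketing selector are the replay signal.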
Common problems
Unexpected DKIM pass from unknown IPs
Severity: High. Mail from an unfamiliar source passes DKIM for your domain.
Next step: Review DMARC reports and identify which selector and source IP are involved.
Same signed message appears at high volume
Severity: High. One legitimate message may be copied and resent many times.
Next step: Compare headers and body content across samples.
Third-party sender signs too broadly
Severity: Medium. A platform may be authorized to sign mail but not tightly controlled.
Next step: Review sender permissions, API keys and campaign access.
Old DKIM key still active
Severity: Medium. An old selector remains valid and may be used longer than intended.
Next step: Rotate unused selectors and remove stale DNS keys.
No DMARC monitoring
Severity: High. You cannot see unusual DKIM-passing sources.
Next step: Add DMARC aggregate reporting and review sources.
No DKIM signature expiration
Severity: Medium. Signatures may remain valid indefinitely if no expiration is used.
Next step: Use signature expiration where supported by your mail platform.
Weak control over templates
Severity: Medium. Reusable signed templates may be copied or redistributed.
Next step: Limit who can export, forward or mass-send signed messages.
Reputation issue despite DKIM pass
Severity: Medium. DKIM passes but recipients still complain or filter mail.
Next step: Review sending source, volume, content and DMARC alignment.
How to reduce risk
Step 1: Enable DMARC reporting
Use aggregate reports to see which sources pass SPF and DKIM for your domain.
Step 2: Inventory legitimate senders
List every platform allowed to send and sign mail for the domain.
Step 3: Review DKIM selectors
Remove old selectors and rotate keys when needed.
Step 4: Limit third-party signing
Only allow trusted systems to sign with your domain.
Step 5: Use DMARC alignment
Make sure DKIM aligns with the visible From domain where appropriate.
Step 6: Use signature expiration if supported
Shorter signature validity can reduce the useful lifetime of replayed messages.
Step 7: Monitor unusual volume
Look for spikes from unknown IPs, selectors or providers.
Step 8: Separate mail streams
Use different selectors or subdomains for transactional, marketing and third-party mail.
Step 9: Investigate suspicious samples
Compare headers and content to identify whether messages were replayed.
Suspicious pattern:
DKIM: pass
From: example.com
Source IP: not a known sender
Volume: sudden spike
Message body: identical to old campaign
Selector: marketing2026
Checks:
DMARC reports show unknown IP.
SPF does not align.
DKIM aligns and passes.
Complaints increased.
Old selector still active.
Possible action:
Pause related campaign.
Remove stale selector if unused.
Review third-party sender access.
Rotate DKIM key.
Monitor DMARC reports.
This example is illustrative. Real DKIM replay investigation requires message samples, headers, DMARC reports and sender-provider logs.
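Steps 3, 6, 8 and 9 above (selector review, signature expiration, separated streams and sample comparison) come down to reading the DKIM-Signature header of a suspicious sample. The following is an added Python example, not code from the original guide or from CheckDomainHealth: it parses the tag list of a DKIM-Signature header and reports the properties that make a valid signature easy to reuse. The SELECTORS inventory, the two header samples, their bh= and b= values and the seven-day thresholds are all constructed assumptions.

```python
"""Audit a DKIM-Signature header for replay-relevant signing hygiene.

Added example, not code from the original guide: parse the tag=value
list of a DKIM-Signature header and report conditions that make a valid
signature more reusable (no x= expiration or an overly long window, an
l= body-length limit, a retired or unknown selector, missing signed
headers, an old t= timestamp). Headers and inventory are constructed.
"""
import re

# Assumed selector inventory for the signing domain (maintain your own).
SELECTORS = {"transactional1": "active", "marketing2026": "retired"}
# Headers a signature should cover so a replayer cannot add or swap them.
EXPECTED_HEADERS = {"from", "to", "subject", "date", "message-id"}
MAX_WINDOW = 7 * 86400   # longest acceptable t= to x= distance, in seconds
MAX_AGE = 7 * 86400      # older signatures in fresh traffic suggest reuse


def parse_tags(header):
    """Return the tag=value pairs of a (possibly folded) DKIM-Signature."""
    body = re.sub(r"^dkim-signature\s*:", "", header.strip(), flags=re.I)
    body = re.sub(r"\r?\n[ \t]+", " ", body)       # unfold continuation lines
    tags = {}
    for part in body.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            # Folding whitespace is permitted inside values (b=, bh=); drop it.
            tags[tag.strip().lower()] = "".join(value.split())
    return tags


def audit_signature(header, now, inventory=SELECTORS):
    """Return a sorted list of finding codes for the header at time `now`."""
    t = parse_tags(header)
    findings = []
    if t.get("v") != "1":
        findings.append("UNSUPPORTED_VERSION")
    if t.get("a", "").lower() == "rsa-sha1":
        findings.append("WEAK_ALGORITHM")       # RFC 8301 forbids rsa-sha1
    state = inventory.get(t.get("s"))
    if state is None:
        findings.append("UNKNOWN_SELECTOR")
    elif state != "active":
        findings.append("SELECTOR_" + state.upper())
    signed = {h.strip().lower() for h in t.get("h", "").split(":") if h.strip()}
    for missing in sorted(EXPECTED_HEADERS - signed):
        findings.append("UNSIGNED_HEADER:" + missing)
    if "l" in t:
        findings.append("BODY_LENGTH_LIMIT")   # bytes after l= are unsigned
    ts = int(t["t"]) if t.get("t", "").isdigit() else None
    exp = int(t["x"]) if t.get("x", "").isdigit() else None
    if exp is None:
        findings.append("NO_EXPIRATION")
    elif now > exp:
        findings.append("EXPIRED")             # verifiers must reject this
    elif ts is not None and exp - ts > MAX_WINDOW:
        findings.append("EXPIRATION_WINDOW_TOO_LONG")
    if ts is not None and now - ts > MAX_AGE:
        findings.append("SIGNATURE_OLDER_THAN_MAX_AGE")
    return sorted(findings)


# Constructed headers: a loosely signed marketing message and a tight one.
LOOSE = """DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=marketing2026; h=from:to:subject; t=1700000000; l=2048;
 bh=ZmFrZS1ib2R5LWhhc2g=; b=ZmFrZS1zaWduYXR1cmU="""
TIGHT = """DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;
 s=transactional1; h=from:to:subject:date:message-id:reply-to;
 t=1700000000; x=1700172800; bh=ZmFrZS1ib2R5LWhhc2g=; b=ZmFrZS1zaWduYXR1cmU="""

if __name__ == "__main__":
    now = 1700000000 + 10 * 86400   # ten days after signing
    print("loose:", audit_signature(LOOSE, now))
    print("tight:", audit_signature(TIGHT, now))
```

The audit does not verify the cryptographic signature; it assumes the receiver already reported DKIM pass and answers the next question, which is how much of the message that pass actually covers and for how long. The same checks apply to your own outbound mail: run them against a message from each sending platform before an incident, not only on suspicious samples afterwards.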
DKIM and DMARC
DMARC helps because it requires alignment between the authenticated domain and the visible From domain, and because it gives domain owners aggregate reports about who is sending mail using their domain. Those reports are where replay becomes visible, because they expose:
- Unknown DKIM-passing sources
- Unusual IP addresses
- Selector abuse
- Failing SPF with passing DKIM
- Forwarding or redistribution patterns
- Third-party platforms sending unexpectedly
DMARC does not block replay on its own: a replayed message carries an aligned, passing DKIM signature, so it satisfies DMARC policy exactly as the original did. What DMARC adds is the reporting that shows unknown sources passing DKIM with your selectors, and the policy control over misaligned mail that DKIM alone does not provide.
Selector strategy
Selectors help separate different DKIM keys and sending systems.
- Use separate selectors for major providers
- Remove unused selectors
- Rotate keys periodically
- Avoid sharing one selector across unrelated systems
- Document selector ownership
- Monitor selector usage in DMARC reports
- Use subdomains for separate mail streams where needed
Selector separation makes investigation easier when suspicious DKIM-passing traffic appears.
What replay is not
DKIM replay is not the same as every DKIM problem.
- A missing DKIM record
- A broken selector
- A malformed public key
- A DKIM break caused by ordinary forwarding or list rewriting, on its own
- SPF failure by itself
- DMARC policy missing by itself
- Proof that the domain owner intentionally sent the replayed mail
It is specifically about valid signed mail being reused outside the intended sending context.
Frequently asked questions
What is DKIM replay?
DKIM replay is when a valid DKIM-signed message is copied and resent outside its intended sending path.
Can DKIM pass on replayed mail?
Yes. If the signed parts of the message remain unchanged, DKIM may still validate.
Does DKIM replay mean my DKIM is broken?
Not necessarily. The signature may be working correctly, but the message is being reused.
Can DMARC help with DKIM replay?
Yes. DMARC reporting helps identify unusual sources and alignment patterns.
How do I reduce DKIM replay risk?
Use DMARC monitoring, control third-party senders, rotate unused selectors, separate mail streams and monitor unusual volume.
Should I delete all DKIM selectors?
No. Remove only unused or compromised selectors after confirming which systems need them.
Can SPF stop DKIM replay?
SPF usually fails on replayed mail because the replaying host is not in your SPF record, which helps identify the unauthorized sending path. It does not stop the replay, because DMARC passes on the aligned DKIM signature regardless of the SPF result. Use SPF, DKIM and DMARC together.