I mentioned in a previous post that DKIM and SPF have known vulnerabilities. The main weakness with DKIM is that you can replay the messages.
By design, DKIM-signed messages are replayable: under certain conditions you can send a DKIM-signed message from A to B, then B can replay the unmodified message to C (or any number of recipients) and the signature will still validate. This works because DKIM does not sign the Return-Path message header or concern itself with message delivery at all. After all, DKIM was always about content signing.
The potential to exploit replaying DKIM messages has been understood and documented since the earliest days of the protocol, but it was not seen as a major risk. However, when some mailbox providers began to associate sender reputation with DKIM signing domains, replaying stopped being a feature and became a vulnerability.
Back to our A, B, and C example. Imagine that A has a DKIM signing domain that is considered to have a good reputation. If the attacker B can induce A to send them an email containing content that they control, then B can replay that message to C and it will still DKIM validate and carry A's sending reputation. This is referred to as a DKIM Replay Attack.
Replay attacks are observed in the wild exploiting many different services to leverage the reputation of their DKIM domains. Typically vulnerable services have the following characteristics:
- They have widespread use (for example video-conferencing or document signing services)
- They offer a free tier or have a trial subscription
- There is minimal validation of new users
- New users can induce the service to send an email with content they control to an address they control
The fourth point above is the main problem because it often describes the normal operation of a service, and it is the reason why the attack is not easy to defend against.
Replayability also means that the originator and intended recipient of a message cannot be accurately determined.
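For a receiver in C's position, the A, B, C scenario above leaves a recognisable trace: the same signature arriving for several envelope recipients, none of whom appear in the message's To or Cc headers. The sketch below is an added example, not code from any mail system. The function names, the threshold, the addresses and the sample signature values are all constructed assumptions, and Bcc or mailing-list mail can trip the same heuristic.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

def dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # undo header folding
    return tags

def find_replays(deliveries, threshold=2):
    """deliveries: iterable of (envelope_recipient, raw_message).
    Returns {(d, b): [recipients]} for each signature delivered to at least
    `threshold` envelope recipients that are absent from To/Cc."""
    seen = defaultdict(set)
    for rcpt, raw in deliveries:
        msg = message_from_string(raw)
        sig = msg.get("DKIM-Signature")
        if sig is None:
            continue
        tags = dkim_tags(sig)
        hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
        addressed = {addr.lower() for _, addr in getaddresses(hdrs)}
        if rcpt.lower() not in addressed:
            # Identical b= value means the signed content is byte-for-byte the same.
            seen[(tags.get("d"), tags.get("b"))].add(rcpt.lower())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

# Constructed sample: A's message to B, later delivered to two addresses at C.
REPLAYED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=service-a.example; s=sel1;\n"
    " h=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=Q09OU1RSVUNU\n"
    " RUQ=\n"
    "From: notify@service-a.example\nTo: b@mailbox.example\n"
    "Subject: shared document\n\ncontent chosen by B\n"
)
NORMAL = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=service-a.example; s=sel1;\n"
    " h=from:to:subject; bh=b3RoZXI=; b=T1RIRVI=\n"
    "From: notify@service-a.example\nTo: user@c.example\n"
    "Subject: invite\n\nhello\n"
)
SAMPLE = [("b@mailbox.example", REPLAYED), ("one@c.example", REPLAYED),
          ("two@c.example", REPLAYED), ("user@c.example", NORMAL)]

if __name__ == "__main__":
    print(find_replays(SAMPLE))
```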