DKIM Oversigning to Help Avoid Replay Attacks
Bird
9 Apr 2022
1 min read

Key Takeaways
DKIM Replay Attacks occur when attackers reuse a previously valid, DKIM-signed email but prepend extra copies of headers (like To, From, or Subject) that the original signature did not cover, so the message still passes DKIM while recipients see the attacker's values.
DKIM oversigning protects against this by listing sensitive headers in the signature more times than they actually occur, so that even a nonexistent instance is covered; any header an attacker adds later changes the signed content and breaks the signature.
Bird Cloud now oversigns DKIM headers by default, eliminating a major replay-attack vector for all senders using the platform.
Oversigning ensures mailbox providers can verify that no protected headers were added or manipulated after sending.
This enhancement helps maintain trust with security-sensitive senders and strengthens end-to-end email integrity.
DKIM oversigning is a behind-the-scenes security improvement that requires no action from customers.
It complements other authentication layers such as SPF, DMARC, and TLS to create a more resilient email security posture.
Replay attacks are particularly problematic for reputable ESPs because attackers exploit their good sending reputation—oversigning closes this loophole.
Q&A Highlights
What is a DKIM Replay Attack?
It’s when an attacker takes a legitimate DKIM-signed email and resends (“replays”) it with additional headers in hopes the email still passes DKIM validation.
How does DKIM oversigning help prevent replay attacks?
Oversigning lists sensitive headers (To, From, Subject) in the signature one more time than they appear, so the signature also covers an empty, nonexistent instance; attackers therefore cannot append new versions of those headers without breaking DKIM validation.
Which headers are typically oversigned?
The most sensitive ones: To, From, and Subject—the headers most commonly targeted by attackers.
Why is oversigning necessary if DKIM is already secure?
Standard DKIM covers only the header instances listed in the signature, and a header name listed once covers only one instance; attackers can add further copies of the same header without affecting the signature. Oversigning closes this gap.
Does DKIM oversigning affect email rendering for recipients?
No. It’s a backend security enhancement and doesn’t change how emails appear to end users.
Does oversigning require extra setup from customers?
No. Bird Cloud now applies DKIM oversigning automatically across the platform.
Why are Email Service Providers (ESPs) a common target?
Attackers exploit the strong domain reputation of reputable ESPs so their replayed emails are more likely to land in inboxes.
Can oversigning break email delivery?
No—oversigning is compliant with DKIM standards and mailbox providers fully support it.
Is oversigning compatible with SPF and DMARC?
Yes. It strengthens overall authentication by reducing one DKIM-related weakness.
Does oversigning impact email performance or send speed?
The effect is negligible; the security benefits far outweigh the small additional signing step.
Can attackers still manipulate headers after oversigning?
They can try, but any change to, or additional copy of, an oversigned header will cause DKIM validation to fail, stopping the attack.
Why implement oversigning now?
As awareness of replay attacks increases, security-forward senders expect stronger default protections. Oversigning aligns Bird with best-in-class security practices.
Bird Cloud now performs DKIM Oversigning by default to eliminate an attack vector for the billion+ emails our platform enables each day.
DKIM (DomainKeys Identified Mail) is a common email authentication method designed to reduce the opportunities for phishing attacks and email spam. Combined with other common authentication mechanisms, the chances that your sending domains are abused to carry out attacks successfully are greatly reduced. However, increasing awareness around a potential attack vector has caused sending providers to revisit how this functionality is implemented and look for ways to reinforce it.
A DKIM signature is what helps mailbox providers like Gmail and Yahoo detect if an email that you’re sending to your customer has been modified by a bad actor before it reaches their inbox. Authentication mechanisms such as this are why it’s rare to see a phishing email for a bank statement that has a sending domain that is identical to “yourbank.com.”
One common attack vector that attackers will use to get around DKIM verification is known as a DKIM Replay Attack. In a DKIM Replay Attack an attacker will take a copy of a valid email, often sent through a reputable Email Service Provider such as SparkPost, and try to “replay” those emails but with additional From, To, or Subject headers in the email. Since the original DKIM signature was valid (but did not include the additional headers), the attackers hope that this forged email will also pass DKIM validation, ultimately landing the spam or phishing message in the recipient’s inbox. The reason this can work is that a DKIM verifier matches each header name listed in the signature to the last instance of that header in the message, so a copy prepended above the original goes unchecked, while many mail clients display the first instance they encounter.
“DKIM Oversigning” is an extra security measure that can be taken to reduce the chance that a valid DKIM signature can be leveraged for malicious purposes. It works by listing each sensitive header name (To, From, and Subject) in the signature one more time than the header actually appears, so the signature also covers an instance that is left blank; if anyone adds that header later, the signed content changes and the signature fails. It’s akin to filling out every phone number box (cell, home, work) on an important form, even if you’re just using one phone.
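The two paragraphs above describe the replay and the defence in words; the following added example (not Bird’s or SparkPost’s code) shows both against a constructed header block. It keeps the part of RFC 6376 that matters here, the bottom-up selection of header instances named in the h= tag and the fact that an absent instance contributes nothing to the hash, and makes two simplifying assumptions: an HMAC-SHA256 over a demo key stands in for the real RSA signature, and header canonicalization is a reduced form of “relaxed” (lowercase name, collapsed whitespace). The sample headers, the forged lines and the key are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret. Assumption: HMAC-SHA256 stands in for the signer's
# RSA private key so the example runs with only the standard library.
SIGNING_KEY = b"demo-selector-key"

# Constructed sample message headers (the "legitimate" ESP-signed email).
ORIGINAL = """From: billing@example-esp.test
To: alice@example.test
Subject: Your April statement
Date: Sat, 9 Apr 2022 10:00:00 +0000"""

NORMAL_H = "from:to:subject:date"                      # each name listed once
OVERSIGNED_H = "from:from:to:to:subject:subject:date"  # sensitive names listed twice


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a header block into (name, value) pairs in message order,
    joining folded continuation lines onto the preceding field."""
    fields: list[tuple[str, str]] = []
    for line in raw.split("\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def select_signed_headers(fields: list[tuple[str, str]], h_tag: str) -> list[str]:
    """Pick the header instances an h= tag covers, as RFC 6376 5.4.2 does:
    for each listed name, take the bottom-most instance not yet used. A name
    with no instance left contributes nothing, so oversigning a name reserves
    a slot that any later-added copy of that header would fill."""
    used = [False] * len(fields)
    selected: list[str] = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        for i in range(len(fields) - 1, -1, -1):
            if not used[i] and fields[i][0].lower() == name:
                used[i] = True
                # reduced "relaxed" canonicalization: lowercase name, single spaces
                selected.append(f"{name}:{' '.join(fields[i][1].split())}")
                break
    return selected


def _hash_input(raw_headers: str, h_tag: str) -> bytes:
    # The h= tag is part of the DKIM-Signature header and is itself signed,
    # so an attacker cannot shorten the list to drop the reserved slots.
    lines = select_signed_headers(parse_headers(raw_headers), h_tag)
    lines.append(f"dkim-signature:h={h_tag}")
    return "\r\n".join(lines).encode()


def sign(raw_headers: str, h_tag: str) -> str:
    return hmac.new(SIGNING_KEY, _hash_input(raw_headers, h_tag), hashlib.sha256).hexdigest()


def verify(raw_headers: str, h_tag: str, signature: str) -> bool:
    expected = sign(raw_headers, h_tag)
    return hmac.compare_digest(expected, signature)


def replay(raw_headers: str) -> str:
    """The replay: prepend attacker-chosen From/Subject lines above the
    originals. Mail clients commonly show the first instance they see."""
    forged = "From: security@yourbank.test\nSubject: Urgent: verify your account\n"
    return forged + raw_headers


def demo() -> dict[str, bool]:
    sig_normal = sign(ORIGINAL, NORMAL_H)
    sig_over = sign(ORIGINAL, OVERSIGNED_H)
    forged = replay(ORIGINAL)
    return {
        "original_normal": verify(ORIGINAL, NORMAL_H, sig_normal),
        "replay_normal": verify(forged, NORMAL_H, sig_normal),          # passes: attack works
        "original_oversigned": verify(ORIGINAL, OVERSIGNED_H, sig_over),
        "replay_oversigned": verify(forged, OVERSIGNED_H, sig_over),    # fails: slots now filled
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} DKIM {'pass' if ok else 'FAIL'}")
```

With the once-listed h= tag, the verifier still finds the original From and Subject at the bottom of the forged message and the signature passes even though the recipient sees the attacker’s lines. With the oversigned tag, the second “from” and “subject” slots, empty at signing time, are filled by the prepended headers, the hash input changes, and verification fails.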
Bird is already oversigning the DKIM headers on our platform to reduce this attack vector. It’s one of the small pieces of the puzzle required for our service to be trusted and relied on by many of the world’s security-conscious senders.