Replay-Resistant DomainKeys Identified Mail (DKIM) Signatures

Document Type: Expired Internet-Draft (individual); Expired & archived
Author: Murray Kucherawy
Last updated: 2023-07-01 (Latest revision 2022-12-28)
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.

DomainKeys Identified Mail (DKIM) provides a digital signature mechanism for Internet messages, allowing a domain name owner to affix its domain name in a way that can be cryptographically validated. DKIM signatures protect the integrity of the message header and body only. By design, DKIM decoupled itself from the transport and storage mechanisms used to handle messages. This gives rise to a possible replay attack, which the original DKIM specification acknowledged but for which it did not provide a mitigation strategy. This document presents an optional method for binding a signature to a specific recipient or set of recipients so that broader replay attacks can be mitigated.


Murray Kucherawy

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)