A breakdown of a DKIM replay attack

submitted by
Style Pass
2022-01-14 10:30:08

On 1 December 2021, we began receiving sporadic reports of delivery failures from protonmail.com addresses to Gmail. This corresponded with a dramatic decline in protonmail.com’s domain reputation as seen via Gmail Postmaster Tools and an increase in sending from known bad IP addresses.

It was clear both from the bad sending IPs (mostly in Russia) and our own metrics that the spam emails damaging ProtonMail’s domain reputation were not coming from our servers. However, the Postmaster Tools indicated that all emails being received by Gmail from protonmail.com were “fully authenticated”, including the fraudulent ones.

This, in turn, caused the fraudulent emails to feed into Google’s algorithm for determining domain reputation and lowered it enough that the deliverability of legitimate emails from our servers was affected as well.

We suspected a DKIM replay attack, where a single spam email originally sent from ProtonMail was being resent to many Gmail users in an attempt to exploit our deliverability and reputation to get around Google’s anti-spam measures. At one point, roughly 98% of the emails Gmail received that claimed to be from ProtonMail were actually spam, meaning the spammers were sending a volume of email equivalent to 50 times our normal outgoing traffic to Google.
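To make the mechanism concrete, here is an added example (not ProtonMail's or Google's code) that models DKIM signing and verification in Python, with HMAC-SHA256 standing in for the RSA signature so it runs on the standard library alone; the key, selector and sample message are constructed. It shows why a replayed copy still counts as "fully authenticated": only the headers listed in h= and the body are signed, never the SMTP envelope recipient, and only the optional x= expiration tag bounds how long a captured signature stays valid.

```python
import base64, hashlib, hmac, re

# Constructed demo key. HMAC-SHA256 stands in for DKIM's RSA signature so this runs on the
# standard library alone; header canonicalization and tag handling follow RFC 6376.
DEMO_KEY = b"demo-signing-key"
SIGNED = ["from", "to", "subject", "date"]

b64sha256 = lambda s: base64.b64encode(hashlib.sha256(s.encode()).digest()).decode()

def simple_body(body):
    # c=relaxed/simple: body bytes are kept as-is except trailing empty lines become one CRLF.
    return body.rstrip("\r\n") + "\r\n"

def relaxed_header(name, value):
    # Relaxed header canonicalization: lowercase name, unfold, collapse whitespace.
    return name.lower() + ":" + re.sub(r"[ \t\r\n]+", " ", value).strip() + "\r\n"

def parse(msg):
    head, _, body = msg.partition("\r\n\r\n")
    return [tuple(h.split(":", 1)) for h in re.split(r"\r\n(?![ \t])", head)], body

def signed_data(headers, names, sig):
    # Hash input: h= headers in h= order (last instance of each), then DKIM-Signature itself
    # with an empty b= value and no trailing CRLF.
    data = "".join(relaxed_header(n, [v for k, v in headers if k.lower() == n][-1])
                   for n in names if any(k.lower() == n for k, _ in headers))
    return data + relaxed_header("DKIM-Signature", re.sub(r"(;\s*b=)[^;]*$", r"\1", sig)).rstrip("\r\n")

def sign(msg, domain, selector, now, lifetime):
    headers, body = parse(msg)
    sig = (f"v=1; a=hmac-sha256; c=relaxed/simple; d={domain}; s={selector}; h={':'.join(SIGNED)}; "
           f"t={now}; x={now + lifetime}; bh={b64sha256(simple_body(body))}; b=")
    mac = hmac.new(DEMO_KEY, signed_data(headers, SIGNED, sig).encode(), "sha256").digest()
    return f"DKIM-Signature: {sig}{base64.b64encode(mac).decode()}\r\n" + msg

def verify(msg, now):
    # The verifier sees only the message. The SMTP envelope (RCPT TO) is never signed, so an
    # unmodified copy passes for every mailbox it is replayed to; only x= bounds the window.
    headers, body = parse(msg)
    sig = next(v for k, v in headers if k.lower() == "dkim-signature")
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    if tags["bh"] != b64sha256(simple_body(body)):
        return "fail: body modified"
    mac = hmac.new(DEMO_KEY, signed_data(headers, tags["h"].split(":"), sig).encode(), "sha256").digest()
    if not hmac.compare_digest(base64.b64encode(mac).decode(), tags["b"]):
        return "fail: signed header modified"
    return "fail: signature expired" if now > int(tags["x"]) else "pass"

# Constructed sample: the spam the attacker first sends through the signer to their own mailbox.
SPAM = ("From: spammer@protonmail.com\r\nTo: spammer@gmail.com\r\nSubject: Hi\r\n"
        "Date: Wed, 1 Dec 2021 10:00:00 +0000\r\n\r\nClick here\r\n\r\n\r\n")
```

A receiver that wants to catch replays rather than wait for x= can additionally count how often the same b= value arrives; many verifiers do not enforce x= at all, which is what makes a short signature lifetime only a partial mitigation.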