> There is still a replay possibility with DKIM even if limited to replaying the exact same message (unless providers or email clients track already seen messages until DKIM expiration, which could happen but I don't think is happening at this point).
IIRC Gmail deduplicates based on Message-ID. But even if you replay an identical message... the date would still land it next to the original. So worst case you have two copies of the same thing next to each other. Which can (and already does!) happen occasionally when a server resends a message for whatever reason. It's hardly an issue.
Thanks! And good that Google at least likely deals with it ok. Just as a general thing it is a good idea to be very careful about replay possibilities and I think you are a bit too casually dismissive. Not every provider stores email forever (although storing just the DKIM signature could be done without too much trouble) and there are circumstances where receiving the same message as previously to a cleared inbox might not be an obvious duplicate if you don't happen to look at the date (which is not something I usually do when looking at email). Of course, this is already a potential issue today.
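An added sketch (not code from any poster in this thread, and not a description of how any provider works) of the tracking discussed above: remember each delivered DKIM signature only until its `x=` expiration. `DkimReplayCache` and `DEFAULT_TTL` are hypothetical names, the sample header is constructed, and the signature is assumed to have already passed DKIM verification.

```python
import hashlib
import re
import time

DEFAULT_TTL = 7 * 24 * 3600  # assumed retention when the signature has no x= tag


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags


class DkimReplayCache:
    """Remembers signatures already delivered, each only until it expires."""

    def __init__(self):
        self._seen = {}  # sha256 of b= value -> expiry (Unix seconds)

    def check(self, header_value, now=None):
        """Return 'new', 'replay' or 'expired' for one verified DKIM-Signature."""
        now = time.time() if now is None else now
        # Expired signatures no longer verify, so their entries can be dropped.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        tags = parse_dkim_tags(header_value)
        if not tags.get("b"):
            raise ValueError("DKIM-Signature has no b= tag")
        expiry = int(tags["x"]) if tags.get("x", "").isdigit() else now + DEFAULT_TTL
        if expiry <= now:
            return "expired"
        key = hashlib.sha256(tags["b"].encode()).hexdigest()
        if key in self._seen:
            return "replay"
        self._seen[key] = expiry
        return "new"


# Constructed sample header (not a real signature); t= and x= are Unix timestamps.
SAMPLE = ("v=1; a=rsa-sha256; d=example.org; s=sel1; t=1700000000; x=1700600000;\r\n"
          " h=from:to:subject:date:message-id; bh=Q09OU1RSVUNURUQ=;\r\n"
          " b=Q09OU1RSVUNURURTSUdO\r\n QVRVUkU=")
```

Only a hash of the `b=` value and an expiry are kept per message, so the stored state stays small and disappears once the signature can no longer verify.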