It almost seems that replay can be detected just by monitoring the
number of queries against a user key.
Only if you know in advance how many times a message will legitimately
be delivered and can see through the recipients' DNS caches to know
how many times a key was fetched, neither of which seems very likely.
Before we can describe a replay defense, the people who are concerned
about replay need to define what replay means, i.e., what's the
technical difference between a replay and a valid delivery. The
definition can't require knowledge of people's mental states.
R's,
John