Question

I would like to be able to authenticate an email sent to my app by users. For the sake of simplicity, I can live with doing so only for Gmail users, as Gmail signs all of its outgoing emails using DKIM.

How do I find out Gmail's DKIM public key? I tried using http://www.protodave.com/tools/dkim-key-checker/, but I couldn't find Gmail's selector name.

And how do I then verify the authenticity of the message? HMAC? Is there some API/service that does that?


Solution

I sent a test message from Gmail to another account, then looked at the headers for the DKIM info. I got:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=20120113;
    h=mime-version:x-received:date:message-id:subject:from:to
     :content-type; bh=fd9JXP6Ngw+hgcG1EbBo7GpsrIIZzdJb9Q/14o9e5C8=;
    b=sYlJC2oYWzBUOPIo0jtR4iFsIVqUlwo2QRcG1186hg5ai0oO1nisiOJUD+QXjt (snip)

The selector here is "20120113." From a shell prompt, query Google's DNS for the public key associated with that selector:

dig 20120113._domainkey.google.com TXT

This results in:

20120113._domainkey.google.com. 86400 IN TXT    "k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp5kQ31/aZDreQqR9/ikNe00ywRvZBFHod6dja+Xdui4C1y8SVrkUMQQLOO49UA+ROm4evxAru5nGPbSl7WJzyGLl0z8Lt+qjGSa3+qxf4ZhDQ2chLS+2g0Nnzi6coUpF8r" "juvuWHWXnzpvLxE5TQdfgp8yziNWUqCXG/LBbgeGqCIpaQjlaA6GtPbJbh0jl1NcQLqrOmc2Kj2urNJAW+UPehVGzHal3bCtnNz55sajugRps1rO8lYdPamQjLEJhwaEg6/E50m58BVVdK3KHvQzrQBwfvm99mHLALJqkFHnhyKARLQf8tQMy8wVtIwY2vOUwwJxt3e0KcIX6NtnjSSwIDAQAB"

The public key is everything after the p=.

However... that selector looks like it's date based, meaning Google probably rotates it regularly. You can't trust that a selector will always be valid.

Therefore, if you want to reliably verify incoming mail, save yourself the trouble of writing your own verification tool and use OpenDKIM (http://opendkim.org/). Not only will it verify incoming mail, but it will also sign your outgoing mail.
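
Because the selector can change, a verifier reads `s=` and `d=` from each message's own DKIM-Signature header and builds the lookup name `<s>._domainkey.<d>` (RFC 6376) instead of hard-coding it. The Python sketch below is an added example, not part of the original answer; the function names are hypothetical, and the TXT record is a constructed placeholder, not a real key.

```python
import base64
import re

# DKIM-Signature value copied from the answer above (b= is cut short there).
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "    d=gmail.com; s=20120113;\r\n"
    "    h=mime-version:x-received:date:message-id:subject:from:to\r\n"
    "     :content-type; bh=fd9JXP6Ngw+hgcG1EbBo7GpsrIIZzdJb9Q/14o9e5C8=;\r\n"
    "    b=sYlJC2oYWzBUOPIo0jtR4iFsIVqUlwo2QRcG1186hg5ai0oO1nisiOJUD+QXjt"
)
# Constructed TXT rdata in dig's presentation format: two quoted chunks and
# an escaped ';'. The p= value is a placeholder, not a real key.
SAMPLE_TXT = '"k=rsa\\; p=Q09OU1RSVUNURUQt" "UExBQ0VIT0xERVI="'


def parse_tags(text):
    """Parse a DKIM tag=value list into a dict, rejecting duplicate tags."""
    tags = {}
    for item in text.split(";"):
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not name:
            continue  # trailing ';' or empty item
        if name in tags:
            raise ValueError(f"duplicate tag {name!r}")
        # Folding whitespace is dropped; fine for the tags read here.
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def key_query_name(sig_value):
    """Build the DNS name holding the key from this message's s= and d=."""
    tags = parse_tags(sig_value)
    if tags.get("v") != "1" or not tags.get("s") or not tags.get("d"):
        raise ValueError("not a usable DKIM-Signature")
    return f"{tags['s']}._domainkey.{tags['d']}"


def public_key_der(txt_rdata):
    """Join the TXT chunks dig prints and return the decoded p= key bytes."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', txt_rdata)
    tags = parse_tags("".join(chunks).replace("\\;", ";"))
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type")
    if not tags.get("p"):
        raise ValueError("empty p=: key revoked")
    return base64.b64decode(tags["p"], validate=True)
```

With a real record, the bytes returned by `public_key_der` are the DER-encoded RSA public key that the `a=rsa-sha256` signature in `b=` is checked against; an empty `p=` means the domain has revoked that selector.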

Licensed under: CC-BY-SA with attribution