I would like to be able to authenticate an email sent to my app by users. For the sake of simplicity, I can live with doing so only for gmail users, as gmail signs all of its outgoing emails using DKIM.
How do I find out gmail's DKIM public key? I tried using http://www.protodave.com/tools/dkim-key-checker/, but I couldn't find gmail's selector name.
And how do I then verify the authenticity of the message? HMAC? Is there some API/service that does that?
I sent a test message from Gmail to another account, then looked at the headers for the DKIM info. I got:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:x-received:date:message-id:subject:from:to
:content-type; bh=fd9JXP6Ngw+hgcG1EbBo7GpsrIIZzdJb9Q/14o9e5C8=;
b=sYlJC2oYWzBUOPIo0jtR4iFsIVqUlwo2QRcG1186hg5ai0oO1nisiOJUD+QXjt (snip)
The selector here is "20120113." From a shell prompt, query Google's DNS for the public key associated with that selector:
dig 20120113._domainkey.google.com TXT
This results in:
20120113._domainkey.google.com. 86400 IN TXT "k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp5kQ31/aZDreQqR9/ikNe00ywRvZBFHod6dja+Xdui4C1y8SVrkUMQQLOO49UA+ROm4evxAru5nGPbSl7WJzyGLl0z8Lt+qjGSa3+qxf4ZhDQ2chLS+2g0Nnzi6coUpF8r" "juvuWHWXnzpvLxE5TQdfgp8yziNWUqCXG/LBbgeGqCIpaQjlaA6GtPbJbh0jl1NcQLqrOmc2Kj2urNJAW+UPehVGzHal3bCtnNz55sajugRps1rO8lYdPamQjLEJhwaEg6/E50m58BVVdK3KHvQzrQBwfvm99mHLALJqkFHnhyKARLQf8tQMy8wVtIwY2vOUwwJxt3e0KcIX6NtnjSSwIDAQAB"
The public key is everything after the p=.
However... that selector looks like it's date based, meaning Google probably rotates it regularly. You can't trust that a selector will always be valid.
Therefore, if you want to reliably verify incoming mail, save yourself the trouble of writing your own verification tool and use OpenDKIM (http://opendkim.org/). Not only will it verify incoming mail, but it will also sign your outgoing mail.
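Worked example, added here and not part of the answer above: a small Python script that parses the DKIM-Signature tags, derives the selector._domainkey.domain name to query from the s= and d= tags, parses a dig-style TXT answer (quoted chunks, escaped semicolons) into its k=/p= tags, and checks the bh= body hash under the relaxed body canonicalization the header declares (c=relaxed/relaxed). The sample body, the bh= derived from it and the shortened p= value are constructed; the RSA check of the b= tag over the signed headers is left to a full implementation such as OpenDKIM.

```python
# Added example: DKIM lookup name, key-record parsing and bh= body-hash check.
import base64
import hashlib
import re

def parse_tags(value: str) -> dict:
    """Split a DKIM tag list ('v=1; a=rsa-sha256; ...') into a dict.
    Folding whitespace inside a value (the h= and b= tags are usually
    wrapped across header lines) is removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_dns_name(sig: dict) -> str:
    """The TXT record to fetch is <selector>._domainkey.<signing domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def parse_txt_record(dig_answer: str) -> dict:
    """Join the quoted strings of a dig TXT answer (dig splits long records
    into 255-byte chunks and escapes ';' as '\\;') and parse the key tags."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_answer)
    return parse_tags("".join(chunks).replace("\\;", ";"))

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 relaxed body canonicalization: collapse runs of spaces/tabs,
    strip trailing whitespace per line, drop trailing empty lines, CRLF ends."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash_b64(body: bytes) -> str:
    """bh= as the signer computes it: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def body_hash_matches(sig: dict, body: bytes) -> bool:
    """First verification step: does the received body still match bh=?"""
    return sig.get("bh") == body_hash_b64(body)

# Constructed sample data. The bh= is derived from SAMPLE_BODY because the
# real body behind the answer's header is not available; p= is shortened.
SAMPLE_BODY = b"Hello,\r\n\r\nThis is a   test message.  \r\n\r\n\r\n"
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; "
                    "h=from:to:subject; bh=" + body_hash_b64(SAMPLE_BODY) + "; b=PLACEHOLDER")
SAMPLE_DIG = '20120113._domainkey.gmail.com. 86400 IN TXT "k=rsa\\; p=MIIBIjANBg" "kqhkiG9w0B"'
```

A body whose only differences are trailing whitespace or extra blank lines at the end still matches bh=, while any content change does not; the b= signature over the headers then proves who signed it.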