Wednesday, November 29, 2006

Google Using Domain Key Signatures

I just received an email message from Google (since I signed up for Google Base yesterday) and noticed it was signed with a DomainKey-Signature header entry.

DomainKey-Status: good (test mode)
Received: from zps36.corp.google.com (zps36.corp.google.com [172.25.146.36])
    by smtp-out.google.com with ESMTP id kAT49pg2026142
    for ; Tue, 28 Nov 2006 20:09:52 -0800
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com;
    c=nofws; q=dns;
    h=received:to:from:subject:x-mailer:message-id:date;
    b=TP7wvOxr2uytSzFXTNxFV3qDCWXlmhYZHx189gsyc/q2VtyAE4e
    NBSPLE4PgveOe37/IE/11kQXrGNexE8G6ig==


In the “extended header” it said:

Sent by: google.com
Signed by: google.com

The “test mode” designation is interesting, too.

Well, looking further at Wikipedia, Google has been using Domain Keys since 2005 and actually went live with them shortly before Yahoo (who developed the concept).

Cool, so here's how you look up the public key to verify the above message. The s=beta is the selector. You prepend that to the _domainkey subdomain, and that to the sending domain d=google.com.


nslookup
> set query=any
> beta._domainkey.google.com
...

Non-authoritative answer:
beta._domainkey.google.com text = "g=\; k=rsa\; t=y\;
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMs93oc95ObA7OEQEbqjIy6YvR
j1u3yVGTzQ3wkwRQTWx1fhvNQenPNFklaL+Tw9XFYUc3f8eY0hs3WUNQ+t+I0
CAwEAAQ=="
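
The same lookup logic as an added Python example (not code from the original post): it builds the DNS query name from the s= and d= tags, then parses the TXT answer shown above to report the key type, the t=y test-mode flag and the RSA modulus size. The function names are illustrative, and the record is embedded inline so no DNS query is made.

```python
import base64

# Taken from the post: signature tags (h= and b= omitted) and the nslookup TXT answer.
SIGNATURE = "a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns;"
TXT_RECORD = (
    r"g=\; k=rsa\; t=y\; "
    "p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMs93oc95ObA7OEQEbqjIy6YvR"
    "j1u3yVGTzQ3wkwRQTWx1fhvNQenPNFklaL+Tw9XFYUc3f8eY0hs3WUNQ+t+I0"
    "CAwEAAQ=="
)

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (signature header or key record)."""
    tags = {}
    for item in value.replace("\\;", ";").split(";"):  # undo nslookup's \; escaping
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def key_query_name(signature):
    """Build <selector>._domainkey.<domain> from the s= and d= tags."""
    tags = parse_tags(signature)
    if tags.get("q", "dns") != "dns":
        raise ValueError("unsupported key retrieval method")
    return f"{tags['s']}._domainkey.{tags['d']}"

def _tlv(der, pos):
    """Return (value_start, value_end) of the DER element at pos."""
    length, pos = der[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return pos, pos + length

def describe_key(txt_record):
    """Summarise the key record: key type, test-mode flag, RSA modulus size."""
    tags = parse_tags(txt_record)
    der = base64.b64decode(tags["p"], validate=True)
    outer, _ = _tlv(der, 0)               # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _tlv(der, outer)         # skip AlgorithmIdentifier
    bits, _ = _tlv(der, alg_end)          # BIT STRING holding the RSA key
    seq, _ = _tlv(der, bits + 1)          # +1 skips the unused-bits octet
    n_start, n_end = _tlv(der, seq)       # INTEGER modulus
    modulus = int.from_bytes(der[n_start:n_end], "big")
    return {"key_type": tags.get("k", "rsa"), "test_mode": tags.get("t") == "y",
            "modulus_bits": modulus.bit_length()}

if __name__ == "__main__":
    print(key_query_name(SIGNATURE), describe_key(TXT_RECORD))
```

The t=y tag in the key record is what the "test mode" status in the received message reflects.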

Here's a nice slide show from Eric Allman.