I confirm the SPF and DKIM records were wrong.
ELI5 Please?
Honestly, some of the things you say worry me that if you were ever to fall away from Talossa, resign from office, etc that the next SoS would be royally screwed in trying to deal with the systems you have put in place.
SPF is a field you put in your DNS record* which indicates which computers are allowed to send emails for your domain.
My SPF record for talossa.ca was saying that only the server hosting the talossa.ca website was allowed to send emails, but I was using Mandrill to also send emails.
Everyone with an email provider using SPF validation would see the email, check the SPF record and go: "Nah, this is spam. Yes, we trust Mandrill, but talossa.ca is saying to reject Mandrill..."
*A DNS record is a file on a server which is the equivalent of the library card* for a book. In the DNS record, you say where the website is hosted, what its subdomains are, etc... It's not something you can fully understand as a layperson, but it's what is used to translate the domain names you like to use (like talossa.ca, facebook.com, google.com) into IP addresses like 167.45.21.234 (which is just a random IP I picked).
* Library cards were little cards in big containers describing every book in a library. Typically, if I remember, each book would have 1 card for the title, 1 card for the author, and 1 card for the number. If you wanted a book on Gardening, you would find the Gardening section and read the summary on the books about Gardening. Same if you wanted a book from King, Stephen (author of It, Under the Dome, Dead Zone, and so many other great classics), you would find the section for K in the authors and ruffle until you found all of the index cards for him. You could also find them in the horror section.
DKIM is even more complicated.
Encryption is basically a set of very advanced mathematical functions which use 2 parts: a private part you never give away, and a public part you must somehow give to others.
I can thus send you my public key to let you decrypt a message encrypted with my private key and you can decrypt it, but you couldn't encrypt it perfectly like I did.
In reality, it's a lot more complex than that, but this is an ELI5, not an ELIHAPHD (Explain It Like I Have A PhD). Furthermore, I do understand it better than I just said, but not that much...
Moving on, encryption isn't just used to encrypt, it can be used to sign too...
Imagine you send me a box every day with a USB stick, and I send one to you too. We are afraid someone will copy your style and send me a fake one. You could write on your stick a password for me, like "Buffalo", but if it's the same every day, others could fake it by seeing just ONE of the packages.
So, you could encrypt the date of sending (which is written on the USB stick) with a secret formula we both understand. I could check if the formula is well used to make sure it is good.
DKIM is a little like that. It allows you to put a value in an outgoing email which can be checked with the DNS record to confirm that the email is legit.
If you have a DKIM entry in your DNS, all non-signed emails will be marked as spam, as well as all badly signed ones.
If you do not have one (which was the case), all signed emails will be marked as spam since they don't match the [missing] DKIM entry.
Talossa.ca was missing the Mandrill DKIM entry, and its SPF record was excluding Mandrill (and well, everyone else for that matter) from sending.
Those that got the email did so just because Mandrill is so good at spotting their clients spamming that people just trust them despite talossa.ca telling the world not to.
This is now fixed.
As for me leaving, I will post a second message in a few minutes...
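The SPF mismatch described in the post above, as an added example that is not part of the original thread: a small evaluator for a subset of SPF (`ip4`, `include`, `all`) run against a record that lists only the web server and against one that also includes the mail provider. The domain names, addresses and the `spf.esp.example` include are constructed stand-ins, not talossa.ca's or Mandrill's real records.

```python
import ipaddress

# Constructed TXT records standing in for DNS; every name and address is made up.
ZONE = {
    "before.example": "v=spf1 ip4:192.0.2.10 -all",  # web server only
    "after.example": "v=spf1 ip4:192.0.2.10 include:spf.esp.example -all",
    "spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",  # hypothetical mail provider
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) for sender_ip."""
    if depth > 10:  # crude include-loop guard; real SPF caps total DNS lookups at 10
        return "permerror"
    record = ZONE.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mechanism = term[1:] if term[0] in RESULTS else term
        if mechanism == "all":
            return RESULTS[qualifier]
        if mechanism.startswith("ip4:"):
            if ip in ipaddress.ip_network(mechanism[4:], strict=False):
                return RESULTS[qualifier]
        elif mechanism.startswith("include:"):
            # include matches only when the nested record evaluates to pass
            inner = check_spf(mechanism[8:], sender_ip, depth + 1)
            if inner == "pass":
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
    return "neutral"  # no mechanism matched and the record has no "all" term
```

With the first record a message relayed from 198.51.100.25 evaluates to `fail`; with the second it evaluates to `pass`, while an unrelated sender still fails.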