SPF record lookup and validation for: brightstorm.com
SPF records are published in DNS as TXT records.
The TXT records found for your domain are:
v=spf1 include:_spf.google.com include:spf.mandrillapp.com include:datadrivenemail.com include:_hostedspf.discourse.org ~all
DKIM checks out too:
DKIM Record for discourse._domainkey.brightstorm.com
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J
This is a valid DKIM key record
I sent a test email from Admin, Email and indeed, DKIM is unhappy:
spf=pass (google.com: domain of firstname.lastname@example.org designates 2001:470:1:3c2::b as permitted sender) email@example.com;
Received: from localhost.localdomain (tiefighter6.discourse.internal [10.0.0.6])
by tieinterceptor2.discourse.org (Postfix) with ESMTP id 6010DA0005
for <firstname.lastname@example.org>; Tue, 13 Jan 2015 22:09:30 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=brightstorm.com;
It looks like something is modifying the email between you and us?
Are there any intermediate email services or steps between the mail being sent and it arriving in your mail inbox?
We’ll check on our end as well, but we have other customers getting DKIM and SPF pass using the same paths and certs.
Ah - this is the problem. The DKIM record is syntactically correct but is set up using the wrong key.
The records should look like:
discourse._domainkey.brightstorm.com IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCojtk3fqF69pT6SZcIwoYzjQfdOBTFK7AOyxEGBwHLZ+xqwQQlVgfL6xFZ7FhCYAczkGTCjdChX/qf6dg4LrtXrb+apymj9WpLOwPir6P5Mv9FH3t3BgrQeyyCLhAHqDrUk+kU3B2z1uva3oWw3qN9MLZaX8HjR13w9ywVEgzjpQIDAQAB"
mandrill._domainkey.brightstorm.com IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB"
The reason the signature check is failing is that our signature is trying to be verified against the mandrill public key - that ain’t gonna fly.
For future reference, the result we get from a DKIM check for a hosted domain should be:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCojtk3fqF69pT6SZcI
If you have trouble, please feel to let us know immediately rather than changing configuration as we can help with the diagnosis. For example, I’m about to PM you the email logs from the first few messages you apparently tried sending and they show they were indeed delivered to gmail. If you’re having deliverability problems beyond that we can help ensure SPF and DKIM are correctly setup.