# Email Deliverability Fix -- rateright.com.au

Last checked: 2026-03-14

---

## TL;DR -- What's Wrong

We found **three problems** that explain the YHA Sydney Central bounce and likely other silent failures:

1. **The VPS IP (134.199.153.159) is NOT in the SPF record.** Emails sent directly from the VPS fail SPF checks.
2. **No reverse DNS (PTR record) on the VPS IP.** Major red flag for every spam filter.
3. **DMARC policy is `p=none`** -- this means receiving servers *can* let failures through, but strict receivers like YHA's mail host will still reject.

The DKIM record for Google Workspace (`google._domainkey`) exists and looks correct. That's the good news.

---

## Current DNS Records (Live Lookup)

### SPF
```
v=spf1 include:dc-aa8e722993._spfm.rateright.com.au ~all
```
Which resolves to:
```
v=spf1 include:_spf.google.com ~all
```

**Problem:** Only Google's mail servers are authorised. The VPS at `134.199.153.159` is not listed. Any email sent from that IP fails SPF.

### DKIM
```
google._domainkey.rateright.com.au = valid RSA key (2048-bit)
```
This is set up correctly for Google Workspace.

**Problem:** If the VPS sends email directly (not through Google), it can't DKIM-sign with this key unless it has the private key. It almost certainly doesn't.

### DMARC
```
v=DMARC1; p=none;
```

**Problem:** No `rua` reporting address. No `ruf` forensic address. Policy is `none` (monitor only) but without reporting you're monitoring nothing. Also, once you fix SPF/DKIM, you should tighten this to `quarantine` then `reject`.

### MX Records
```
1   aspmx.l.google.com
5   alt1.aspmx.l.google.com
5   alt2.aspmx.l.google.com
10  alt3.aspmx.l.google.com
10  alt4.aspmx.l.google.com
```
These are correct for Google Workspace.

### A Record
```
rateright.com.au -> 134.199.153.159
```

### Reverse DNS (PTR)
```
134.199.153.159 -> NO PTR RECORD
```
**Critical problem.** Most mail servers reject or spam-folder mail from IPs with no reverse DNS.

---

## How Email Authentication Works (Quick Version)

**SPF** -- "Which servers are allowed to send email for this domain?"
The receiving server checks if the sending IP is listed in the SPF DNS record. If not, SPF fails.

**DKIM** -- "Was this email tampered with in transit?"
The sending server signs the email with a private key. The receiving server checks the signature against the public key in DNS.

**DMARC** -- "What should I do if SPF and DKIM both fail?"
It ties SPF and DKIM together. If BOTH fail, the DMARC policy tells the receiver to `none` (do nothing), `quarantine` (spam folder), or `reject` (bounce).

**Key point:** DMARC passes if EITHER SPF or DKIM passes AND aligns with the From domain. But best practice is having both pass.

---

## The Fix -- Two Paths

### Path A: Send All Email Through Google Workspace (Recommended)

This is simpler and more reliable. The VPS should NOT send email directly.

**Step 1: Configure the VPS to relay through Google SMTP**

On the VPS, set the outreach script to use Google's SMTP relay:
```
SMTP Host: smtp-relay.gmail.com
Port: 587 (STARTTLS) or 465 (SSL)
Auth: Google Workspace account credentials or App Password
```

OR use the standard Gmail SMTP:
```
SMTP Host: smtp.gmail.com
Port: 587
Auth: rocky@rateright.com.au + App Password
```

To create an App Password:
1. Go to myaccount.google.com
2. Security > 2-Step Verification (must be ON)
3. App passwords > Generate
4. Use this 16-char password in the VPS mail config

**Step 2: Update the outreach script**

Whatever sends the emails (Python, Node, etc.) should use SMTP with the above credentials instead of `sendmail` or direct socket connections.

**Step 3: Verify SPF passes**

With this path, Google's servers send the email, and Google is already in the SPF record. No DNS changes needed for SPF.

**Step 4: Fix the DMARC record**

Update `_dmarc.rateright.com.au` TXT record to:
```
v=DMARC1; p=none; rua=mailto:dmarc-reports@rateright.com.au; ruf=mailto:dmarc-reports@rateright.com.au; adkim=r; aspf=r;
```

Create that mailbox or alias in Google Workspace first. After 2-4 weeks of clean reports, tighten to:
```
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@rateright.com.au; pct=100; adkim=r; aspf=r;
```

**Step 5: Set up PTR record anyway**

Even if the VPS isn't sending email, a PTR record is good hygiene. Contact the VPS provider (looks like DigitalOcean or similar based on the IP range) and set the PTR for `134.199.153.159` to `rateright.com.au`.

---

### Path B: Send Directly From the VPS (Harder, Not Recommended)

Only do this if there's a specific reason you can't relay through Google.

**Step 1: Add the VPS IP to SPF**

Update the root SPF TXT record to:
```
v=spf1 ip4:134.199.153.159 include:dc-aa8e722993._spfm.rateright.com.au ~all
```

**Step 2: Set up DKIM on the VPS**

Install OpenDKIM on the VPS:
```bash
sudo apt install opendkim opendkim-tools
```

Generate a key pair:
```bash
sudo opendkim-genkey -s vps -d rateright.com.au -b 2048
```

This creates `vps.txt` (public key for DNS) and `vps.private` (signing key).

Add the DNS TXT record:
```
vps._domainkey.rateright.com.au -> contents of vps.txt
```

Configure OpenDKIM to sign outbound mail with this key.

**Step 3: Set up PTR record**

Contact VPS provider. Set PTR for `134.199.153.159` to `mail.rateright.com.au` or `rateright.com.au`.

Add a matching A record:
```
mail.rateright.com.au -> 134.199.153.159
```

**Step 4: Configure the mail server**

Install and configure Postfix (or similar):
```bash
sudo apt install postfix
```
Set hostname to `mail.rateright.com.au`. Configure TLS. Integrate with OpenDKIM.

**Step 5: Update DMARC**

Same as Path A, Step 4.

---

## How to Verify the Fix

### Quick Checks (Do These First)

**Send a test email to mail-tester.com:**
1. Go to https://www.mail-tester.com
2. Copy the test address shown
3. Send an email from the VPS to that address
4. Check your score (aim for 9/10 or higher)

**Send to a Gmail address:**
1. Send test email from the VPS
2. Open it in Gmail
3. Click the three dots > "Show original"
4. Look for:
   - `SPF: PASS`
   - `DKIM: PASS`
   - `DMARC: PASS`

### DNS Verification Commands

Run these from any terminal:

**Check SPF:**
```bash
nslookup -type=TXT rateright.com.au
```
Verify the VPS IP is included (Path B) or that you're relaying through Google (Path A).

**Check DKIM:**
```bash
nslookup -type=TXT google._domainkey.rateright.com.au
```
Should return the RSA public key.

**Check DMARC:**
```bash
nslookup -type=TXT _dmarc.rateright.com.au
```
Should show the updated policy with `rua` address.

**Check PTR:**
```bash
nslookup 134.199.153.159
```
Should return `rateright.com.au` or `mail.rateright.com.au`.

### Online Tools

- **MXToolbox:** https://mxtoolbox.com/SuperTool.aspx -- enter `rateright.com.au` and check SPF, DKIM, DMARC, blacklists
- **Google Admin Toolbox:** https://toolbox.googleapps.com/apps/checkmx/ -- check MX and mail config
- **DMARC Analyzer:** https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/ -- validate DMARC syntax
- **Blacklist Check:** https://mxtoolbox.com/blacklists.aspx -- enter `134.199.153.159` to check if the VPS IP is blacklisted

---

## Common VPS Email Pitfalls

**Blacklisted IP ranges.**
Many VPS providers have IP ranges that are pre-blacklisted because of past abuse by other customers. Check the IP at mxtoolbox.com/blacklists.aspx. If it's listed, you either need to request delisting or get a new IP.

**Port 25 blocked.**
Some VPS providers block outbound port 25 by default. You may need to open a support ticket to unblock it. This only matters for Path B.

**Rate limiting.**
Google's SMTP relay has sending limits. Free Gmail: 500/day. Google Workspace: 2,000/day. SMTP relay service (paid): up to 10,000/day. Plan your outreach volumes accordingly.

**Warm-up period.**
If you're sending from a new IP or newly configured domain, start slow. Send 10-20 emails/day for the first week, then ramp up gradually. Sudden volume spikes trigger spam filters.

**Soft fail (~all) vs hard fail (-all).**
The current SPF ends with `~all` (soft fail). This means unauthorized IPs get flagged but not outright rejected. Once everything is confirmed working, change to `-all` (hard fail) for stronger protection.

---

## Recommended Action Plan

| Step | Action | Who | Time |
|------|--------|-----|------|
| 1 | Set up PTR record for 134.199.153.159 | VPS provider dashboard | 5 min + propagation |
| 2 | Create App Password in Google Workspace | Rocky or admin | 5 min |
| 3 | Update VPS outreach script to use smtp.gmail.com | Rocky / dev | 30 min |
| 4 | Send test to mail-tester.com, verify 9+ score | Rocky | 10 min |
| 5 | Update DMARC record to add rua reporting | DNS admin (GoDaddy) | 5 min |
| 6 | Re-send test to YHA Sydney Central | Rocky | 5 min |
| 7 | Monitor DMARC reports for 2 weeks | Ops | ongoing |
| 8 | Tighten DMARC to p=quarantine | DNS admin | 5 min |
| 9 | After 2 more clean weeks, move to p=reject | DNS admin | 5 min |

---

## DNS Provider Info

Domain registrar/DNS appears to be **GoDaddy** (nameservers: ns57.domaincontrol.com, ns58.domaincontrol.com).

To edit DNS records:
1. Log in to GoDaddy
2. My Products > rateright.com.au > DNS
3. Edit TXT records for SPF, DMARC
4. Add new TXT records for DKIM if needed

DNS changes typically propagate within 1-4 hours, but can take up to 48 hours.

---

## What "COO Fixed DMARC" Likely Means

The DMARC record exists (`v=DMARC1; p=none;`), which means it was probably added recently. Before that, there was no DMARC record at all, which is worse -- some receivers auto-reject domains with no DMARC.

However, `p=none` with no reporting is basically a placeholder. It says "I have DMARC" but doesn't enforce anything or collect data. The fixes above will make it actually functional.

---

## Emergency: If Emails Are Still Bouncing After Fix

1. Check if VPS IP is blacklisted: https://mxtoolbox.com/blacklists.aspx
2. Check Google Workspace sending limits haven't been hit
3. Read the actual bounce message -- it tells you exactly what failed
4. Try sending from a different Google Workspace user
5. If using Path B, check VPS mail logs: `sudo tail -f /var/log/mail.log`
