What causes Gmail DKIM domain rate limiting errors and how are they related to SPF?
Michael Ko
Co-founder & CEO, Suped
Published 24 May 2025
Updated 17 Aug 2025
Email deliverability can be a complex challenge, especially when dealing with major mailbox providers like Gmail. One particular issue that can arise is a DKIM domain rate limiting error, often appearing with a code like 421-4.7.28. This can be frustrating because it directly impacts your ability to send emails effectively.
Understanding these errors is crucial for maintaining a healthy sending reputation and ensuring your messages reach the inbox. Many senders focus heavily on SPF and DKIM configurations, but sometimes issues manifest in unexpected ways, such as rate limiting linked to these very authentication standards. We'll explore what causes these specific Gmail DKIM rate limiting errors and how they are often closely tied to SPF, even when the error message explicitly mentions DKIM.
Rate limiting is a mechanism used by email providers to prevent abuse and manage inbound mail traffic. When a sending domain is rate limited, it means Gmail has temporarily reduced the number of emails it will accept from that domain within a certain timeframe. The 421-4.7.28 error specifically points to an unusual rate of unsolicited mail originating from your DKIM domain.
This usually doesn't mean your DKIM setup is inherently broken, but rather that Gmail's spam filters have flagged your sending behavior as suspicious. This could be due to a sudden spike in volume, a high complaint rate, or other factors that suggest your mail might be unsolicited or unwanted by recipients. The mention of the DKIM domain indicates that Gmail is using your DKIM signing domain as the primary identifier to apply this rate limit.
Even with perfect authentication, unexpected sending patterns or poor recipient engagement can trigger these protective measures. It's a clear signal that Gmail is observing something it considers problematic, even if your SPF and DKIM records are technically correct.
Rate limiting indicators
The error message 421-4.7.28 points to an unusual rate of unsolicited mail from your DKIM domain, signaling a temporary restriction.
Impact on deliverability
This can lead to significant delays in email delivery, with some messages being bounced back to the sender or not reaching the inbox at all.
The role of DKIM and SPF in rate limiting
DKIM (DomainKeys Identified Mail) uses a digital signature to verify that an email hasn't been tampered with and truly comes from the claimed sender. SPF (Sender Policy Framework) specifies which mail servers are authorized to send email on behalf of your domain. Both are critical for email authentication and crucial for deliverability, especially with Google and Yahoo's new sender guidelines.
While the rate limiting error explicitly mentions DKIM, SPF failures can indirectly contribute to the issue. If your SPF record is misconfigured, or if emails are being forwarded in a way that breaks SPF (a common problem), Gmail might perceive your messages as less trustworthy. This reduced trust can lead to a higher spam score, even if your DKIM signature is valid.
It's a subtle but important relationship. DKIM and SPF work together to build your domain's sending reputation. If one of them is consistently failing, it can negatively impact the overall perception of your email stream, making your DKIM-signed mail appear more suspicious in the eyes of Gmail's algorithms, triggering rate limits.
How DKIM and SPF relate to rate limiting
SPF failures: Can degrade your sender reputation, making even DKIM-authenticated emails seem less trustworthy to Gmail.
Authentication standards: Gmail prioritizes domains with properly configured SPF, DKIM, and DMARC records.
Interconnectedness: Issues with SPF can indirectly lead to DKIM domain-based rate limits due to overall trust erosion.
Common causes of DKIM and SPF issues
Multiple factors can contribute to DKIM domain rate limiting, often beyond just the DKIM record itself. While a truly broken DKIM signature can lead to rejections, rate limiting usually stems from behavioral factors combined with authentication. For instance, if your SPF record is incorrect or if emails are forwarded through intermediaries that break SPF, it can cause the messages to appear less legitimate.
Another common cause is a high spam complaint rate or low engagement from recipients. If a significant portion of your emails are marked as spam by Gmail users, or if they consistently ignore your messages, Gmail's algorithms will interpret this as a sign of unsolicited mail, regardless of your authentication status. This will lead to Gmail blocking (or blacklisting) your domain or IP.
Volume spikes can also trigger rate limits. Sending a much larger volume of email than usual, especially from a new or previously low-volume domain, can look suspicious to providers like Gmail. Even legitimate marketing campaigns should be warmed up to gradually build sending reputation. Finally, poor content quality, including excessive links or suspicious phrasing, can contribute to these blocklist (or blacklist) issues.
Avoid sudden, large increases in sending volume from a domain.
Engagement and reputation
Focus on sending wanted email to engaged recipients to minimize complaints and maximize positive interactions.
Strategies for resolution and prevention
The first step in resolving these rate limiting errors is to meticulously check your SPF and DKIM records. Even if they appear correct, subtle issues can cause problems. For SPF, ensure you haven't exceeded the 10-DNS lookup limit and that all legitimate sending sources are included. For DKIM, verify that your public key is correctly published in your DNS and matches the private key used for signing.
Next, examine your sending practices. Are you regularly cleaning your email lists to remove inactive or invalid addresses? A high bounce rate, even soft bounces indicating temporary issues, can negatively impact your reputation. Segment your audience and send relevant content to improve engagement, which can lead to fewer spam complaints and more positive interactions.
If you're sending from a new IP address or domain, implement a proper warming-up strategy to gradually increase volume. This signals to mailbox providers that you're a legitimate sender. Regularly check your domain's reputation in Google Postmaster Tools to identify trends in spam complaints, IP reputation, and domain reputation. This will help you proactively address issues before they lead to severe rate limiting or even blacklisting (or blocklisting).
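The SPF 10-DNS-lookup check from the first step can be automated. The following is an added example, not code from the original article: it counts the lookup-causing terms (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) reachable from a domain's SPF record, using constructed TXT records for hypothetical domains in place of live DNS.

```python
# Constructed TXT records for hypothetical domains, standing in for live DNS.
SAMPLE_TXT = {
    "example.com": "v=spf1 a mx include:_spf.mailer.example "
                   "include:_spf.crm.example ip4:192.0.2.0/24 ~all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example "
                           "include:b.mailer.example include:c.mailer.example -all",
    "a.mailer.example": "v=spf1 ip4:198.51.100.0/26 -all",
    "b.mailer.example": "v=spf1 ip4:198.51.100.64/26 -all",
    "c.mailer.example": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.crm.example": "v=spf1 include:x.crm.example a:bounce.crm.example "
                        "mx exists:%{i}.allow.crm.example -all",
    "x.crm.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "fixed.example": "v=spf1 mx include:_spf.mailer.example ip4:203.0.113.0/24 ~all",
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # RFC 7208, section 4.6.4
SPF_LOOKUP_LIMIT = 10

def count_spf_lookups(domain, records, path=()):
    """Count DNS-querying terms in domain's SPF record, following include/redirect.

    Every term is counted, so this is an upper bound: a receiver stops
    evaluating at the first mechanism that matches.
    """
    if domain in path:
        raise ValueError(f"SPF include loop at {domain}")
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in terms[1:]:
        term = term.lstrip("+-~?")                 # strip the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_spf_lookups(term[9:], records, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()          # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
        if name == "include":
            total += count_spf_lookups(arg, records, path + (domain,))
    return total

if __name__ == "__main__":
    for d in ("example.com", "fixed.example"):
        n = count_spf_lookups(d, SAMPLE_TXT)
        print(d, n, "OVER LIMIT" if n > SPF_LOOKUP_LIMIT else "ok")
```

A record that goes over the limit produces an SPF permerror at the receiver, which is one of the SPF failures the article says to investigate first.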
Checking DKIM authentication results
You can examine email headers for authentication results to diagnose issues. Look for Authentication-Results headers and specifically the DKIM and SPF entries, which can reveal details about their pass/fail status and alignment. You can find more information on checking these results.
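The header check described above, as an added example that is not code from the original article: it parses `Authentication-Results` from a constructed message and reports the DKIM and SPF result, the authenticated domain, and whether that domain aligns with the From domain. The sample headers and domains are hypothetical, and organizational-domain matching is simplified to the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (hypothetical domains, addresses and key data).
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.example.com header.s=s1 header.b=AbCdEfGh;
       spf=fail (google.com: domain of bounce@esp-bounces.example does not
       designate 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@esp-bounces.example;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
From: Newsletter <news@example.com>
"""

def org_domain(domain):
    # Assumption: last two labels approximate the organizational domain (use the PSL in production).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Split one Authentication-Results value into (method, result, props)."""
    value = re.sub(r"\([^)]*\)", " ", value)       # drop parenthesised comments
    parsed = []
    for part in value.split(";")[1:]:              # item 0 is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed.append((method.lower(), result.lower(), props))
    return parsed

def summarize(raw_message):
    """Report result, authenticated domain and relaxed alignment per method."""
    msg = message_from_string(raw_message)
    from_org = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    summary = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result, props in parse_auth_results(header):
            if method not in ("dkim", "spf"):
                continue                           # dmarc and others are not compared
            ident = (props.get("header.d") or props.get("header.i", "")
                     if method == "dkim" else props.get("smtp.mailfrom", ""))
            domain = ident.rpartition("@")[2].lower()
            summary.setdefault(method, []).append({"result": result,
                "domain": domain, "aligned": org_domain(domain) == from_org})
    return summary

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The sample shows the pattern the article describes: DKIM passes and aligns, while SPF fails on an unaligned bounce domain.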
Key takeaways for reliable email delivery
DKIM domain rate limiting errors from Gmail, especially those explicitly mentioning an empty domain in the error message, highlight the intricate balance between technical authentication and sender behavior. While the error points to DKIM, the underlying causes often involve broader reputation issues or SPF misconfigurations.
By ensuring robust SPF and DKIM implementation, maintaining consistent sending volumes, and prioritizing recipient engagement, you can mitigate these issues. Regular monitoring of your domain's health and responsiveness to Gmail's guidelines are key to successful email delivery and avoiding future rate limits (or being added to a blocklist).
Views from the trenches
Best practices
Maintain clean email lists and segment your audience to send only to engaged recipients. This reduces spam complaints and improves domain reputation.
Implement a DMARC policy with reporting to gain visibility into your email authentication status and identify potential issues.
Monitor your sending volume and gradually increase it, especially for new domains or IPs, to build trust with mailbox providers.
Common pitfalls
Ignoring DMARC reports, which can provide critical insights into authentication failures and potential spoofing attempts.
Sending to unengaged or outdated email addresses, leading to high bounce rates and spam complaints.
Sudden spikes in email volume from domains without established sending history, triggering rate limits.
Expert tips
If DKIM domain rate limiting occurs, investigate SPF failures first, as they often correlate.
A low-volume rate limit on a DKIM domain might be an early warning sign of broader reputation issues.
Pay close attention to error messages like 'DKIM domain [ 15]' as they may indicate specific system behaviors or bugs.
Expert view
Expert from Email Geeks says a bug might be causing the issue, noting the empty domain brackets in the error message.
Nov 23, 2023 - Email Geeks
Expert view
Expert from Email Geeks says that the observed rate limiting is mild and affects few senders, suggesting it could be related to domain alignment or a system bug, but not widespread issues with secondary signs.