Why are Microsoft 365 emails being rate limited by Gmail and how can I fix it?

Key findings

• Authentication issues: A primary cause of Gmail rate limiting for M365 emails is often related to improper or missing DKIM authentication for the sender's own domain.
• Shared infrastructure impact: Microsoft 365 uses shared IP addresses, meaning the sending habits of other users on the same infrastructure can negatively affect your individual sender reputation.
• Default DKIM domains: Relying on the default "onmicrosoft.com" DKIM domain, or only on SPF (Sender Policy Framework) for authentication, may not be sufficient for Gmail's stricter requirements.
• IPv6 sensitivity: Gmail is particularly rigorous about inbound mail over IPv6, which is often used by Office 365, making proper authentication even more crucial.
• Increased scrutiny: Both Google and Microsoft are implementing new, stricter bulk email sender requirements to combat spam, which can impact even low-volume senders if they are not fully compliant.

Key considerations

• Implement custom DKIM: Ensure DKIM is properly configured for your own sending domain, rather than relying on Microsoft's default shared domain.
• Review SPF records: Verify your SPF record is correctly set up to authorize Microsoft 365 as a legitimate sender for your domain. Learn more about DMARC, SPF, and DKIM.
• Monitor deliverability: Keep a close eye on bounce messages and monitor your email delivery to Gmail to quickly identify and address any rate limiting issues.
• Comply with guidelines: Ensure your sending practices align with Gmail's sender requirements, including maintaining low spam complaint rates and easy unsubscribe options.

Key opinions

• Widespread problem: Many marketers and IT administrators report seeing similar 421-4.7.28 rate limiting errors specifically for emails sent from M365 to Gmail.
• Authentication confusion: There's a common belief that while Microsoft manages some backend configurations, the ultimate responsibility for proper domain authentication (like DKIM) falls to the sender.
• Not a personal issue: Many feel it's less about their specific sending volume or content and more about a broader issue related to Microsoft's shared IP reputation or how Gmail perceives M365 traffic.
• Impact of shared infrastructure: The collective sending behavior of all M365 users can affect the deliverability of even legitimate emails, leading to unexpected blocklisting or rate limits.

Key considerations

• Check community forums: Engage with communities and forums, as others may be experiencing similar Microsoft 365 to Gmail deliverability issues and can offer shared solutions.
• Review bounce messages: Carefully analyze the reason codes in bounce messages, such as the "421-4.7.28" error, to pinpoint the exact nature of the rate limit.
• Prioritize DKIM setup: If you're using M365, ensuring that DKIM is signed with your own domain is a critical step to improving deliverability to Gmail and Microsoft domains.
• Check email authentication status: Regularly verify your SPF and DKIM records are correctly published and aligned with your sending domain to avoid issues like common DMARC issues in M365 and Google Workspace.

Key opinions

• DKIM is paramount: Experts strongly recommend implementing DKIM with your own custom domain (d=yourdomain.com) when sending from M365, as shared default domains often have poor reputations with Gmail.
• SPF-only isn't enough: Relying solely on SPF for authentication, without DKIM, can lead to deliverability issues, particularly with Gmail, which values strong domain alignment.
• IPv6 scrutiny: Gmail applies extra scrutiny to email traffic over IPv6, a protocol often used by Office 365, making a robust authentication setup even more vital.
• Shared reputation risks: The poor reputation of shared IP addresses used by Office 365 due to other senders' bad practices can directly cause rate limiting for legitimate users.
• Source of spam: A significant volume of spam originates from Office 365, leading to stricter filtering by major mailbox providers like Gmail.

Key considerations

• Proper authentication: Ensure your email is properly authenticated with your own domain, especially setting up DKIM, to improve deliverability from M365 to Gmail.
• Understand Gmail's grouping: Recognize that Gmail can group sender reputations based on the SPF domain or SPF hostname, particularly when DKIM is absent, leading to widespread impact from a single bad actor. This can lead to temporary rate limiting due to IP reputation.
• Active monitoring: Continuously monitor your sender reputation and deliverability, as issues can arise even with seemingly small sending volumes.
• Address DKIM temporary errors: If you encounter DKIM-related issues, investigate and resolve them promptly, as these can contribute to throttling by Microsoft and other providers, as discussed in diagnosing and reducing DKIM temporary error rates with Microsoft.

Key findings

• Microsoft's new limits: Microsoft has introduced a new Tenant External Recipient Rate Limit (TERRL) of 2,000 recipients in 24 hours for M365 Exchange Online, specifically to fight spam.
• Google's bulk sender requirements: Gmail has updated its requirements for bulk senders, mandating strong authentication (SPF, DKIM, DMARC), low spam rates, and easy one-click unsubscribe options.
• Recipient rate limits: Exchange Online employs recipient rate limits to manage the volume of traffic from individual mailboxes and prevent abuse.
• IP reputation as a factor: Google's and Microsoft's systems detect "unusual rates of unsolicited mail" originating from IP addresses, indicating that IP reputation is a direct trigger for rate limiting.
• Authentication as a protective measure: Robust authentication (SPF, DKIM, DMARC) is highlighted as critical for compliance and to protect users from spam, as non-compliance can lead to temporary rate limiting.

Key considerations

• Adhere to new sender requirements: Ensure full compliance with the latest bulk email restrictions from Google and Microsoft to avoid throttling or blocks.
• Understand Microsoft's internal limits: Be aware of Microsoft's own sending limits, such as the Tenant External Recipient Rate Limit (TERRL), and how they apply to your M365 usage. Refer to our guide on why Microsoft rate limits email sends.
• Maintain strong sender reputation: Proactively manage your domain reputation by minimizing spam complaints and ensuring recipient engagement to prevent being perceived as a source of unsolicited mail. This is key to understanding your email domain reputation.
• Implement DMARC: For bulk senders, DMARC (Domain-based Message Authentication, Reporting & Conformance) is now often a mandatory requirement, providing an extra layer of protection and visibility into authentication failures.