Why are my Microsoft 365 emails being rate limited by Gmail?

Gmail often rate limits Microsoft 365 emails due to shared IP address reputation issues or, more commonly, a lack of proper DKIM authentication for your custom domain. If your DKIM record isn't aligned with your sending domain, Gmail might perceive the emails as less trustworthy, leading to rate limiting or even outright rejection.

What does the error "421-4.7.28 unusual rate of unsolicited mail" mean?

The error message 421-4.7.28 Our system has detected an unusual rate of unsolicited mail from Gmail indicates that your sending IP (or associated domain reputation) has been flagged for sending a high volume of emails that are perceived as spam. This can be due to poor email practices, a compromised account, or, for Microsoft 365 users, a reputation issue with the shared IP address or lack of DKIM alignment .

Is SPF enough, or do I also need DKIM for Microsoft 365 emails?

While SPF helps authenticate your sending domain, DKIM provides a cryptographic signature for each email, verifying that the content hasn't been tampered with and that the sender is authorized. For Gmail , both SPF and DKIM alignment are crucial for strong sender reputation and optimal deliverability.

How can I monitor my email deliverability to Gmail from Microsoft 365?

You can check your DMARC reports , which aggregate data from receivers like Gmail , to see if your emails are passing authentication checks . Additionally, using Google Postmaster Tools can provide insights into your domain's reputation with Gmail .

Why are Microsoft 365 emails being rate limited by Gmail and how can I fix it? - Troubleshooting - Email deliverability - Knowledge base

Many organizations relying on

Microsoft 365 for their email infrastructure have encountered a frustrating issue: their emails are being rate limited by

Gmail. This often manifests as bounce messages indicating 421-4.7.28 unusual rate of unsolicited mail, even when sending a relatively small volume of legitimate emails. It can feel like your legitimate communication is being unfairly penalized, disrupting critical business operations.

This problem stems from a combination of factors, including the nature of shared IP addresses used by large email providers and how email authentication is configured. The good news is that understanding these underlying causes is the first step toward implementing effective solutions. I'll explain why this happens and what practical steps you can take to resolve it.

What is email rate limiting by Gmail?

Email rate limiting is a common practice among major mailbox providers, including Gmail, to protect their users from spam and abuse. It essentially means that the number of emails an IP address or domain can send within a specific timeframe is temporarily restricted. When Gmail detects suspicious sending patterns, it might impose these limits to prevent potential spam floods, as detailed in Google's documentation on email sending limits.

One of the primary reasons Microsoft 365 emails can be rate limited is the use of shared IP addresses. Like many large email service providers, Microsoft routes emails through shared IP pools. If other senders on the same shared IP address engage in activities that trigger spam filters, such as sending unsolicited mail, the reputation of the entire IP can suffer. This can lead to legitimate emails from other Microsoft 365 tenants, even those with good sending practices, being caught in the crossfire and experiencing rate limiting or bounces.

The specific error message 421-4.7.28 Our system has detected an unusual rate of unsolicited mail directly points to a sender reputation issue, often at the IP level. Gmail maintains a detailed reputation system for IP addresses and domains. If the shared Microsoft 365 IP has been flagged due to volume or content from other senders, it will affect your emails too. This is widely discussed by users facing similar issues, for example, on Reddit forums about M365 sending issues.

The critical role of DKIM and SPF

While shared IP reputation is a factor, a more common and direct cause of Gmail rate limiting Microsoft 365 emails is often related to incomplete or incorrect email authentication. Email authentication protocols such as SPF, DKIM, and DMARC are essential for verifying that emails are legitimate and come from authorized senders.

Many Microsoft 365 tenants, particularly those that haven't explicitly configured it, may still be relying on the default .onmicrosoft.com domain for their DKIM signatures. While SPF might align with your custom domain, a lack of DKIM alignment with your primary sending domain (i.e., d=yourdomain.com rather than d=onmicrosoft.com) can significantly degrade your sender reputation with Gmail. Unauthenticated emails are highly scrutinized.

Proper DKIM implementation means your domain is explicitly vouching for the email's integrity, even when sent via a large provider like Microsoft. Without it, Gmail might fall back to assessing the sender solely on the originating IP, which, as discussed, could be tainted by other users. This can lead to emails being deferred or sent to spam, even if your SPF record is correctly configured.

A strong DMARC policy further enhances this by telling receiving servers what to do with emails that fail SPF or DKIM checks and provides valuable reporting on authentication failures.

Addressing the rate limiting issue

To effectively combat rate limiting by Gmail when sending from Microsoft 365, focusing on robust email authentication is paramount.

Default Microsoft 365 Authentication

Shared IPs: Emails sent from IPs shared with other tenants, potentially impacting your reputation due to their actions.
Default DKIM: Often uses the .onmicrosoft.com domain for DKIM, which Gmail might view with lower trust compared to your custom domain.
SPF reliance: Heavier reliance on SPF alignment, which alone may not be sufficient for robust deliverability to Gmail.
Lower reputation: Your email might be grouped with other less reputable senders on the same shared infrastructure.

Custom Domain Authentication

Dedicated reputation: Your sender reputation is tied directly to your domain's sending behavior, not shared IPs.
Aligned DKIM: Configuring DKIM for your primary sending domain (d=yourdomain.com) significantly boosts trust with Gmail.
Full authentication: A combination of aligned SPF, DKIM, and DMARC provides the strongest signal of legitimacy.
Improved deliverability: Leads to better inbox placement and reduced instances of rate limiting or email blocking.

The most crucial step is to ensure that DKIM is properly configured for your custom domain within Microsoft 365. This involves generating DKIM CNAME records in your Microsoft 365 admin center and adding them to your DNS. Once active, these records will allow Gmail (and other mailbox providers) to verify that emails coming from your domain via Microsoft 365 are genuinely authorized.

Example DKIM CNAME Records for Microsoft 365

Host name: selector1._domainkey
Points to address or value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Host name: selector2._domainkey
Points to address or value: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

After implementing DKIM, it's crucial to monitor your DMARC reports. These reports provide invaluable insights into how your emails are being authenticated by various mailbox providers, including Gmail. You'll be able to see if your DKIM and SPF records are passing authentication checks and identify any potential issues that could lead to future rate limiting or delivery problems. Regularly reviewing these reports is a proactive measure for maintaining good deliverability.

Beyond authentication: maintaining long-term deliverability

Beyond technical authentication, maintaining a healthy sender reputation is crucial for long-term deliverability and avoiding blocklists (or blacklists). Gmail closely monitors how recipients interact with your emails. High engagement rates, low spam complaint rates, and minimal bounces contribute to a positive reputation. Conversely, sending to invalid or disengaged addresses can quickly degrade your standing. This is a critical aspect of improving your domain reputation.

If your organization sends bulk emails regularly, relying solely on Microsoft 365's native sending capabilities might not be sufficient or optimal. Microsoft has its own Tenant External Recipient Rate Limit to combat spam, which can impact legitimate high-volume senders. For marketing campaigns or transactional emails, consider integrating a dedicated email service provider (ESP) or an SMTP relay service that specializes in bulk sending. These services are designed to handle high volumes, manage IP reputation, and offer advanced deliverability features that Microsoft 365 isn't optimized for.

Finally, continuous monitoring of your email deliverability is key. Regularly check your sender reputation and monitor various blocklists for your IP addresses and domain. Proactive monitoring allows you to detect issues early and address them before they escalate into severe rate limiting or blocking. Implementing DMARC reports provides a stream of data that can help you identify authentication failures and sources of potential spam.

Views from the trenches

Best practices

Always configure DKIM for your custom domain, even if you're using a major email service provider.

Regularly review your DMARC reports to identify any authentication failures or unauthorized sending.

Maintain a clean and engaged email list to ensure positive recipient interactions.

For high-volume sending, consider using a dedicated email service provider rather than a shared Microsoft 365 infrastructure.

Monitor your sender reputation and check for any blocklist (or blacklist) listings proactively.

Common pitfalls

Relying solely on SPF authentication without DKIM, which can lead to lower trust with some mailbox providers.

Ignoring error messages like 'unusual rate of unsolicited mail,' assuming it's a transient issue.

Not configuring DKIM for your custom domain, thereby relying on the provider's default domain reputation.

Sending bulk emails directly from Microsoft 365, which is not designed for mass marketing.

Failing to segment lists and sending to unengaged recipients, leading to higher spam complaints.

Expert tips

A DKIM signature aligned with your own domain is a powerful signal of legitimacy to Gmail and other receivers.

Even if your SPF is correct, a missing or misconfigured DKIM can lead to significant deliverability problems.

Shared IP pools can carry reputation burdens from other senders, making your authentication even more critical.

Don't overlook the potential impact of IPv6; Gmail can be particularly strict about mail received over IPv6 without strong authentication.

Proactively address any DMARC 'fail' results to prevent future rate limiting or blocking.

Expert view

An expert from Email Geeks says that when Gmail indicates an IP issue, it often points to problems with DKIM or SPF. They have personally seen cases where implementing DKIM for the custom domain, instead of relying on the default Microsoft domain, resolved rate limiting.

October 21, 2023 - Email Geeks

Expert view

An expert from Email Geeks notes that many providers' default shared DKIM domains have poor reputations, making it essential to implement DKIM with your own domain (d=yourdomain.com) to satisfy Gmail.

October 22, 2023 - Email Geeks

Ensuring reliable email delivery

Experiencing rate limiting from Gmail when sending from Microsoft 365 can be a challenging deliverability problem. However, by focusing on robust email authentication, particularly configuring DKIM for your custom domain, and maintaining vigilant sender reputation management, you can significantly improve your email delivery. It's about providing Gmail with the clear signals it needs to trust your mail.

Staying proactive with your email setup and regularly reviewing performance will help ensure your messages consistently reach the inbox, avoiding unnecessary disruptions to your communication flow.