sfw/fix
421 4.7.28 high

421-4.7.28 Gmail Unusual Rate of Unsolicited Mail (IP Rate Limited)

Gmail is temporarily deferring your mail after flagging an unusual volume of unsolicited mail from your IP or domain.

What you see

421-4.7.28 Our system has detected an unusual rate of unsolicited mail
421-4.7.28 originating from your IP address. To protect our users from spam,
421 4.7.28 mail sent from your IP address has been temporarily rate limited.

What’s actually happening

Messages to Gmail/Workspace recipients stop going through and your queue fills with 421-4.7.28 deferrals. The 4.x.x class means temporary — Gmail is throttling, not bouncing, so the mail keeps retrying and may eventually deliver or time out. Delivery to non-Gmail domains usually still works, which points the finger at your reputation with Google specifically. The error sometimes names your DKIM domain, SPF domain, or a URL in the message instead of the IP.

Common causes

  • A genuine volume spike from your IP — a campaign blast, a new sending pattern, or a host you share an IP with — tripped Gmail's rate limiter.
  • Weak or failing authentication: missing/misaligned SPF, DKIM, or a DMARC record, so Gmail can't tie the mail to a trusted identity.
  • Poor list hygiene — sending to stale addresses, spam traps, or recipients who didn't opt in — driving spam complaints up.
  • A compromised account or script on your network sending spam through the same IP, dragging the whole IP's reputation down.
  • Sending from a shared/host IP whose reputation was damaged by another tenant.

How to fix it

  1. Pause and slow the send rateStop the blast. 4.7.28 is a soft deferral that clears as your reputation recovers, so resume at a much lower volume and ramp up gradually rather than hammering the queue, which only reinforces the throttle.
  2. Fix authentication firstPublish and align SPF, DKIM, and DMARC for the sending domain. Confirm with a test message to a Gmail account and check Show original — SPF, DKIM, and DMARC should all read PASS. Google's 2024 sender rules treat missing auth as a strong spam signal.
  3. Clean the list and cut complaintsRemove bounces, stale and unengaged addresses, and anything you can't prove opted in. Make unsubscribe one click and honor it fast. In Google Postmaster Tools, keep the spam-complaint rate under 0.3% (ideally below 0.1%).
  4. Find any compromised sender on the IPAudit who/what is sending through that IP. Look for a hacked mailbox, an open web form, or a rogue script blasting mail. On a shared host, ask the provider whether a neighbor torched the IP and request a dedicated IP if so.
  5. Monitor reputation in Postmaster ToolsAdd the domain to Google Postmaster Tools and watch IP/domain reputation, spam rate, and authentication results. Wait for reputation to climb back to Medium/High before returning to normal volume.

Stop it recurring

Authenticate every message (SPF/DKIM/DMARC), keep complaint rate under 0.3%, and ramp volume gradually instead of spiking.

Related errors

550 5.7.1 Unable to Relay

high

The receiving server refuses to relay your message because the connection isn't authenticated or the recipient isn't a local domain.

550 5.7.1 Message rejected by policy (DMARC/SPF/DKIM or blocklist)

high

The receiving server accepted the connection but refused the message on policy grounds — authentication failure or a bad sender reputation.

550 5.1.1 User unknown / recipient address does not exist

medium

A hard bounce: the mailbox in the RCPT TO doesn't exist on the receiving server, so delivery permanently fails.

421 4.7.0 Temporary deferral / too many connections / rate limited

medium

A soft bounce: the receiving server is throttling you for sending too fast or opening too many connections, and asks you to slow down and retry.