Email delivery to gmail.com rate limited with "421 4.7.30 Your email has been rate limited because DKIM authentication didn't pass"

Article ID: 399006

Products

Messaging Gateway

Issue/Introduction

When attempting to deliver email to gmail.com, the destination mail server rate limits delivery with the following response:

421-4.7.30 Your email has been rate limited because DKIM authentication didn't
421-4.7.30 pass for this message. Gmail requires all bulk email senders to
421-4.7.30 authenticate with DKIM.
421-4.7.30
421-4.7.30 Authentication results:
421-4.7.30 DKIM = did not pass
421-4.7.30 To set up DKIM for your sending domains, visit
421-4.7.30 https://support.google.com/a?p=turn-on-dkim

Cause

The Google email servers rate limit email delivery from sending domains that do not DKIM sign outbound email. Either Messaging Gateway has not been configured to DKIM sign email from the sending domain, or the DKIM TXT records have not been properly configured in the DNS for the sending domain.

Resolution

Configuring Messaging Gateway to DKIM sign outbound email

Adding a Domain Key to Messaging Gateway

  1. In the Control Center, click Administration > Settings > Certificates.
  2. Click the Domain Keys tab.
  3. Click Add.
  4. In the Domain key name field, type a unique name for the domain key.
  5. In the Key length drop-down list, choose a length, in bits, for the RSA key.

    The default key length is 1024 bits.
    Many DNS servers have a 256-character limit for DNS records. Records that are longer than 256 characters may fail to load, or the DNS server may truncate them. To avoid this issue, use 1024-bit DKIM keys. To use a 1536-bit key or 2048-bit key, split the DNS entry into multiple lines of less than 256 characters.

  6. Click Create.

Configuring DKIM Signing

  1. In the Messaging Gateway Control Center, click Protocols > SMTP > Domains.
  2. Select the domain for which you want to enable DKIM signing and click Edit.
  3. On the Edit Domain page, click the Delivery tab.
  4. In the DomainKeys Identified Mail panel, click Enable DKIM signing for messages from this domain.
    Note: SMG signs email based on the sending domain (From:), not the destination domain (To:).
  5. In the Base domain field, enter the domain name to be used as part of the DKIM signature. For example: example.com
  6. In the Selector box, type a selector string that receiving email servers can use to perform DNS lookup to retrieve your public key.

    The selector identifies the key that SMG uses to sign the messages that are sent from this domain. Enter a string of up to 63 lowercase alphanumeric characters (a-z or 0-9).
    For more information on the use of selectors, see RFC 4871, Section 3.1.
    https://tools.ietf.org/html/rfc4871#section-3.1

  7. From the Signing key drop-down list, choose the domain key that you want to use to sign messages from this domain.
  8. Click Save.
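
Added example (not Broadcom's or Messaging Gateway's own code): a Python helper that checks a selector against the rule in the Selector step and splits a DKIM public key TXT record into strings under the 256-character limit described in the Key length step, then confirms the key survives reassembly. The `v=DKIM1; k=rsa; p=` record layout, the `smg2024` selector and the sample key data are assumptions constructed for illustration.

```python
import base64
import re

SELECTOR_RE = re.compile(r"[a-z0-9]{1,63}")  # selector rule from the Selector step
MAX_CHUNK = 255  # keeps each quoted string under the 256-character limit

# Constructed placeholder data sized like RSA public keys (162 and 294 DER bytes);
# these are not real keys. Use the key exported for your domain key instead.
SAMPLE_KEY_1024 = base64.b64encode(bytes(162)).decode()
SAMPLE_KEY_2048 = base64.b64encode(bytes(range(256)) + bytes(38)).decode()


def dkim_txt_record(selector, base_domain, public_key_b64):
    """Return (record name, list of TXT strings) for a DKIM public key record."""
    if not SELECTOR_RE.fullmatch(selector):
        raise ValueError("selector must be 1-63 characters from a-z and 0-9")
    key = "".join(public_key_b64.split())  # drop PEM-style line breaks
    base64.b64decode(key, validate=True)  # raises ValueError on a damaged key
    value = "v=DKIM1; k=rsa; p=" + key
    chunks = [value[i:i + MAX_CHUNK] for i in range(0, len(value), MAX_CHUNK)]
    return f"{selector}._domainkey.{base_domain}", chunks


def published_key_matches(chunks, public_key_b64):
    """Join the strings with no separator, as a verifier does, and compare p=."""
    record = "".join(chunks)
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p") == "".join(public_key_b64.split())


def zone_entry(name, chunks):
    """Format the record in zone-file style, one quoted string per chunk."""
    return f"{name}. IN TXT ( " + " ".join(f'"{c}"' for c in chunks) + " )"


if __name__ == "__main__":
    # "smg2024" is a hypothetical selector; example.com is the base domain above.
    for key in (SAMPLE_KEY_1024, SAMPLE_KEY_2048):
        name, chunks = dkim_txt_record("smg2024", "example.com", key)
        print(len(chunks), "string(s):", zone_entry(name, chunks)[:60], "...")
        print("intact:", published_key_matches(chunks, key),
              "| first string only:", published_key_matches(chunks[:1], key))
```

With the 2048-bit-sized sample, keeping only the first string (the truncation case described in the Key length step) no longer matches the exported key, which is the condition under which a receiver's DKIM check cannot pass.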