Last updated: July 2026

In short: When Gmail rejects your outbound mail with error codes, the root cause is almost always missing email authentication records (SPF/DKIM), broken reverse DNS (PTR) configuration, or elevated spam complaint rates. Review the exact bounce message definitions below along with actionable steps to resolve them immediately.

Receiving a bounce message from Google’s inbound mail relays (gmail-smtp-in.l.google.com) can bring important communication to a halt. Following Google’s enforcement of strict sender guidelines, Gmail requires authenticated sending infrastructure and monitors domain reputation closely via Google Postmaster Tools. To ensure uninterrupted delivery, senders must keep their user-reported spam rate strictly within acceptable thresholds: below 0.3%.

Below is a detailed diagnostic dictionary of the most common Gmail SMTP error messages—including their exact text, underlying causes, concrete resolution steps, and realistic recovery timelines.


Error 550 5.7.26 — Sender Unauthenticated

Exact error string from Gmail

This email has been blocked because the sender is unauthenticated. Gmail requires all senders to authenticate with either SPF or DKIM.

Meaning and root cause

Gmail is rejecting your email permanently (550 hard bounce) because the message lacks both a valid Sender Policy Framework (SPF) record and a valid DomainKeys Identified Mail (DKIM) signature. To protect users against spoofing and phishing, Google enforces a mandatory authentication requirement across all inbound messages.

Concrete fix steps

  1. Configure SPF or DKIM: Publish a valid SPF record in your domain’s DNS settings authorizing your mail server’s IP address, or enable DKIM signing within your email provider or server control panel.
  2. Verify SPF syntax: Ensure that your domain’s SPF record correctly includes your mail host (include:) or IP address (ip4:/ip6:).
  3. Check domain alignment: If you have published a DMARC record, confirm that the domain in your DKIM signature (d=) or SPF envelope (Return-Path) aligns with the visible From header.

Realistic timeline

Once your SPF or DKIM DNS records are published, global propagation typically takes between 15 and 60 minutes. As soon as Google’s edge resolvers detect the valid authentication records, inbound mail acceptance resumes immediately.


Error 421 4.7.28 — Unusual Sending Rate / Temporary Rate Limit

Exact error string from Gmail

Gmail has detected an unusual rate of email. To protect our users from spam, email has been temporarily rate limited.

Meaning and root cause

This is a temporary rejection (421 soft bounce). Google’s anti-abuse systems have detected an abnormal surge in email traffic originating from your IP address or domain within a short timeframe, or recent messages have generated elevated user spam complaints.

Concrete fix steps

  1. Throttle sending volume: Slow down the connection rate and delivery throughput from your mail server to Google relays (for example, by adjusting concurrency limits in Postfix or staggering campaign batches).
  2. Audit Postmaster Tools: Log in to Google Postmaster Tools for your sending domain and verify whether your spam complaint rate has exceeded the critical threshold (below 0.3%.).
  3. Respect retry backoffs: Do not configure your server to aggressively retry bounced messages every few seconds. Allow normal, exponential retry intervals to elapse.

Realistic timeline

Rate limit blocks (421) clear automatically once your sending volume stabilizes and the temporary restriction window expires. The typical cooldown period ranges between 2 and 24 hours.


Error 4.7.25 — Missing or Mismatched Reverse DNS (PTR Record)

Exact error string from Gmail

The sending IP address for this message doesn't have a PTR record, or the PTR record's forward DNS entry doesn't match the sending IP address. To protect users from spam, your email has been temporarily rate limited.

Meaning and root cause

Your mail server’s IP address fails forward-confirmed reverse DNS (FCrDNS) verification. Either your IP address has no reverse DNS (PTR) record assigned at your hosting provider, or the domain name returned by the PTR lookup does not resolve back (A or AAAA record) to that exact sending IP address.

Concrete fix steps

  1. Assign a PTR record: In your server hosting control panel, assign a unique, fully qualified hostname (mail.yourdomain.com) as the reverse DNS PTR record for your IPv4 and IPv6 addresses.
  2. Align forward DNS: In your domain’s DNS management panel, ensure that an A (and AAAA) record exists for mail.yourdomain.com pointing exactly to your mail server’s public IP address.

Realistic timeline

Updating a PTR record requires your hosting provider’s authoritative DNS servers to propagate changes, which typically takes between 30 minutes and 4 hours before clearing Google’s DNS caches.


Error 550 5.7.1 — Prohibited by User or Domain Policy

Exact error string from Gmail

The user or domain that you are sending to (or from) has a policy that prohibits the email that you sent. Contact your domain administrator for assistance.

Meaning and root cause

This permanent rejection (550 5.7.1) occurs when an administrative policy explicitly blocks the transmission. Commonly, this happens when your domain publishes a strict DMARC policy (p=reject) and your outbound message fails SPF and DKIM alignment, or when the receiving Google Workspace organization maintains custom administrative content filters or routing blocks.

Concrete fix steps

  1. Audit third-party senders: Ensure that all marketing tools, CRM platforms, or forwarding services sending mail on your behalf are properly authenticated with DKIM and SPF to pass DMARC.
  2. Contact the recipient administrator: If you are delivering mail to a Google Workspace enterprise organization, ask their IT administrator to check whether custom compliance filters or restricted sender lists are blocking your domain or IP.

Realistic timeline

As soon as the underlying DMARC misalignment is corrected or the recipient administrator removes the restriction from their Google Workspace control panel, delivery resumes immediately.


Verifying your configuration

To verify that your DNS authentication records (SPF, DKIM, DMARC) and reverse DNS (PTR) setup comply with Google’s sender standards, run a full health check using the free MXAudit scanner.

Further reading