Contents
Gmail is the largest single destination for most high-volume senders and operates the most sophisticated reputation filtering system of any mailbox provider. Its requirements changed materially in February 2024 with mandatory bulk sender compliance rules applying to all senders exceeding 5,000 daily messages to Gmail addresses. Getting PowerMTA configuration right for Gmail is not optional — it is the foundation of any serious sending operation.
This reference covers the complete PowerMTA domain block for Gmail, the 2024 bulk sender requirements, correct response to 421 error codes, Postmaster Tools monitoring integration, and the full authentication stack Gmail evaluates for inbox placement decisions.
Gmail Domain Block Configuration
The PowerMTA domain block for Gmail controls connection behavior, throttle rates, retry logic, and DKIM signing configuration. Values must be calibrated to your IP reputation tier — not to generic defaults that ignore your sending history.
domain gmail.com {
virtual-mta-pool gmail-pool
# Concurrent connections — calibrate to Postmaster Tools tier
# HIGH reputation: 6-10 | MEDIUM: 3-5 | LOW: 1-2
max-smtp-out tuning 8
max-conn-rate 1/s
max-msg-rate 300/h
retry-after 15m
mx-rollup gmail.com
dkim-sign domain="yourdomain.com" \
key-file="/etc/pmta/dkim/yourdomain.private" \
selector="s1" \
header-list="From:To:Subject:Date:Message-ID:Content-Type"
}
domain googlemail.com {{ mx-rollup gmail.com }}
The mx-rollup directive is critical: Gmail uses multiple MX hosts that all share the same reputation pool. Without mx-rollup, PowerMTA opens separate connection pools for each MX host and may exceed Gmail's connection limits.
Gmail Bulk Sender Requirements 2024
Google's February 2024 requirements apply to any sender exceeding 5,000 daily messages to Gmail. Non-compliance results in delivery rejection. These are enforced requirements, not recommendations.
| Requirement | Status | Verification Method |
|---|---|---|
| SPF authentication | Required | dig TXT yourdomain.com |
| DKIM with 1024+ bit key | Required | Accounting log: dkim=pass |
| DMARC policy published | Required | dig TXT _dmarc.yourdomain.com |
| Spam rate below 0.1% | Required | Google Postmaster Tools |
| List-Unsubscribe one-click (RFC 8058) | Required for bulk | Inspect message headers |
| Honour unsubscribes within 2 days | Required | Suppression system audit |
| PTR record matching sending domain | Strongly recommended | dig -x [IP] |
Gmail 421 Error Codes and Correct Response
Gmail uses specific SMTP response codes with distinct diagnostic meaning. Reading and responding correctly to these codes determines whether a deferral resolves itself or escalates to a block.
| Response Code | Meaning | Correct Response |
|---|---|---|
421 4.7.0 | Reputation-based connection refusal | Reduce max-smtp-out 50%, check spam rate, increase retry-after to 30m |
421 4.7.28 | IP not allowed — unauthenticated | Verify SPF includes sending IP, check DKIM signing |
550 5.7.1 | Message rejected — spam or policy | Check Postmaster Tools spam rate; if above 0.1% pause and investigate |
550 5.7.26 | SPF/DKIM/DMARC alignment failure | Debug DMARC alignment — signing domain must match From: domain |
452 4.5.3 | Too many messages this session | Reduce messages per connection via max-msg-per-conn |
Google Postmaster Tools Integration
Google Postmaster Tools provides domain-level and IP-level reputation data for Gmail delivery. Access at postmaster.google.com. Requires domain verification via a DNS TXT record. Once verified, it shows spam rate, domain reputation tier, IP reputation, delivery errors, and authentication summary.
- HIGH reputationNormal delivery. Maintain current practices. No configuration changes warranted.
- MEDIUM reputationSome messages routed to spam. Investigate complaint sources by segment. Do not wait for further degradation.
- LOW reputationSignificant filtering. Reduce volume by 70%, pause non-transactional sends, audit list quality.
- BAD reputationMost messages blocked. Complete operational review required — list quality, authentication, possibly new IP warming.
# Correlate PowerMTA accounting log with Postmaster Tools lag
# Postmaster Tools lags 24-72h behind actual send events
# Monitor accounting log for leading indicators:
grep "gmail.com" /var/log/pmta/acct-YYYYMMDD.csv | \
awk -F, '$8 ~ /^421/ {count[$8]++} END {for(c in count) print count[c], c}' | \
sort -rn
# high deferral rate diagnosis above 5% = investigate
# 421 4.7.0 pattern = reputation-based throttle in effect
# Correlate with Postmaster Tools data 24-72h later
Spam Rate Thresholds and Operational Response
Gmail measures spam rate as the proportion of messages Gmail users report as spam. This is recipient-reported, not content-filtered — a relevant message from an unremembered opt-in generates the same spam signal as a genuine spam message. The metric is behavioral.
| Spam Rate | Impact | Required Action |
|---|---|---|
| 0.00 – 0.07% | Normal delivery | Maintain practices |
| 0.07 – 0.10% | Minor deferral increase | Investigate complaint sources by segment |
| 0.10 – 0.20% | Inbox placement degrades 10–30% | Suppress non-engaged segments; reduce volume |
| 0.20 – 0.40% | Significant spam folder routing | Pause non-transactional; full list audit |
| Above 0.40% | Active delivery filtering | Stop sending; rebuild from engaged only |
DKIM and DMARC Configuration for Gmail
Gmail evaluates DKIM and DMARC as sender authentication signals. DKIM alone is insufficient — DMARC alignment requires that the DKIM signing domain match the From: header domain. This aligned authentication is what Gmail uses for reputation scoring.
# Generate 2048-bit DKIM key openssl genrsa -out /etc/pmta/dkim/yourdomain.private 2048 openssl rsa -in /etc/pmta/dkim/yourdomain.private -pubout | \ grep -v "^-" | tr -d '\n' # Publish result as: s1._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=[KEY]" # DMARC progression for Gmail deliverability: # Phase 1: p=none; rua=mailto:dmarc@yourdomain.com (monitoring) # Phase 2: p=quarantine; pct=25 (partial enforcement) # Phase 3: p=reject (full enforcement) # _dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
List-Unsubscribe Header Configuration
Gmail's bulk sender rules mandate List-Unsubscribe with RFC 8058 one-click unsubscribe for senders over 5,000 daily messages. PowerMTA can inject these headers automatically or pass them through from your sending application.
# PowerMTA inject-header for List-Unsubscribe (fallback method)
domain gmail.com {{
inject-header "List-Unsubscribe: , "
inject-header "List-Unsubscribe-Post: List-Unsubscribe=One-Click"
}}
# Preferred: let your sending application set these per-message
# with an encrypted recipient identifier for automated suppression
Frequently Asked Questions
Operating PowerMTA at production volume?
We manage PowerMTA environments for high-volume senders — configuration, IP warming, daily reputation monitoring, and operational response. Fully managed. No self-service.
