Rate Limits
API Rate Limits
EmBoux currently does not enforce rate limiting at the API level. The API is designed for infrastructure provisioning, not high-frequency access patterns.
Typical usage patterns:
| Operation | Expected Frequency |
|---|---|
| Create domain | Once per customer onboarding |
| Create mailbox | A few per domain setup |
| Create alias | A few per mailbox |
| Quota updates | On plan change |
| Suspend/activate | On payment events |
SMTP Sending Limits
Outbound email is controlled at three time scales, enforced in real time by the Policy Daemon:
Hourly Throttle
Each domain can send at most ~1/6 of its daily limit per hour (minimum 10). This prevents burning the entire daily quota in a burst, which providers flag as spam.
| Daily Limit | Hourly Cap |
|---|---|
| 200 | 33 |
| 1,000 | 167 |
| 5,000 | 835 |
| 10,000 | 1,670 |
The fraction is configurable via HOURLY_FRACTION (default: 0.167).
Daily & Monthly Limits
Per-domain daily and monthly limits are set from the customer’s plan. See Outbound Email for details.
Spike Detection
If today’s sending volume exceeds 5x the 7-day rolling average, the domain is blocked (hard enforcement) or warned (soft enforcement). This protects against a well-behaved client suddenly sending mass email.
The multiplier is configurable per domain via spike_max_multiplier (0 = disabled).
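The hourly throttle and spike detection rules above, written out as an added sketch (this is not EmBoux's Policy Daemon code). The function names, the truncation of fractional caps, the "hard"/"soft" argument values, and skipping the spike check when there is no sending history are assumptions made for the example.

```python
from decimal import Decimal

HOURLY_FRACTION = Decimal("0.167")  # default given on this page
HOURLY_MINIMUM = 10                 # "minimum 10" per hour


def hourly_cap(daily_limit, fraction=HOURLY_FRACTION):
    """Hourly cap: a fraction of the daily limit, never below the minimum.

    Assumption: fractional results are truncated, which reproduces the
    table above (200 -> 33, 5,000 -> 835).
    """
    return max(HOURLY_MINIMUM, int(Decimal(daily_limit) * fraction))


def spike_exceeded(sent_today, last_7_days, multiplier=5):
    """True when today's volume exceeds multiplier x the 7-day average."""
    if multiplier == 0:          # 0 = disabled, as with spike_max_multiplier
        return False
    average = sum(last_7_days) / len(last_7_days) if last_7_days else 0
    if average == 0:             # assumption: no baseline yet, skip the check
        return False
    return sent_today > multiplier * average


def evaluate_send(sent_this_hour, sent_today, last_7_days, daily_limit,
                  spike_max_multiplier=5, enforcement="hard"):
    """Return (decision, reason) for the next outbound message."""
    if sent_this_hour >= hourly_cap(daily_limit):
        return "block", "hourly cap reached"
    if spike_exceeded(sent_today, last_7_days, spike_max_multiplier):
        # Hard enforcement blocks the domain; soft enforcement only warns.
        decision = "block" if enforcement == "hard" else "warn"
        return decision, "volume above spike threshold"
    return "allow", "within limits"


if __name__ == "__main__":
    history = [100] * 7  # constructed sample: steady 100 messages/day
    print(evaluate_send(10, 501, history, daily_limit=1000))
    print(evaluate_send(10, 501, history, 1000, enforcement="soft"))
    print(evaluate_send(167, 200, history, daily_limit=1000))
```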
Warm-up
New domains start with a progressive daily cap. See Warm-up Profiles for details.
Recommendations
- Don’t poll — Use webhooks or Odoo crons for sync, not polling loops
- Batch where possible — If creating multiple resources, do them sequentially without artificial delays
- Set reasonable timeouts — We recommend 10-15 seconds per request
- Handle errors gracefully — Retry `500` errors with exponential backoff (1s, 2s, 4s)
- Spread sends over time — Don’t queue thousands of emails to fire simultaneously
Future API Rate Limits
When API-level rate limiting is introduced, it will follow standard HTTP conventions:
- `429 Too Many Requests` status code
- `Retry-After` header with seconds to wait
- Per-key limits based on plan tier
We’ll announce changes with at least 30 days’ notice.
WAF Protection
The API sits behind a Web Application Firewall. To avoid being blocked:
- Set a proper `User-Agent` header (e.g., `MyApp/1.0` or `Odoo/19.0 (EmBoux Core Sync)`)
- Don’t send malformed or extremely large payloads
- Don’t make requests from known-bad IP ranges