CASE STUDY

How Saleshero fixed DKIM and lifted DMARC compliance from 86% to 99%

DMARCeye revealed that Google Workspace was signing Saleshero's emails with a default key that fails every time the email passes through forwarding or a third party. After deploying their own DKIM key, the fail rate dropped by 99%.

saleshero
THE CLIENT

About Saleshero

B2B sales academy and coaching for smaller businesses. They help founders, CEOs and sales teams grow — from setting up sales strategy through training sales skills to long-term coaching of leaders.

Frame 427319730

Alexander Raiman and Fares Měchura — former sales leaders from companies like Socialbakers, Khoros and AnyDesk. Since 2020 they have coached over 150 people.

VISIT WEBSITE

Saleshero Bootcamp — 3-month intensive B2B sales training with online sessions and a self-study course.

Elite Program — 12-month support program for CEOs, owners and senior managers.

Saleshero Podcast — Weekly B2B sales tips from Saleshero founders Alex and Fares.. 

 

Results in numbers

Email is a critical tool for Saleshero — all communication with leads, clients and partners flows primarily through Google Workspace. If a sales message fails to deliver or ends up in spam, Saleshero loses an opportunity. That is why deliverability and email authentication had to be in order.

BEFORE THE FIX

86.50%

DMARC compliance for Google sending. 1,109 fail emails out of 8,216 — risk of spam folders and lost deliverability.

AFTER DKIM DEPLOYMENT

99.89%

Only 3 fail emails out of 2,803. Deliverability
stabilized.

Fail rate drop

−99.2%

from 13.50% to 0.11%

Compliance lift

+13.4 pp

across Google source

Days with ≥1 fail

72% → 6%

before / after fix

Day of deployment

675 / 0

pass / fail emails

Starting situation

Saleshero sends from the domain saleshero.cz primarily through Google Workspace — sales communication, follow-ups, business proposals. The domain had SPF and DMARC deployed in monitoring mode (p=none), and Google was signing outgoing emails with a DKIM signature. The problem was that Google was signing emails with a default key from the technical sub-domain saleshero-cz.20230601.gappssmtp.com — not directly from the saleshero.cz domain. This is the standard fallback when a Google Workspace customer hasn't set up their own DKIM key. From a DMARC validation perspective, this is a problem. DMARC requires that the domain in the DKIM signature matches the domain in the <From> field (so-called DKIM alignment). The default key signs under the gappssmtp.com domain, but the email comes from @saleshero.cz. Alignment fails → DMARC fails.

What DMARCeye revealed

The reports showed that 4,651 of 5,935 emails from a single Google IP (209.85.220.41) were signed with the default gappssmtp.com key — DKIM technically passing, but DMARC failing due to the mismatched domain. In contrast, 1,226 emails with the proper selector google._domainkey.saleshero.cz passed both DKIM and DMARC without issues.

44%

Of forwarded emails — exactly where mismatched DKIM hurts the most. When a message is forwarded, SPF breaks and DMARC can only survive thanks to a properly aligned DKIM signature.

The scenario that exposed it

Here is a concrete example from the data — IP 2a00:1450:4864:20::149, where Saleshero recorded 173 fail emails. Most of them went to a single company:

A salesperson writes to a client at @testcompany.eu

  1. A sales email goes from salesperson@saleshero.cz via Google Workspace to jan.novak@testcompany.eu
  2. The testcompany.eu server has email forwarded to his personal Gmail — the message moves on
  3. During that forward the sender changes from Google (Saleshero) to testcompany.eu server → SPF breaks
  4. Without a properly aligned DKIM signature, DMARC has nothing to fall back on → fail. Gmail receives the email and may flag it as suspicious.
From the data: 177 such emails from this single IP, only 2.3% compliance. And this is just one client — the same pattern repeated across dozens of other companies.

This is not an exception, this is normal B2B reality. Clients have aliases, secretaries with forwarded mailboxes, mailing lists, old company forwarded to new company, contact forms, third-party platforms sending on their behalf.

Forwarding is the rule, not the anomaly — and for Saleshero, who closes business meetings and sends proposals via email, deliverability is directly tied to revenue.

THE PROCESS

Step-by-step Resolution of the Issue

From initial problem identification to final resolution in just 5 steps — powered by DMARCeye monitoring, giving you full visibility and control throughout the entire process.

 

STEP 1

Identification in DMARCeye. In the drilldown for saleshero.cz, we saw that emails were signed with the default gappssmtp.com key, which doesn’t align with the From domain.

STEP 2

Generated a custom DKIM key. In the Google Workspace admin console we generated a 2048-bit DKIM key directly for the saleshero.cz domain.

STEP 3

Published the TXT record in DNS. We added the record for the selector google._domainkey.saleshero.cz at the DNS provider.

STEP 4

Activated signing. After DNS propagation we enabled signing with the new key in Google Workspace, which retired the default key.

STEP 5

Verification in DMARCeye. On the very first day after activation, 675 emails went through Google with zero fails. In the following weeks the fail rate stayed practically at zero.

TESTIMONIAL

Everything Seemed Fine.
It Wasn’t.

How DMARCeye helped us uncover a hidden deliverability risk in Google Workspace.

Before we started using DMARCeye, we had no idea we could even have a problem. Weassumed that since we use Google Workspace, everything was automatically takencare of. It was a real surprise to find out that a meaningful share of our emails couldend up somewhere other than our clients' inboxes.Identifying and fixing the issue itself was straightforward — but the real key momentfor us was bringing a DMARC monitoring service like DMARCeye into our tech stack.That's what helped us find the gap and close it.—

1758127399783
Co-founder, Saleshero Alexander Raiman
KEY TAKEAWAY

The Hidden DKIM Problem in Google Workspace

DKIM in Google Workspace “works” out-of-the-box — Google always signs emails, whether you set up your own key or not. That’s the trap. The default key under the gappssmtp.com domain doesn’t pass DMARC alignment, so authentication of every email that hits a forwarder or a third-party service can fail.

In DMARC monitoring mode (p=none), “nothing happens” — emails are still delivered, and the problem remains hidden until Gmail or Yahoo start routing business messages to spam at scale.

For Saleshero, it took about two business days from problem identification to activation of their own DKIM key. Without DMARC reports, the issue would likely only surface when a major client said "I'm not getting your emails".