CASE STUDY

How Saleshero Fixed DKIM and Lifted DMARC Compliance from 86% to 99.9%

DMARCeye revealed that Google Workspace was signing Saleshero's emails with a default key that fails every time the email passes through forwarding or a third party. After deploying their own DKIM key, the fail rate dropped to almost zero.

saleshero
THE CLIENT

About Saleshero

Saleshero is a B2B sales academy for smaller businesses. They help founders, CEOs and sales teams grow — from setting up sales strategy, to training employees in sales skills, to long-term coaching of leaders.

Frame 427319730

Founded by Alexander Raiman and Fares Měchura — former sales leaders from companies like Socialbakers, Khoros and AnyDesk. Since 2020 they have coached over 150 business leaders. 

VISIT WEBSITE

What Saleshero Offers

Saleshero Bootcamp — 3-month intensive B2B sales training with online sessions and a self-study course.

Elite Program — 12-month support program for CEOs, owners and senior managers.

Saleshero Podcast — Weekly B2B sales tips from Saleshero founders Alex and Fares. 

 

Results in Numbers

Email is a critical tool for Saleshero, because all communication with leads, clients and partners flows primarily through Google Workspace. If a sales message fails to deliver or ends up in spam, Saleshero loses an opportunity. This is why deliverability and email authentication had to be in perfect order.

BEFORE THE FIX

86.50%

DMARC compliance for Google sending. Of 8,216 emails, 1,109 failed DMARC, leading to significant deliverability losses.

AFTER DKIM DEPLOYMENT

99.89%

Email delivery stabilized — out of 2,803 emails, only 3 failed DMARC's checks.

Failure rate drop

−99.2%

from 13.50% to 0.11%

Compliance lift

+13.4 pp

across Google sources

Days with ≥1 DMARC fail

72% → 6%

before / after fix

First day after fix:

675 / 0

emails passed / failed DMARC

Starting Situation

Saleshero sends from the domain saleshero.cz primarily through Google Workspace — sales communication, follow-ups, business proposals. The domain had SPF and DMARC deployed in monitoring mode (p=none), and Google was signing outgoing emails with a DKIM signature. The problem was that Google was signing emails with a default key from the technical sub-domain saleshero-cz.20230601.gappssmtp.com — not directly from the saleshero.cz domain. This is the standard fallback when a Google Workspace customer hasn't set up their own DKIM key.

From a DMARC validation perspective, this is a problem, as DMARC requires that the domain in the DKIM signature matches the domain in the <From> field (so-called DKIM alignment). In Saleshero's case, the default key signed under the gappssmtp.com domain, but the emails came from @saleshero.cz. Alignment failed, so DMARC did, too.

What DMARCeye Revealed

The reports showed that 4,651 of 5,877 emails from a single Google IP (209.85.220.41) were signed with the default gappssmtp.com key; DKIM was technically passing here, but DMARC failed due to the mismatched domain. In contrast, 1,226 emails with the proper selector, google._domainkey.saleshero.cz, passed both DKIM and DMARC.

11.1%

This wasn't a Saleshero fluke. Roughly 11% (1 in 9) of Google-sent messages in DMARCeye's Q1 2026 dataset fails DKIM the same way. As our report notes, this almost always comes from the sender side, not Google. When a customer never replaces Google Workspace's default DKIM key, the mail fails alignment the moment it is forwarded or relayed.

 
 

The Scenario That Exposed It

An illustrative example from the data: Saleshero recorded 177 failed emails from IP address 2a00:1450:4864:20::149, most of which went to a single company.

How things typically go wrong

  1. A sales email goes from salesperson@saleshero.cz via Google Workspace to john.doe@testcompany.eu
  2. The testcompany.eu server forwards the email to his personal Gmail
  3. During the forward, the sender changes from Google (Saleshero) to testcompany.eu's server, and SPF breaks
  4. Without a properly aligned DKIM signature, DMARC has nothing to fall back on, so it fails, and John Doe's Gmail flags it as suspicious.

This is how 177 Saleshero emails to just one client company failed DMARC; the same pattern repeated across dozens of others.

This, unfortunately, is the normal B2B reality. Clients have aliases, secretaries with forwarded mailboxes, mailing lists, contact forms, third-party platforms sending on their behalf, and more.

Forwarding is the rule, not the exception. And for Saleshero, who closes business meetings and sends proposals via email, deliverability is directly tied to revenue.

THE PROCESS

Step-by-Step Resolution

Saleshero went from identification of the problem to final resolution in just 5 steps, powered by DMARCeye monitoring, with full visibility and control throughout the entire process.

 

STEP 1

Identification in DMARCeye. In the drilldown for saleshero.cz, we saw that emails were signed with the default gappssmtp.com key, which doesn’t align with the From domain.

STEP 2

Custom DKIM key generation. In the Google Workspace admin console we generated a 2048-bit DKIM key directly for the saleshero.cz domain.

STEP 3

TXT record publication in DNS. We added the record for the selector google._domainkey.saleshero.cz at the DNS provider.

STEP 4

Activation of signing. After DNS propagation we enabled signing with the new DKIM key in Google Workspace, which retired the default key.

STEP 5

Verification in DMARCeye. On the very first day after activation, 675 emails went through Google with zero fails. In the following weeks, the fail rate stayed practically at zero.

TESTIMONIAL

Hidden Risk: Identified, Then Fixed

DMARCeye helped Saleshero uncover a hidden deliverability risk in Google Workspace and fix it beyond any doubt.

Before we started using DMARCeye, we had no idea we could even have a problem with DMARC. We assumed that since we use Google Workspace, everything DMARC-related was automatically taken care of. But it was a real surprise to find out that a meaningful share of our emails could end up somewhere other than our clients' inboxes. The key moment for us was bringing a DMARC monitoring service like DMARCeye into our tech stack—it's what helped us find the gap and close it.

1758127399783
Co-founder, Saleshero Alexander Raiman
KEY TAKEAWAY

The Hidden DKIM Problem in Google Workspace

DKIM in Google Workspace “works” out-of-the-box — Google always signs emails, whether you set up your own key or not. That’s the trap. The default key under the gappssmtp.com domain doesn’t pass DMARC alignment, so authentication of every email that hits a forwarder or a third-party service can fail.

In DMARC monitoring mode (p=none), nothing happens but monitoring. Emails are still delivered, and the problem remains hidden until Gmail or Yahoo start routing business messages to spam at scale.

For Saleshero, it took about two business days from problem identification to activation of their own DKIM key. Without DMARCeye, the issue would likely have only surfaced if a major client had said "I'm not getting your emails".