If your company sends email through Google Workspace, some of your mail may be failing DMARC without anyone noticing, specifically the messages that get forwarded. The cause is a default DKIM key that Google signs with until you publish your own. This guide explains why it happens, how common it is, and how to fix it, using data from one of DMARCeye's clients as a real-life example.
Google Workspace always signs your outgoing mail with a DKIM signature, whether or not you have configured your own key. If you have not set one up, it signs with a default key on a Google technical domain, something like yourcompany.20230601.gappssmtp.com, instead of your own domain. Nothing looks wrong: the mail sends, and on direct delivery it usually passes.
DMARC passes only when the domain in the DKIM signature aligns with the domain your mail is actually from. The default Google key signs under gappssmtp.com while your mail is from your own domain, so it never aligns. On direct delivery, this goes unnoticed because SPF still passes. But, the moment a message is forwarded, SPF breaks, DKIM has nothing aligned to fall back on, and DMARC fails. The message can land in spam, and the sender never sees a bounce.
The stakes are higher than they used to be. Since Google and Yahoo tightened their bulk-sender requirements in 2024, a DMARC failure increasingly means landing in spam.
In DMARCeye's Q1 2026 dataset, roughly 11% of all Google-sent mail, about 1 in 9 messages, fails DKIM this same way. It almost always comes from the sender side, not Google, because someone never replaced the default key.
These figures come from DMARCeye's Q1 2026 industry report on the state of DMARC.
Saleshero is a B2B sales academy for smaller businesses and client of DMARCeye. It helps founders, CEOs, and sales teams grow - from setting up sales strategy, training sales teams, to long-term coaching of leaders. Their sales communication, follow-ups, and proposals all run through Google Workspace, so for Saleshero, deliverability directly impacts revenue.
Saleshero's DMARC reports showed the pattern plainly. Across Google sending, 1,109 of 8,216 messages were failing DMARC, for 86.5% compliance. On one recipient domain that forwarded mail to a personal Gmail, only 2.3% of messages passed.
Saleshero published their own DKIM key, and within about two business days the DMARC fail rate fell from 13.5% to 0.11%, with compliance reaching 99.9% and forwarded mail no longer failing. The weekly view from DMARCeye shows the turnaround: months of failures, then near zero the week the new key went live.
"We assumed that since we use Google Workspace, everything DMARC-related was automatically taken care of. It was a real surprise to find out that a meaningful share of our emails could end up somewhere other than our clients' inboxes."
Alexander Raiman
Co-founder, Saleshero
See the full numbers and timeline in the Saleshero case study.
The fix is to publish your own DKIM key so Google signs under your domain instead of the default Google domain.
If you want to handle this yourself, the setup lives in your Google Admin console and takes a few minutes plus one DNS change:
gappssmtp.com one.Step two needs access to your domain's DNS. If you do not manage that yourself, which is common for marketing teams, pass it to whoever does: your IT team, your web host, or whoever set up your domain.
Google's official walkthrough has the full detail: Turn on DKIM for your domain.
If you send through Google Workspace and have never published your own DKIM key, it is worth seeing what your domain looks like right now.
The DIY route works, but publishing the key was never the hard part. The hard part is knowing the gap is there in the first place, and catching the next one before it costs you a deal.
That is where DMARCeye comes in. It reads your DMARC reports and turns them into plain guidance: it shows where your email authentication is failing, explains why, and tells you the exact next step to fix it. A gap like the default Google key shows up on its own, and DMARCeye keeps watching so the next misconfiguration appears while it is still invisible to everyone else.