To help guard against spoofing, a Google Apps administrator can add message authentication (DKIM) to every email delivered from Google Apps. This involves using a private domain key to add an encrypted signature to your domain's outgoing email headers. A matching public key is generated and added to your domain's DNS settings. Recipient servers can then retrieve the public key to decrypt the signature in the incoming headers and verify that the message comes from the proper location and has not changed along the way.

Repeat these steps for each domain associated with your Google Apps account.

  1. Generate the public domain key for your domain.
  2. Add the key to your domain's DNS records so recipients can retrieve it for reading the DKIM header.
  3. Turn on email signing to begin adding the DKIM header to outgoing mail messages.
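A lint for step 2, added here as an example and not Google's own tooling: it takes the TXT value as a zone file or `dig` shows it, rejoins the quoted strings that long keys are split into, and reports a revoked, truncated or too-short RSA key. The function names are hypothetical, and the 1024-bit floor is the minimum RFC 8301 sets for DKIM RSA keys.

```python
import base64, re

def _tlv(buf, pos):
    """Read one DER tag-length-value; return (value, offset just past it)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size of an RSA SubjectPublicKeyInfo, the encoding carried in p=."""
    spki, _ = _tlv(der, 0)
    _, after_alg = _tlv(spki, 0)            # skip the AlgorithmIdentifier
    bitstr, _ = _tlv(spki, after_alg)
    rsakey, _ = _tlv(bitstr, 1)             # byte 0 of a BIT STRING is the unused-bit count
    modulus, _ = _tlv(rsakey, 0)
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(rdata):
    """Return a list of problems found in a DKIM key record's TXT value."""
    chunks = re.findall(r'"([^"]*)"', rdata)
    record = "".join(chunks) if chunks else rdata   # TXT strings hold at most 255 bytes each
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # whitespace inside a value is ignored
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":   # only the value is checked, not tag order
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        return problems + ["k= is not rsa; key size not checked"]
    if not tags.get("p"):
        return problems + ["p= missing or empty (an empty p= means the key is revoked)"]
    try:
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):        # bad base64 or DER cut short
        return problems + ["p= is not a complete base64 RSA key (truncated when pasted?)"]
    if bits < 1024:
        problems.append(f"{bits}-bit RSA key is too short")
    return problems

if __name__ == "__main__":
    # Constructed sample: a record whose key has been removed.
    print(check_dkim_record('"v=DKIM1; k=rsa; p="'))
```

Run it on the record after publishing and again after any DNS provider migration, since a key pasted into a single-string field is the usual way the value gets cut short.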