To help protect against spoofing, a Google Apps administrator can add message authentication to every email delivered from Google Apps. This involves using a private domain key to add a cryptographic signature to the headers of your domain's outgoing email. A matching public key is generated and added to your domain's DNS settings. Recipient servers can then retrieve the public key to verify the signature, confirming that the message comes from the proper location and has not changed along the way.
Repeat these steps for each domain associated with your Google Apps account.
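
To confirm what a recipient server will see once the key is published, the added example below (not Google's code) derives the DNS name a receiver queries from a DKIM-Signature header and sanity-checks both the header and the published TXT record against RFC 6376. The domain `example.com`, the selector `google`, and all key and signature bytes are constructed placeholders.

```python
import base64
import binascii

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def key_lookup_name(sig):
    """DNS TXT name a receiver queries for the key: <s>._domainkey.<d>."""
    t = parse_tags(sig)
    return f"{t['s']}._domainkey.{t['d']}".lower()

def check_signature(sig):
    """Return problems found in a DKIM-Signature header value."""
    t = parse_tags(sig)
    problems = [f"missing {n}= tag" for n in ("v", "a", "b", "bh", "d", "h", "s") if n not in t]
    if "from" not in t.get("h", "").lower().split(":"):
        problems.append("From header is not covered by the signature")
    if t.get("a") == "rsa-sha1":
        problems.append("rsa-sha1 is deprecated (RFC 8301)")
    return problems

def check_key_record(txt):
    """Return problems found in the TXT record published at the lookup name."""
    t = parse_tags(txt)
    problems = []
    if t.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if "p" not in t:
        problems.append("missing p= tag (public key)")
    elif t["p"] == "":
        problems.append("empty p= means the key has been revoked")
    else:
        try:
            base64.b64decode(t["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    if "y" in t.get("t", "").split(":"):
        problems.append("t=y: domain is still in DKIM testing mode")
    return problems

# Constructed samples: domain, selector and all key/signature bytes are placeholders.
PLACEHOLDER = base64.b64encode(b"constructed placeholder, not a real key").decode()
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;\r\n"
              "\th=From:To:Subject:Date; bh=" + PLACEHOLDER + "; b=" + PLACEHOLDER)
SAMPLE_KEY = "v=DKIM1; k=rsa; p=" + PLACEHOLDER
```

These checks cover structure only; they do not verify the signature itself, which requires the real key and the canonicalized message.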