Google has added support for DomainKeys Identified Mail (DKIM) in Google Apps. This adds one additional layer of authentication to prevent forged or spoofed mail which could appear to come from your domain. This is an excellent compliment to having DNS SPF records.
Spammers can forge the From address on mail messages so that the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google Apps enables you to add a digital “signature” to the header of mail messages sent from your domain. Recipients can check the domain signature to verify that the message really comes from your domain and that it has not been changed along the way. (If your domain has an SPF record, recipients can also verify that the message came from an authorized mail server.)
Set up consists of generating the key and adding it to your DNS records as a TXT entry.
To activate DKIM authentication for your domain email, sign into your Google Apps dashboard and go to Advanced tools. You should see a heading Authenticate email.
For more information, see Google Apps Administrator Help > Authenticate email with a domain key.