Spammers can forge the From address on mail messages so that the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google Apps enables you to add a digital "signature" to the header of mail messages sent from your domain. Recipients can check the domain signature to verify that the message really comes from your domain and that it has not been changed along the way. (If your domain has an SPF record, recipients can also verify that the message came from an authorized mail server.)
Google Apps' digital signature conforms to the DomainKeys Identified Mail (DKIM) standard. To add a digital signature to outgoing mail, you generate a 1024-bit domain key that Google Apps uses to create signed mail headers that are unique to your domain. You add the public key to the Domain Name System (DNS) records for your domain. Recipients can verify the source of a mail message by retrieving your public key and using it to confirm your signature.
If you already have a DKIM domain key for your domain — for example, if your legacy mail server signs outgoing mail — you need to generate a separate key for Google Apps to use. The Google Apps domain key is distinguished from any other key by a string known as a selector prefix. The selector prefix for the Google Apps domain key is "google" by default, but you can enter a new selector prefix when you generate the key.
There are three major steps required to add the DKIM signature to outgoing mail:
- Generate the domain key for your domain
- Add the public domain key to the DNS records for your domain as a TXT record so that recipients can retrieve it to verify the DKIM header
- Turn on authentication to begin adding the DKIM header to outgoing mail messages
If you have multiple domains associated with your Google Apps account, you need to repeat these steps for each domain.
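As an added example (not Google's code), this Python check can be run against the TXT record from the second step before authentication is turned on. The `<selector>._domainkey.<domain>` name and the `v=` and `p=` tags come from the DKIM standard; the function names are assumptions of this example, and the sample record is constructed with a stand-in modulus rather than a real key.

```python
import base64

def dkim_record_name(domain, selector="google"):  # "google" is the default selector prefix
    return f"{selector}._domainkey.{domain}"

def _der(tag, body):  # encode one DER element; only used to build the constructed sample
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def _tlv(buf, pos):  # read one DER element at pos; return (value, next_pos)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the size of the length field
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(p_b64):
    body, _ = _tlv(base64.b64decode(p_b64, validate=True), 0)  # SubjectPublicKeyInfo
    _, pos = _tlv(body, 0)         # skip AlgorithmIdentifier
    bits, _ = _tlv(body, pos)      # BIT STRING wrapping RSAPublicKey
    rsakey, _ = _tlv(bits, 1)      # byte 0 is the unused-bits count
    modulus, _ = _tlv(rsakey, 0)   # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_txt(strings, min_bits=1024):
    # A long TXT record is stored as several strings; join them before parsing the tags
    parts = (t.partition("=") for t in "".join(strings).split(";") if t.strip())
    tags = {k.strip(): "".join(v.split()) for k, _, v in parts}
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if not tags.get("p"):
        problems.append("p= missing or empty (no usable public key)")
    elif rsa_modulus_bits(tags["p"]) < min_bits:
        problems.append(f"public key is shorter than {min_bits} bits")
    return problems

def constructed_txt(bits=1024):
    # Constructed sample record: the modulus is a stand-in value, not a real key
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsakey = _der(0x30, _der(0x02, b"\x00" + n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption
    p = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsakey))).decode()
    return ["v=DKIM1; k=rsa; p=" + p[:120], p[120:]]  # two strings, as a long TXT record is split

if __name__ == "__main__":
    print(dkim_record_name("example.com"), check_dkim_txt(constructed_txt()))
```

An empty list means the record parsed cleanly; to check a live domain, pass the strings returned by a TXT lookup of `dkim_record_name(...)` to `check_dkim_txt`.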
See SPF records and Understanding DMARC for other anti-spoofing measures available to you through Google.
