Sorry about the long post…
We are currently using Google Apps for Education and we need to archive our inbound/outbound email. I have setup two Postfix servers, one for inbound and one for outbound email and have setup my Google inbound and outbound gateways accordingly. Inbound is working great - email comes into Postfix, gets archived, then gets sent on to Google. However; the outbound gateway does not have any provisions for authentication, so I setup restictions on the outbound Postfix server to only accept email from our domain as well as the IP addresses from Google's SPF record. I have implemented DKIM signing on the Google side and setup DMARC as well. My concern is with spoofing of our domain coming into the outgoing Postfix server. My hope is to setup the outgoing server to only accept emails from our domain that have been signed, but I am not sure how to accomplish this. If I set DMARC to Reject, will the outgoing server reject unsigned email? Or is there somthing else that needs to be configured before DMARC/DKIM will work? I am not looking to sign the email, as that is already done by Google when the email is sent out.
Thanks in advance