Generate a set a exim4 configuration files that work this in way.:
Given two sets of servers, servers A and servers M, email generated from servers A (of which there's many of them) must be sent via servers M, and from servers M sent to Google Apps for final delivery.
Obviously the point is that only the servers in the M set actually have Google App's credentials.
The servers M must verify that the email comes from servers A (we'll tell the winner how to tell that this is indeed the case).
DKIM, SPF, etc, are in place and they must continue to be in place but of course would be adjusted as needed. Same as Google Apps configuration.