One of our websites has been running on a server without a SSL certificate, we have installed the SSL certificate and are planning to 301 redirect the http to https.
The spammers are not actually using your domain to send the messages. They are spoofing the return address on the email message to make it appear as if the message originated from your domain. There is nothing you can do to prevent the spammers from spoofing your domain, but you can create an SPF record for your domain that many mail servers will check to determine whether or not the message originated from an authorized mail server (see the Google Apps Administrator link for more details on SPF records). This solution is not perfect because it depends on the receiving mail servers to check SPF records (which of course not all of them do). https://support.google.com/a/answer/33786?hl=en