Backend verification state for Azure Communication Services Email domains can’t be manually refreshed by customers; when DNS is correct but ACS still shows SPF/DKIM as not verified or NotStarted, the supported path is to:
- Reconfirm DNS in the authoritative zone
  - Use `nslookup` or an authoritative DNS lookup tool to ensure ACS can see the records, not just public resolvers.
  - For the TXT verification record:

    ```
    nslookup -q=TXT YourCustomDomain.com
    ```

    Confirm the `ms-domain-verification=...` TXT record is present.
  - For SPF:

    ```
    nslookup -q=TXT YourCustomDomain.com
    ```

    Ensure the SPF TXT record matches the value from the ACS portal, typically:

    ```
    v=spf1 include:spf.protection.outlook.com -all
    ```

    Azure Email Communication Service requires `-all`; if the record uses `~all`, SPF verification fails.
  - For DKIM/DKIM2:

    ```
    nslookup
    set q=TXT
    selector1-azurecomm-prod-net._domainkey.YourCustomDomain.com
    selector2-azurecomm-prod-net._domainkey.YourCustomDomain.com
    ```

    Confirm the CNAMEs resolve to the Azure Communication Services DKIM endpoints.
- Ensure records were added exactly as provided by ACS
  - In the ACS Email resource, under Provision Domains:
    - Confirm Domain Status is `Verified`.
    - Use Configure to copy the exact SPF TXT and DKIM/DKIM2 CNAME records.
  - Add them at the correct zone level in the authoritative DNS (registrar or DNS host). If the domain uses Microsoft nameservers, records must be added in Microsoft 365 DNS, not only at the registrar.
  - Wait at least 15–30 minutes after changes, then use Next → Done in the ACS portal to trigger verification.
- If SPF/DKIM remain stuck despite correct DNS
  - The documentation only describes DNS-based causes (missing records, wrong `-all` vs `~all`, wrong zone) and does not expose any customer-accessible way to clear backend cache or force re-verification beyond the portal’s Next/Done flow.
  - When authoritative DNS lookup confirms all required TXT and CNAME records and ACS still shows `NotStarted` or fails to move to `Enabled` after the documented verification steps, the next step is to open a support case with Microsoft Azure Support so engineering can inspect and correct the backend state.
Because backend cache or verification-state issues are not self-service, a Microsoft engineer must handle them via support tooling. Provide the ACS Email resource details, region, and the exact domain name in the support ticket (not publicly), along with DNS lookup outputs showing the TXT/SPF/DKIM records.
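The DNS checks listed above can be applied to lookup output before opening a ticket. The following is an added example, not code from Microsoft or from the original answer: it takes the TXT strings and CNAME targets you collected from the authoritative zone and reports which of the requirements fail. The function name `check_acs_dns`, the domain `example.com` and all sample record values are assumptions constructed for illustration, and the check that only one SPF record exists comes from the SPF standard rather than from this page.

```python
# Added example: offline check of DNS answers against the requirements above.
# All sample records are constructed; example.com and the CNAME target are placeholders.

SPF_INCLUDE = "include:spf.protection.outlook.com"
DKIM_SELECTORS = ("selector1-azurecomm-prod-net", "selector2-azurecomm-prod-net")


def check_acs_dns(domain, txt_records, cnames):
    """Return a list of problems; an empty list means the records look right.

    txt_records: TXT strings returned for the apex of `domain`.
    cnames: dict mapping lower-case owner name -> CNAME target.
    """
    problems = []
    if not any(t.strip().lower().startswith("ms-domain-verification=")
               for t in txt_records):
        problems.append("missing ms-domain-verification TXT record")

    # An SPF record is a TXT string whose first term is exactly v=spf1.
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        problems.append("no SPF TXT record")
    elif len(spf) > 1:
        problems.append("multiple SPF TXT records (only one is allowed)")
    else:
        terms = spf[0].lower().split()
        if SPF_INCLUDE not in terms:
            problems.append("SPF lacks " + SPF_INCLUDE)
        if terms[-1] == "~all":
            problems.append("SPF ends in ~all; ACS requires -all")
        elif terms[-1] != "-all":
            problems.append("SPF does not end in -all")

    # Only presence of a target is checked; compare the value with the portal by hand.
    for sel in DKIM_SELECTORS:
        name = f"{sel}._domainkey.{domain}".lower()
        if not cnames.get(name, "").strip("."):
            problems.append("no CNAME for " + name)
    return problems


# Constructed sample data (not real records).
GOOD_TXT = ["ms-domain-verification=00000000-placeholder",
            "v=spf1 include:spf.protection.outlook.com -all"]
SOFT_TXT = [GOOD_TXT[0], "v=spf1 include:spf.protection.outlook.com ~all"]
CNAMES = {"selector1-azurecomm-prod-net._domainkey.example.com":
          "dkim-target-placeholder.example.net."}

if __name__ == "__main__":
    for label, txt in (("good", GOOD_TXT), ("softfail", SOFT_TXT)):
        print(label, check_acs_dns("example.com", txt, CNAMES))
```

An empty result for every record set is the evidence to attach to the support case when the portal still shows the domain as not verified.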