ACS Email Domain Verification Stuck at “NotStarted” Despite Correct DNS

Glenn Jones 0 Reputation points
2026-07-02T10:49:23.2866667+00:00

I’m trying to verify a domain for Azure Communication Services Email. The TXT verification record shows Verified, but SPF, DKIM, and DMARC have been stuck at NotStarted for more than 24 hours.

All DNS records are present, valid, and globally propagated. I’ve confirmed:

TXT verification record is correct

SPF record is valid

DKIM selectors are published

DMARC record is published

No duplicate SPF records

No conflicting DKIM/DMARC records

This appears to match the known ACS backend verification cache issue where the domain verification state becomes stuck even with correct DNS.

Could a Microsoft engineer please review this and refresh the backend verification state for my ACS Email domain? I can provide the domain privately if needed.

Thank you.

Azure Communication Services

1 answer

Sort by: Most helpful
  1. AI answer

    2026-07-02T10:49:36.55+00:00

    Backend verification state for Azure Communication Services Email domains can’t be manually refreshed by customers; when DNS is correct but ACS still shows SPF/DKIM as not verified or NotStarted, the supported path is to:

    1. Reconfirm DNS in the authoritative zone
      • Use nslookup or an authoritative DNS lookup tool to ensure ACS can see the records, not just public resolvers.
      • For the TXT verification record:
             nslookup -q=TXT YourCustomDomain.com
        
        Confirm the ms-domain-verification=... TXT record is present.
      • For SPF:
             nslookup -q=TXT YourCustomDomain.com
        
        Ensure the SPF TXT record matches the value from the ACS portal, typically:
             v=spf1 include:spf.protection.outlook.com -all
        
        Azure Email Communication Service requires -all; if the record uses ~all, SPF verification fails.
      • For DKIM/DKIM2:
             nslookup
             set q=TXT
             selector1-azurecomm-prod-net._domainkey.YourCustomDomain.com
             selector2-azurecomm-prod-net._domainkey.YourCustomDomain.com
        
        Confirm the CNAMEs resolve to the Azure Communication Services DKIM endpoints.
    2. Ensure records were added exactly as provided by ACS
      • In the ACS Email resource, under Provision Domains:
        • Confirm Domain Status is Verified.
        • Use Configure to copy the exact SPF TXT and DKIM/DKIM2 CNAME records.
        • Add them at the correct zone level in the authoritative DNS (registrar or DNS host). If the domain uses Microsoft nameservers, records must be added in Microsoft 365 DNS, not only at the registrar.
      • Wait at least 15–30 minutes after changes, then use Next → Done in the ACS portal to trigger verification.
    3. If SPF/DKIM remain stuck despite correct DNS
      • The documentation only describes DNS-based causes (missing records, wrong -all vs ~all, wrong zone) and does not expose any customer-accessible way to clear backend cache or force re-verification beyond the portal’s Next/Done flow.
      • When authoritative DNS lookup confirms all required TXT and CNAME records and ACS still shows NotStarted or fails to move to Enabled after the documented verification steps, the next step is to open a support case with Microsoft Azure Support so engineering can inspect and correct the backend state.

    Because backend cache or verification-state issues are not self-service, a Microsoft engineer must handle them via support tooling. Provide the ACS Email resource details, region, and the exact domain name in the support ticket (not publicly), along with DNS lookup outputs showing the TXT/SPF/DKIM records.


    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.