Reconcile errors prevent domain updates for Cloud Email Service in Enforce

Article ID: 175491

Updated On:

Products

Data Loss Prevention Cloud Service for Email, Data Loss Prevention Cloud Package

Issue/Introduction

Users have tried adding new domains to those listed for a Cloud Service for Email detection server, but they are stuck in "RECONCILE" mode.

No new domains can be updated or deleted after this has occurred.

Environment

Cloud Service for Email, in O365 Reflecting mode

Cause

Firstly, only customers whose Cloud Email Service is for O365 in "Reflecting mode" have the option to update or modify domains in the Enforce console.

Customers with other configurations of their DLP Cloud Service (e.g., O365 in Forwarding mode, a "hybrid" O365/Exchange setup, or Gmail integrated with their hosted email service) use Email Security.cloud (aka "MessageLabs") as their downstream MTA. Those customers will need to follow the instructions in TECH247444.

For customers of O365 Reflecting mode, there is a requirement to have a specific DNS Validation Code added as a TXT record for each domain that is monitored by the DLP Cloud Service. Details on setting this TXT record are found in the topic "Adding the unique TXT record to your DNS settings" in the online help.

Resolution

Take the following steps for successful validation:

  1. For O365 Reflecting mode customers, ensure that every domain shown in Enforce has its TXT record correctly updated, following the process listed in "Adding the unique TXT record to your DNS settings". This can be verified via NSLOOKUP, with the "set q=txt" option. Domains which have the TXT record in the correct form will be validated by the DLP Cloud Service within ~24 hours of when they are first added.
  2. The DNS Code entry is case-sensitive. Based on prior casework, if any of the alphabetic characters are in upper case, validation may fail. The TXT record should be updated to match the "DNS Validation Code" entry exactly.
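
The check in steps 1 and 2 can be scripted across all domains. The following is an added example, not part of the original article or of the product's tooling: it extracts the TXT strings from nslookup output and compares them to the expected code exactly, reporting a case-only difference separately. The code value, domains and sample nslookup output are constructed placeholders, and the function names are hypothetical.

```python
import re
import subprocess

# Constructed placeholder; use the "DNS Validation Code" shown in Enforce.
EXPECTED_CODE = "dlp-code-7f3a9c"

# Constructed nslookup output (Windows layout: value on the line after "text =").
SAMPLE_OK = 'example.com\ttext =\n\n\t"v=spf1 -all"\nexample.com\ttext =\n\n\t"dlp-code-7f3a9c"\n'
SAMPLE_UPPER = 'example.net\ttext =\n\n\t"DLP-Code-7F3A9C"\n'
SAMPLE_NONE = 'example.org\ttext = "v=spf1 -all"\n'


def txt_values(nslookup_output):
    """Return every quoted TXT string in nslookup output (Windows or BIND layout)."""
    return re.findall(r'"([^"]*)"', nslookup_output)


def classify(expected_code, nslookup_output):
    """Compare published TXT values with the expected code, character for character."""
    values = txt_values(nslookup_output)
    if expected_code in values:
        return "match"
    # Same characters but different case: the failure described in step 2.
    if any(v.lower() == expected_code.lower() for v in values):
        return "case-mismatch"
    return "missing"


def live_lookup(domain):
    """Query TXT records with the system nslookup (needs network access)."""
    done = subprocess.run(["nslookup", "-type=txt", domain],
                          capture_output=True, text=True, timeout=15)
    return done.stdout


def audit(expected_by_domain, lookup=live_lookup):
    """Map each domain to match / case-mismatch / missing."""
    return {d: classify(code, lookup(d)) for d, code in expected_by_domain.items()}


if __name__ == "__main__":
    samples = {"example.com": SAMPLE_OK, "example.net": SAMPLE_UPPER,
               "example.org": SAMPLE_NONE}
    wanted = {d: EXPECTED_CODE for d in samples}
    for domain, status in audit(wanted, lookup=samples.get).items():
        print(f"{domain}: {status}")
```

Calling `audit()` without the `lookup` argument queries live DNS for each domain; a "case-mismatch" result points at the TXT record to correct before waiting for validation.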