You need to be able to add your Microsoft "onmicrosoft.com" domain to the Cloud Service for Email


Article ID: 206244


Updated On:

Products

Data Loss Prevention Cloud Service for Email
Data Loss Prevention Cloud Package

Issue/Introduction

You are using the DLP Cloud Service for Email and need to add your Microsoft administrative domain (i.e., "domain.onmicrosoft.com") to the list of Validated Domains for your Detector.

You need to know how to get the required TXT record for this domain updated, since you don't own the "onmicrosoft.com" domain.

 

Cause

In order to add any domains to the DLP configuration, you need to be able to add a specific domain validation code as a TXT record for the domain.

 

 

Environment

Release : 15.7

Component :

This solution is only required if both of the following are true:

  1. You are using the DLP Cloud Service for Email in O365 Reflecting mode (message sent back to O365 after DLP inspection is complete).
  2. You have set "domain.onmicrosoft.com" (instead of "domain.com") as the primary domain in O365 Admin Center.

Resolution

Using the O365 Admin Center, it is possible to add a specific TXT record as a "Custom" record for your domain.

  1. Log in as an O365 Admin, and go to Domains > (choose the domain) > DNS records.
  2. Click "+Add record" to create a new Custom record.
  3. For "Name" enter an "@" symbol.
  4. The "value" should be your domainValidationCode as found in the Welcome Email for the Cloud Service for Email (it's also visible for the Detector entry in the Enforce Service UI).
  5. The TTL should be 1 Hour.

After saving the changes, wait for the DNS update to propagate. This can be checked via NSLOOKUP of the TXT record, as well as via the MXTOOLBOX.com website.
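
One way to script the NSLOOKUP check described above (an added example, not part of the original article or the product). The validation code and the sample output are constructed placeholders; substitute the domainValidationCode from your Welcome Email.

```shell
#!/usr/bin/env bash
# Added example: confirm the DLP domain validation TXT record is published.

# Print every TXT string found in nslookup output (stdin), one per line.
# Handles both layouts: Unix (name text = "value") and Windows
# ("text =" followed by the quoted value on a later line).
txt_strings() {
  grep -o '"[^"]*"' | sed 's/^"//; s/"$//'
}

# Succeed only if one TXT string equals the expected code exactly.
# Exact match matters: the same name usually carries other TXT
# records (SPF, other verification strings) that must not count.
has_validation_code() {   # usage: has_validation_code CODE < nslookup-output
  txt_strings | grep -Fxq -- "$1"
}

# Live check against one resolver (defaults to the system resolver).
# Repeat against several resolvers to see how far the change has spread.
check_domain() {          # usage: check_domain DOMAIN CODE [RESOLVER]
  nslookup -type=TXT "$1" ${3:+"$3"} 2>/dev/null | has_validation_code "$2"
}

# Constructed sample output; the code value is a placeholder, not a real one.
SAMPLE_UNIX='Non-authoritative answer:
domain.onmicrosoft.com	text = "v=spf1 include:spf.protection.outlook.com -all"
domain.onmicrosoft.com	text = "PLACEHOLDER-VALIDATION-CODE"'

SAMPLE_WINDOWS='domain.onmicrosoft.com	text =

	"PLACEHOLDER-VALIDATION-CODE"'

# Runs a live lookup only when called as: script.sh DOMAIN CODE [RESOLVER]
if [ "$#" -ge 2 ]; then
  if check_domain "$@"; then
    echo "TXT record published for $1"
  else
    echo "Validation code not visible yet for $1"
    exit 1
  fi
fi
```

A non-zero exit means the resolver queried does not yet return the code as its own TXT string; retry after the 1 Hour TTL has elapsed before adding the domain to the Detector.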