You want to know more about Email Domain Validation for your Cloud Detector

Article ID: 228080


Updated On:

Products

Data Loss Prevention Cloud Service for Email Data Loss Prevention

Issue/Introduction

You want to add new domains to your Cloud Service for Email configuration, and wish to know more about how these are verified.

Environment

Cloud Service for Email - applies to customers using the Cloud Service for Email in O365 Reflecting mode

Cause

As per the documentation (see the section "Adding the unique TXT record to your DNS settings"), any new domain you wish to add to the Cloud Service must be verified via a TXT record containing a unique validation ID, created in the DNS zone of each domain.

Resolution

Enforce will send the list of domains to the Cloud Service when any of the following occur:

  1. One or more domains are added in Enforce
  2. The Revalidate button is clicked in Enforce
  3. The DetectionServerController service (also known as the Monitor Controller) is restarted

As per documentation, a TXT record containing the DLP Validation Code should be created in advance for any domains you plan to add to your service.

Domain Validation is performed by the Cloud Service.

  1. Enforce sends the Cloud Service the list of all domains that are configured on the Cloud Detector.
  2. The Cloud Service validates every domain by looking up its TXT record. The lookup must succeed from the global (public) DNS, not just from an internal resolver.
  3. The Cloud Service updates the Validated Domains setting on the Detector with the list of all domains that passed.
  4. It then sends a report back to Enforce.
  5. Enforce marks those domains as "Validated".
  6. If the TXT record for a domain cannot be resolved, that domain is removed from the Validated Domains list on the Detector, and an instruction is sent to set the Enforce Server to "Reconcile" mode.


Additional Information

Domain hosting providers hold the key to ensuring that their customers' DNS configuration is resolvable by the global DNS system without errors.

If the DLP Cloud Service does not get a valid response back for a domain from DNS, it retries multiple times.

If errors are encountered 4 times, the system will mark that domain as invalid.
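The following is an added example, not Broadcom's code, that models the validation loop from the Resolution steps above together with the retry rule in this section (retry on a failed or invalid DNS response, mark the domain invalid after 4 failures, drop it from the Validated Domains list and flag Reconcile mode). It runs offline against a constructed, scripted resolver; the TXT record value, the domain names and the function names are all constructed for the example. The `dnspython_resolver` hook shows how a live lookup would plug in (it assumes the `dnspython` package is installed and is not called by the demo). This is a model of the described behaviour for checking your own DNS before adding domains, not the Cloud Service's actual implementation.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_ATTEMPTS = 4  # article: after 4 failed lookups the domain is marked invalid

# Constructed placeholder for the DLP Validation Code that the real TXT record carries.
VALIDATION_CODE = "EXAMPLE-DLP-VALIDATION-CODE"


class TxtLookupFailure(Exception):
    """Raised by a resolver when the TXT lookup itself fails (NXDOMAIN, SERVFAIL, timeout)."""


@dataclass
class ValidationReport:
    """What the Cloud Service would send back to Enforce after a validation pass."""
    validated: List[str] = field(default_factory=list)          # new Validated Domains list
    invalid: Dict[str, List[str]] = field(default_factory=dict)  # domain -> failure reasons
    reconcile_required: bool = False                             # any invalid domain -> Reconcile


def validate_domains(domains: List[str], code: str,
                     resolve_txt: Callable[[str], List[str]],
                     max_attempts: int = MAX_ATTEMPTS) -> ValidationReport:
    """Validate each domain: retry a failed or code-less answer up to max_attempts times.

    Assumption for this model: a lookup error and an answer that lacks the code both
    count as one failed attempt; the article does not distinguish the two cases.
    """
    report = ValidationReport()
    for domain in domains:
        failures: List[str] = []
        for attempt in range(1, max_attempts + 1):
            try:
                records = resolve_txt(domain)
            except TxtLookupFailure as exc:
                failures.append(f"attempt {attempt}: lookup failed ({exc})")
                continue
            if code in records:
                report.validated.append(domain)
                break
            failures.append(f"attempt {attempt}: validation code not present in TXT records")
        else:
            # Loop ran out of attempts without a break: domain is invalid.
            report.invalid[domain] = failures
    report.reconcile_required = bool(report.invalid)
    return report


def dnspython_resolver(domain: str) -> List[str]:
    """Live lookup via dnspython (assumed installed); converts its errors to TxtLookupFailure."""
    import dns.exception
    import dns.resolver
    try:
        answer = dns.resolver.resolve(domain, "TXT")
    except dns.exception.DNSException as exc:
        raise TxtLookupFailure(str(exc)) from exc
    # Each TXT rdata is a tuple of byte strings; join the pieces into one string.
    return [b"".join(rdata.strings).decode() for rdata in answer]


class ScriptedResolver:
    """Constructed stand-in for DNS: each domain gets a per-attempt script of results.

    A script entry is either a list of TXT strings (a successful answer) or an exception
    to raise. Entries are consumed in order; the last entry repeats for later attempts.
    Unknown domains always raise NXDOMAIN.
    """

    def __init__(self, scripts):
        self.scripts = {d: list(s) for d, s in scripts.items()}
        self.calls: Dict[str, int] = {}

    def __call__(self, domain: str) -> List[str]:
        self.calls[domain] = self.calls.get(domain, 0) + 1
        script = self.scripts.get(domain, [TxtLookupFailure("NXDOMAIN")])
        outcome = script.pop(0) if len(script) > 1 else script[0]
        if isinstance(outcome, Exception):
            raise outcome
        return outcome


# Constructed sample: one healthy domain, one with transient DNS errors, one whose TXT
# record lacks the code, and one that never resolves.
SAMPLE_DNS = {
    "good.example": [["v=spf1 -all", VALIDATION_CODE]],
    "flaky.example": [TxtLookupFailure("SERVFAIL"), TxtLookupFailure("timeout"),
                      [VALIDATION_CODE]],
    "missing.example": [["v=spf1 -all"]],
    "dead.example": [TxtLookupFailure("NXDOMAIN")],
}


def run_demo():
    """Run the model over the constructed sample; returns (report, resolver)."""
    resolver = ScriptedResolver(SAMPLE_DNS)
    domains = ["good.example", "flaky.example", "missing.example", "dead.example"]
    report = validate_domains(domains, VALIDATION_CODE, resolver)
    return report, resolver


if __name__ == "__main__":
    rep, res = run_demo()
    print("Validated Domains:", rep.validated)
    for d, why in rep.invalid.items():
        print(f"INVALID {d} after {res.calls[d]} attempts: {why[-1]}")
    print("Reconcile mode required:", rep.reconcile_required)
```

The flaky domain passes on its third attempt, while the two domains that never return the code exhaust all four attempts and are dropped from the Validated Domains list, which is exactly the outcome to check for before clicking Revalidate. To run the same check by hand against the public DNS, pass `dnspython_resolver` instead of the scripted one, or query the record directly with `dig +short TXT <domain>` from a host outside your network.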