The add, revalidate, and remove buttons are grayed out and not available in the update email domains section of the Cloud Detector after migration from Forwarding mode to Reflecting mode.

Even though all of the associated DNS text records are confirmed to be in place.

Please see Email domains in "Reconcile" status in your Enforce Server for guidance on the associated text record or the Symantec DLP Cloud Service for Email Implementation Guide for your respective version.

Release : 15.7

Component :

Symantec messaging gateway allows the usage of wildcard domains.

E.g., 

*.example.com

Enforce management of the domains does not allow for wild card domains, and it is not required.

If example.com is authorized with the appropriate text record in place then any subdomains of the authorized domains will also be authorized.

E.g.,

If example.com is authorized, then so is mail.example.com so the usage of the wildcard is unnecessary and is not supported.

Please log a support case and ask for the wildcard domains to be manually removed from the Cloud Detector.

After removal is confirmed by support restart the Symantec DLP Detection Controller Service.

Please note it may take some time before the settings are synchronized from the Cloud Detector back to Enforce.

You will also need to make sure that you have no other transport rules or unique environment variables on the MTA that use this functionality.