You are using the DLP Cloud Service for Email and find that in your Enforce Server, the email domains have been switched to "Reconcile" status.

There are no options to change these domains, because the tick boxes are greyed out and they cannot be selected for removal.

Release : 15.8, 16.X

Component : DLP Cloud Service for Email, in a Reflecting mode configuration (with M365 as downstream MTA)

As per this online guidance, adding email domains to your Cloud Service for Email requires you to take steps for validation: Adding the unique TXT record to your DNS settings (broadcom.com).

If you do not create the required TXT record prior to adding a domain to your Detector configuration in the Enforce Server, the domain will fail its validation and you will need to correct that before making further changes.

Email domain administation in the Enforce Server has the following possible states for each domain listed: 
------------------------------------------
Added - a domain in this status has been successfully validated and added to a configuration of "validatedDomains" at your Cloud Service for Email Detector.
Reconcile - a domain that was added via Enforce UI, but could not be validated (is missing the DLP TXT record) - this shows up in the "domains" list on the Cloud Service for Email Detector.
Removed - a domain that was previously added (validated or NOT) but since been removed from the Enforce UI.
Invalid domain - a domain that does not have a valid DLP TXT record (may also be a totally invalid domain, i.e., no DNS record at all). Domains marked as "Invalid" can be removed using the options in the UI.

Firstly, before trying to add new domains to the Enforce Server configuration for your Cloud Detector - ensure the TXT records are already updated as per our requirements outlined online.

When a domain marked as Invalid is selected for removal, it will temporarily change status to "marked for removal". When this is complete (can take ~5-15 minutes) it changes to Removed.
Domains in Removed status don't "go away" - that status remains displayed in the list of domains.

For issues where you can't add/remove any domains (several or all are in Reconcile status), try the following steps:

1. Recycle your Symantec DLP Detection Controller service - to do this via the UI, see Enabling Advanced Process Control (broadcom.com).
2. After the service comes back up, click on the "Revalidate" option.
3. This can take from 5 to 15 minutes; when this is complete, look for status updates as domains previously marked "Reconcile" change to "Invalid".
4. If domain moves from Reconcile to Invalid status, select the domain in the list and choose to option to Remove.
5. This again can take several minutes to refresh.
6. Re-check and repeat above steps as needed until all domains have moved to Removed status, and you can Add new ones.

In some cases, when all of your listed domains are in Reconcile status, you may be required to open a ticket with DLP Support.

Tips for working with domain validation: 

Use MX Lookup Tool - Check your DNS MX Records online - MxToolbox to verify domains have the required TXT record:

• The initial "MX" lookup confirms that valid DNS Records exist
• Changing to "TXT" lookup allows you to quickly verify the TXT record for DLP is present - the required TXT record is in your Enforce Server, on the Detector configuration page.

Ensure the SymantecDLPDetectionServerController service (aka "DSC") has a JavaHeap that is increased from default (as per KB Monitor Controller performance issues after adding new Detection Servers (broadcom.com)).