You are using the DLP Cloud Service for Email and find that in your Enforce Server, the email domains have been switched to "Reconcile" status.
There are no options to change these domains, because the tick boxes are greyed out and they cannot be selected for removal.
Release : 15.8
Component : DLP Cloud Service for Email, in a Reflecting mode configuration (with M365 as downstream MTA)
As per this online guidance, adding email domains to your Cloud Service for Email requires you to take steps for validation: Adding the unique TXT record to your DNS settings (broadcom.com).
If you do not create the required TXT record prior to adding a domain to your Detector configuration in the Enforce Server, the domain will fail its validation and you will need to correct that before making further changes.
Email domain administation in the Enforce Server has the following possible states for each domain listed:
Added - a domain in this status has been successfully validated and added to a configuration of "validatedDomains" at your Cloud Service for Email Detector.
Reconcile - a domain that was added via Enforce UI, but could not be validated (is missing the DLP TXT record) - this shows up in the "domains" list on the Cloud Service for Email Detector.
Removed - a domain that was previously added (validated or NOT) but since been removed from the Enforce UI.
Invalid domain - a domain that does not have a valid DLP TXT record (may also be a totally invalid domain, i.e., no DNS record at all). Domains marked as "Invalid" can be removed using the options in the UI.
Firstly, before trying to add new domains to the Enforce Server configuration for your Cloud Detector - ensure the TXT records are already updated as per our requirements outlined online.
When a domain marked as Invalid is selected for removal, it will temporarily change status to "marked for removal". When this is complete (can take ~5-15 minutes) it changes to Removed.
Domains in Removed status don't "go away" - that status remains displayed in the list of domains.
For issues where you can't add/remove any domains (several or all are in Reconcile status), try the following steps:
In some cases, when all of your listed domains are in Reconcile status, you may be required to open a ticket with DLP Support.
Tips for working with domain validation:
Use MX Lookup Tool - Check your DNS MX Records online - MxToolbox to verify domains have the required TXT record:
Ensure the SymantecDLPDetectionServerController service (aka "DSC") has a JavaHeap that is increased from default (as per KB Monitor Controller performance issues after adding new Detection Servers (broadcom.com)).