DMARC Verification Stuck at “NotStarted” for Azure Communication Services Custom Email Domain

Sudhanshu Shekhar 25 Reputation points
2026-05-11T10:08:00.6966667+00:00

We are configuring Azure Communication Services (ACS) Email with a custom domain and are facing an issue specifically with DMARC verification.

What We Have Done

  • Created a custom domain in ACS Email
  • Added all required DNS records as provided by Azure:
    • Domain TXT
    • SPF
    • DKIM
    • DKIM2
    • DMARC
  • DNS records are added at our DNS provider and are publicly resolvable
  • SPF, DKIM, and DKIM2 show as Verified successfully

DMARC Issue

Even after more than one week, the DMARC status remains NotStarted in the Azure Portal.

  • Under Verification status, DMARC shows NotStarted
  • Under Verification records, the DMARC DNS value is blank (---)

DMARC Record Added in DNS

We have added the following DMARC TXT record at the DNS level:

Type: TXT
Host/Name: _dmarc
Value: v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:******@onsecureserver.net;

This record is present and visible when checked via external DNS lookup tools.

Concern / Questions

  1. Why does ACS Email show DMARC as NotStarted, even though the DMARC TXT record exists and DNS has propagated?
  2. Is DMARC optional for ACS Email, or is there a specific format/value required by Azure?
  3. Does ACS expect DMARC only for reporting/visibility and not for verification?
  4. Is it expected that the DMARC verification record is blank in the portal?
  5. Are there any known issues or additional steps required for DMARC verification in ACS?

Impact

Because DMARC remains unverified / not started:

  • We are unsure if DMARC is correctly recognized by ACS
  • This creates ambiguity around email authentication and deliverability

Any guidance, clarification, or confirmation from the community or Microsoft team would be greatly appreciated.

Thanks in advance!

Azure Communication Services

2 answers

  1. Golla Venkata Pavani 5,480 Reputation points Microsoft External Staff Moderator
    2026-05-11T11:12:31.6266667+00:00

    Hi @Sudhanshu Shekhar ,

    Thank you for reaching out to us regarding the issue.

    DMARC in Azure Communication Services (ACS) Email is treated as a best practice rather than a core automated verification requirement like Domain ownership, SPF, or DKIM.
    For custom verified domains, ACS focuses on these required steps:

    • Domain ownership verification - via a TXT record (ms-domain-verification=...).
    • Sender authentication - via SPF (TXT record) and DKIM (two CNAME records, often called DKIM and DKIM2).

    DMARC is not listed as a mandatory verification record in the primary quickstart or configuration docs.

    1. Why does ACS Email show DMARC as NotStarted, even though the DMARC TXT record exists and DNS has propagated?
      ACS portal verification primarily polls for the records it requires for sending (Domain + SPF + DKIM). DMARC status often stays NotStarted / blank because it is not actively verified the same way. Your externally visible DMARC record is what matters for receivers (Gmail, Outlook, etc.).
    2. Is DMARC optional for ACS Email, or is there a specific format/value required by Azure?
      Yes for basic sending capability in ACS. SPF + DKIM + domain verification are sufficient for the service to allow sending. DMARC is strongly recommended for deliverability.
    3. Does ACS expect DMARC only for reporting/visibility and not for verification?
      No specific DMARC value is enforced by ACS. Use standard formats. Your record is valid: v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:... . It is recommended to include at least a rua= reporting address and to progress toward p=reject.
    4. Is it expected that the DMARC verification record is blank in the portal?
      This is commonly reported and expected behavior when DMARC is not part of the core automated checks.
    5. Are there any known issues or additional steps required for DMARC verification in ACS?
    • You can try initiating verification via CLI/API with --verification-type DMARC, but many users report it returns errors or has no effect (backend support appears limited).
    • Ensure the record name is exactly _dmarc (with underscore).
    • No further action is required for ACS to start sending.

    Reference:
    https://learn.microsoft.com/en-us/azure/communication-services/concepts/email/email-authentication-best-practice
    https://learn.microsoft.com/en-us/azure/communication-services/concepts/email/prepare-email-communication-resource
    https://learn.microsoft.com/en-us/azure/communication-services/quickstarts/email/add-custom-verified-domains

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "accept" if the information helped you. This will help us and others in the community as well.


  2. AI answer

    2026-05-11T10:08:19.93+00:00

    DMARC status and behavior in Azure Communication Services (ACS) Email are different from SPF/DKIM in the portal and do not block sending when SPF and DKIM are correctly configured.

    1. Reason DMARC shows NotStarted and blank verification record

    ACS Email explicitly guides configuration and verification for:

    • Domain TXT (ownership)
    • SPF
    • DKIM (and DKIM2)

    DMARC is part of overall email-authentication best practices, but ACS does not expose a dedicated DMARC verification workflow or a DMARC-specific verification token/record in the portal. As a result:

    • The DMARC “verification status” remaining NotStarted and
    • The DMARC “verification record” appearing as blank (---)

    are expected behaviors when the service does not manage or validate a DMARC token the same way it does for SPF/DKIM. The portal focuses on SPF and DKIM for sender authentication; DMARC is evaluated by receiving systems based on DNS, not by ACS itself.

    2. Whether DMARC is required vs. optional for ACS Email

    For ACS Email custom domains:

    • SPF and DKIM are the primary, ACS-managed authentication mechanisms. ACS provides explicit DNS values and verifies them.
    • DMARC is strongly recommended but functionally optional from ACS’s perspective.

    The best-practices guidance for email authentication describes DMARC as a DNS TXT record that:

    • Validates the origin of email messages by checking SPF/DKIM alignment.
    • Lets the domain owner specify a policy (p=reject or p=quarantine) and reporting addresses (rua, etc.).

    However, this guidance does not state that ACS requires a specific DMARC token or that ACS will mark DMARC as “Verified” in the same way as SPF/DKIM. Instead, DMARC is a receiver-side control: destination email systems use the DMARC record that exists in DNS to decide how to handle messages.

    3. Whether ACS expects a specific DMARC format/value

    The DMARC record format is governed by the DMARC standard (RFC 7489). The best-practice guidance recommends:

    • Using p=reject where possible, otherwise p=quarantine.
    • Treating p=none, sp=none, and pct<100 as transitional.
    • Including at least a rua tag for aggregate reports.

    The example configuration used (v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:...) follows the standard pattern. The ACS documentation does not require a proprietary DMARC value or ACS-specific tag, and it does not provide a DMARC token to copy.

    Therefore, as long as the DMARC TXT record is correctly published and visible in public DNS, receiving mail systems will honor it, regardless of the NotStarted indicator in the ACS portal.

    4. Whether DMARC is used only for reporting/visibility by ACS

    DMARC is primarily consumed by receiving email systems, not by ACS as the sender. The ACS pipeline focuses on ensuring that:

    • SPF is correctly configured for the custom domain.
    • DKIM is correctly configured and used to sign outbound mail.

    Once SPF and DKIM are in place, DMARC is what receiving systems use to:

    • Check alignment between SPF/DKIM and the visible From domain.
    • Apply the policy (p=quarantine or p=reject) to failing messages.

    ACS does not need to “verify” DMARC to send authenticated mail; instead, DMARC operates as a DNS-based policy that receivers evaluate.

    5. Known behavior and additional steps

    From the available guidance:

    • ACS Email requires configuration and verification of SPF and DKIM for custom domains.
    • DMARC is recommended as part of overall email-authentication best practices but is not surfaced with a dedicated verification token or status in ACS.
    • A DMARC TXT record must be published in the authoritative DNS zone for the domain; once present, it is used by receiving systems, independent of ACS portal status.

    No additional ACS-specific steps are documented for DMARC beyond publishing a valid DMARC TXT record in DNS.

    Practical implications for the described setup:

    • SPF, DKIM, and DKIM2 being Verified indicates that ACS is correctly configured for sender authentication.
    • The DMARC TXT record that is publicly visible will be honored by receiving mail systems, even though ACS shows NotStarted and no DMARC verification record.
    • Email deliverability and authentication will depend on how receivers evaluate SPF, DKIM, and DMARC, not on the DMARC status indicator in the ACS portal.

    AI-generated content may be incorrect. Read our transparency notes for more information.
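
Since receivers evaluate the published TXT value rather than the portal status, the record itself is what is worth checking. The following is an added example, not part of either answer and not ACS or Microsoft code: it parses a DMARC TXT value offline and lists where it departs from the posture described above (p=none, sp=none and pct<100 as transitional, a rua tag present). The function names and the sample address are assumptions; the tag rules follow RFC 7489.

```python
# Added example: offline checker for a DMARC TXT value (not ACS or Microsoft code).
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags in order; raise ValueError if malformed."""
    tags = {}
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue  # a trailing ';' (as in the question's record) is fine
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part!r}")
        name = name.strip().lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    return tags

def review(txt):
    """List where the record departs from the posture the answer describes."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    findings = []
    for name in ("adkim", "aspf"):
        if tags.get(name, "r").lower() not in ("r", "s"):
            findings.append(f"{name}: must be r (relaxed) or s (strict)")
    if policy == "none":
        findings.append("p=none: transitional, nothing is enforced")
    elif policy == "quarantine":
        findings.append("p=quarantine: accepted, p=reject is the target")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: transitional for subdomains")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append("pct: must be an integer from 0 to 100")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: transitional, policy covers a sample only")
    if not [u for u in tags.get("rua", "").split(",") if u.strip()]:
        findings.append("rua: missing, no aggregate reports will arrive")
    return findings

# Constructed sample in the shape of the question's record; the address is a placeholder.
SAMPLE = "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com;"

if __name__ == "__main__":
    print(review(SAMPLE) or "no findings")
```

Paste the value returned by a public lookup of `_dmarc.<your domain>` in place of `SAMPLE` to review the live record.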
