i´m trying to configure email comunications service but i not ablke to verify the dkim and dkim2 and i have already done everything describe for this ?

Question

when i´m trying to verify the dmim and dkim 2 always receive an alert and to configure again, the domain and spf are already verified, but all solutions describe on documents i have tried and still facing the same problem, do have any suggestion

Answer 1

Hi Salvador,

I assume this is for email.hiqi.eu, correct? If my assumption is correct, please add two new DNS records, as below:

Record type	Host	Value	TTL
CNAME	selector1-azurecomm-prod-net._domainkey.email	selector1-azurecomm-prod-net._domainkey.azurecomm.net	3600
CNAME	selector2-azurecomm-prod-net._domainkey.email	selector2-azurecomm-prod-net._domainkey.azurecomm.net	3600

After adding above DNS records, wait a minute or so and then check you are receiving proper DKIM TXT records using below nslookup commands:

nslookup -q=txt selector1-azurecomm-prod-net._domainkey.email.hiqi.eu
nslookup -q=txt selector2-azurecomm-prod-net._domainkey.email.hiqi.eu

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Answer 2

Hii @Salvador Lourenço

Thank you for reaching us about the issue configuring Azure Communication Services for email on the custom domain hiqi.eu.

DKIM and DKIM2 verification failures occur when Azure Email Communication Service cannot read the required DKIM CNAME records from DNS, even if the domain and SPF are already verified.

Please follow the below recommendations to resolve the issue:

1. Validate DKIM and DKIM2 CNAME records in DNS

Azure Email Communication Service requires two DKIM CNAME records (DKIM and DKIM2). These records must exactly match the values provided in the Azure portal, including:

• Correct selector name (for example: selector1-azurecomm-prod-net._domainkey)
• Correct target ending with .azurecomm.net
• No extra spaces, typos, or modified hostnames

If either CNAME record is missing or incorrect, Azure will not be able to verify DKIM or DKIM2.

2. Confirm DKIM records using nslookup
   It is recommended to validate DNS resolution before retrying verification:

nslookup -q=CNAME selector1-azurecomm-prod-net._domainkey.yourdomain.com
nslookup -q=CNAME selector2-azurecomm-prod-net._domainkey.yourdomain.com

If these commands do not return the expected CNAME targets, the service will not be able to complete DKIM/DKIM2 verification.

3. Ensure SPF uses a hard fail (-all)
   SPF must be configured as:
   v=spf1 include:spf.protection.outlook.com -all

Using a soft fail (~all) instead of a hard fail (-all) can prevent sender authentication from completing properly and may affect DKIM validation status.

4. Wait for DNS propagation and retry verification

Microsoft notes that DNS propagation delays or DNS‑provider behavior can cause repeated verification failures. Verification should only be retried after DNS records are resolvable via lookup tools.

Reference:
https://learn.microsoft.com/en-us/azure/communication-services/concepts/email/email-domain-configuration-troubleshooting
https://learn.microsoft.com/en-us/azure/communication-services/concepts/email/email-domain-and-sender-authentication
Kindly let us know if the above helps or you need further assistance on this issue.

Please "accept" if the information helped you. This will help us and others in the community as well.

Answer 3

DKIM and DKIM2 verification failures in Azure Email Communication Service are almost always due to missing or incorrect CNAME records in DNS. Use the following checks to isolate the issue.

1. Confirm the DKIM/DKIM2 CNAME records in DNS

• In your DNS provider, there must be two CNAME records for the custom domain, for example:
  • selector1-azurecomm-prod-net._domainkey.yourdomain.com
  • selector2-azurecomm-prod-net._domainkey.yourdomain.com
• The exact host names and targets are shown in the Azure portal when configuring the domain. Make sure they are copied exactly (no extra spaces, no missing -azurecomm-prod-net, correct domain suffix).

2. Verify the records with nslookup Run these commands from a Windows command prompt (replace contoso.com with your domain):

nslookup
set q=TXT
selector1-azurecomm-prod-net._domainkey.contoso.com
selector2-azurecomm-prod-net._domainkey.contoso.com

• If the DKIM record is failing, use selector1.
• If DKIM2 is failing, use selector2.
• Expected result: the query returns the CNAME DKIM records for your custom domain.
• If nslookup does not return the CNAME records, Azure Email Communication Service cannot verify DKIM/DKIM2. In that case:
  • Fix the CNAME names/targets in your DNS provider.
  • Wait for DNS propagation (can take some time depending on TTL) and run nslookup again until the records appear.

3. Re-run verification in Azure after DNS is correct

• Only after nslookup shows the correct CNAME records should the DKIM/DKIM2 verification be retried in the Azure portal.
• If nslookup output matches the expected CNAMEs, Azure Email Communication Service should successfully verify DKIM and DKIM2.

4. Double-check SPF is in the correct form (already verified but important)

• SPF record for the domain should be:

    v=spf1 include:spf.protection.outlook.com -all
  

• If SPF uses ~all instead of -all, Azure Communication Services considers SPF verification failed, which can block full domain enablement.

If after these checks nslookup still does not show the DKIM CNAMEs, the issue is with the DNS provider configuration (wrong zone, wrong record type, or not yet propagated). Azure cannot verify DKIM/DKIM2 until those records are visible via DNS.

---

References:

• Troubleshooting domain configuration issues
• Best practices for sender authentication support
• Set up DMARC to validate the From address domain for cloud senders
• Email authentication in cloud organizations
• Security Operations guide for email authentication in Microsoft 365
• Fix NDR error "550 5.7.515" in Outlook.com