Skip to main content

Microsoft Azure Communication Services:

Challenges, Solutions, and Best Practices
Introduction
Email remains one of the most widely used communication channels across businesses, enterprises, and service providers. While it is simple to use on the surface, the underlying configurations and authentication mechanisms are highly complex. Misconfigurations in email domains often lead to issues such as delivery failures, security vulnerabilities, or worse—exposure to spoofing and phishing attacks.

Microsoft Azure Communication Services (ACS) provides organizations with an integrated platform to send email, SMS, voice, and other communication services at scale. One of the critical aspects of using ACS for email is setting up a custom domain so that emails appear professional (e.g., from support@companyname.com) instead of generic service domains.

However, configuring a custom domain in ACS for email delivery requires a precise DNS setup. This includes implementing authentication protocols such as SPF, DKIM, and DMARC to ensure mail deliverability and protect against spoofing.

In this report, we will walk through the challenges encountered during the setup of an Azure Communication Service custom domain for email, how these challenges were resolved, and finally, provide a step-by-step solution guide. We will also highlight best practices for long-term reliability and security.

Why Custom Domains Matter

When organizations rely on Azure Communication Services for sending email, using a custom domain has several advantages:

  1. Professional Branding – Emails appear to come from yourcompany.com rather than a generic Azure domain.

  2. Improved Deliverability – Emails sent with proper DNS authentication (SPF, DKIM, DMARC) are less likely to be flagged as spam.

  3. Security – Reduces the risk of spoofing and impersonation attacks targeting your domain.

  4. Compliance – Many industries require authenticated custom domains for regulatory compliance.

Initial Setup: The Mistake of Using the Main Domain

The initial setup of the Azure Communication Service custom email domain was configured using the main domain (e.g., companyname.com). While this is technically possible, it is considered bad practice.

Why Using the Main Domain is Risky

  • DNS Record Conflicts: The main domain is often tied to multiple services (website hosting, Office 365 email, APIs, etc.). Adding ACS email DNS entries may conflict with existing records.

  • Reputation Risk: If ACS sends bulk email and one campaign is flagged as spam, the reputation of the main domain (companyname.com) could be negatively affected across all services.

  • Limited Flexibility: Subdomains allow more granular control and isolation of services. For example, transactional emails could come from notify.companyname.com, while marketing emails could come from promo.companyname.com.

The Correct Approach: Subdomain

To avoid these issues, the setup was corrected by moving from the main domain to a dedicated subdomain such as:

  • abc.companyname.com

  • mail.companyname.com

  • notify.companyname.com

This approach isolates email services, prevents conflicts, and protects the primary domain’s reputation.

Authentication Protocols in Focus

When setting up email authentication for Azure Communication Service, three main protocols need to be considered:

1. SPF (Sender Policy Framework)

SPF ensures that only authorized mail servers can send emails on behalf of your domain. It works by checking the SPF DNS TXT record during email delivery.

In our case, the SPF record was configured correctly and the status showed:
SPF Status: Passed

This confirmed that the subdomain was authorized to send mail via Azure Communication Service.

2. DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to each email, allowing the recipient’s server to verify that the message was not altered in transit. It requires publishing a DKIM public key in the domain’s DNS records.

In our case:
DKIM Status: Not Configured

3. DKIM2 (Second DKIM Selector)

Some providers, including Microsoft, require a second DKIM selector (selector2) as a backup or for rolling key changes. This ensures continuous authentication even if the first DKIM key is rotated.

In our case:
DKIM2 Status: Not Configured

4. DMARC (Recommended)

While not explicitly shown in the challenge report, DMARC is the next layer of protection. It works alongside SPF and DKIM, allowing domain owners to specify how mail servers should handle emails that fail authentication (reject, quarantine, or allow).


Challenges Encountered

During the setup process, the following challenges were observed:

  1. Main Domain Misuse – Initially configured on the main domain, which introduced potential risks and conflicts.

  2. SPF Propagation Issues – SPF passed only after updating the DNS records with the correct subdomain entry.

  3. DKIM and DKIM2 Missing – Without DKIM signatures, emails may pass SPF but still be flagged as suspicious.

  4. Testing and Verification Delays – DNS changes often take hours to propagate globally, making troubleshooting slower.

Solution: Step-by-Step Guide

Here is the complete step-by-step solution to properly configure a custom domain with subdomain in Azure Communication Service for email, including SPF, DKIM, and DKIM2.

Step 1: Prepare Your Subdomain

  1. Choose a dedicated subdomain for email (e.g., abc.companyname.com).

  2. In Azure Communication Service, add this subdomain under Custom Domains for Email.

  3. Azure will generate the required DNS records for verification.

Step 2: Configure SPF Record

  1. Log in to your DNS provider (e.g., GoDaddy, Cloudflare, Azure DNS).

  2. Create or update the SPF TXT record for the subdomain. Example:

    Name: abc.companyname.com
    Type: TXT
    Value: v=spf1 include:spf.protection.outlook.com include:spf.acs.azure.com -all
    TTL: 3600
  3. Wait for DNS propagation (usually 30 minutes to a few hours).

  4. Test SPF configuration using tools like:

Once done, SPF should show Passed.

Step 3: Configure DKIM Record

  1. In Azure, locate the DKIM keys generated for your subdomain. They will look like:

    • selector1._domainkey.abc.companyname.com

    • selector2._domainkey.abc.companyname.com

  2. Add CNAME records in your DNS provider:

    Name: selector1._domainkey.abc.companyname.com
    Type: CNAME
    Value: selector1-abc-companyname-com._domainkey.<region>.azurecomm.net
    TTL: 3600
    Name: selector2._domainkey.abc.companyname.com
    Type: CNAME
    Value: selector2-abc-companyname-com._domainkey.<region>.azurecomm.net
    TTL: 3600
  3. Save changes and wait for propagation.

  4. Enable DKIM in Azure Communication Service portal for the subdomain.

Once complete, both DKIM and DKIM2 should show as Configured.

Step 4: (Optional but Recommended) Configure DMARC

  1. Create a new TXT record in DNS:

    Name: _dmarc.abc.companyname.com
    Type: TXT
    Value: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@companyname.com; ruf=mailto:dmarc-failures@companyname.com; sp=quarantine; aspf=s
    TTL: 3600
  2. Adjust the policy (p=) as needed:

    • none → Monitor only

    • quarantine → Send suspicious emails to spam

    • reject → Block suspicious emails completely

With DMARC in place, you gain full visibility into authentication failures.

Step 5: Verify Configuration

  • Use MXToolbox DKIM Lookup to verify DKIM keys.

  • Use nslookup or dig commands to check DNS entries.

  • Send test emails to Gmail, Outlook, and Yahoo to confirm inbox placement.

Step 6: Monitor and Maintain

  • Regularly review SPF and DKIM logs.

  • Rotate DKIM keys at least once a year.

  • Update SPF records if you add/remove mail services.

  • Monitor DMARC reports for spoofing attempts.

Best Practices

  1. Always Use Subdomains – Never risk your main domain reputation.

  2. Keep SPF Records Clean – Avoid “too many lookups” errors (max 10).

  3. Rotate DKIM Keys – Rotate every 6–12 months.

  4. Start with DMARC “none” – Gradually move to “reject” after monitoring.

  5. Test Before Production – Use sandbox/test accounts before live rollout.

Conclusion

Configuring Azure Communication Service with a custom subdomain for email is crucial for deliverability, security, and brand reputation. While the initial setup mistakenly used the main domain, moving to a subdomain (abc.companyname.com) solved multiple risks.

The solution required:

  • Adding SPF records ( Passed).

  • Configuring DKIM and DKIM2 records ( Initially missing, fixed via DNS CNAMEs).

  • Adding DMARC for long-term protection.

By following the step-by-step guide above, organizations can ensure that their Azure-hosted email is properly authenticated, trusted by recipients, and safeguarded against spoofing.

Ultimately, good email hygiene with SPF, DKIM, and DMARC not only prevents fraud but also ensures your emails reliably reach the inbox—protecting your brand and your customers.

Popular posts from this blog

The Cloud Incumbent: AWS Bedrock Hosts Every Frontier Model and Amazon Is Betting on Neutrality

The Cloud Incumbent: AWS Bedrock Hosts Every Frontier Model and Amazon Is Betting on Neutrality AWS at $37.6 billion quarterly revenue, growing 28%. $13 billion invested in Anthropic. A $100 billion Anthropic-to-AWS commitment. Trainium with $225 billion in customer revenue commitments. The most quietly powerful AI strategy in the race. By Francis Avorgbedor | Azure Engineer  ·  July 4, 2026  ·  14 min read  ·  Amazon · AWS · Cloud AI 74 SEVENAI Momentum Score — Rank #5 $37.6B AWS Q1 2026 revenue — 28% YoY growth ▲ Fastest in 15 quarters $13B Total Amazon investment in Anthropic to date ▲ Strategic anchor 100K+ Customers running Claude on AWS Bedrock ▲ Distribution moat Amazon's AI strategy is built on a thesis that every other Magnificent Seven company is testing against — and that Amazon is uniquely positioned to win regardless of the outcome. The thesis is neutrality. In a race where Microsoft has bet on OpenAI, Google has bet on Gemini, and Meta has bet...

The Importance of Content Marketing in 2026: Building Trust, Driving Leads and Growing Your Business

 The Importance of Content Marketing in 2026: Building Trust, Driving Leads and Growing Your Business Content marketing is not a passing trend – it has become the backbone of modern marketing and sales strategies. Companies that consistently educate and engage their audience with blogs, videos , podcasts and other formats are seeing measurable results in brand awareness, lead generation and revenue. By 2026, content marketing is no longer optional: over 82 % of companies use it and more than 54 % plan to increase their investment . In today’s competitive landscape, high‑quality, customer‑focused content builds trust, attracts qualified prospects and nurtures loyalty throughout the buyer journey. Pervasive adoption and why it matters Widespread usage: Research shows that 73 % of B2B marketers and 70 % of B2C marketers include content marketing in their strategies . Within organisations, dedicated content teams are becoming the norm; 73 % of major o...

How to Reset an Azure Virtual Machine to Factory Settings Using a Managed Disk

How to Reset an Azure Virtual Machine to Factory Settings Using a Managed Disk Azure does not have a single "factory reset" button. What it does have is something better: the OS Disk Swap — a method that swaps out the corrupted or misconfigured OS disk for a clean Windows Server managed disk without deleting the VM, its NICs, its IP addresses, or any attached data disks. Here is how it works, when to use it, and the exact steps to execute it safely. FA Francis Avorgbedor Azure Engineer July 16, 2026 15 min read Azure VMs · Windows Server · Real-World Fix 3 Methods to achieve a clean Windows Server installation on an existing Azure VM ~15min Typical OS Disk Swap duration — VM retains its NICs, IPs, and data disks throughout 0 Data disks affected by an OS Disk Swap — data disks remain attached and untouched 1 Snapshot of the original OS disk you must take before starting — no exceptions Introduction Why Azure Does Not Have a Simple Factory Reset — and What to Do Instead On a ph...
  A slow or unstable internet connection can be incredibly frustrating, but many common issues can be resolved with a bit of troubleshooting. This guide will walk you through a series of steps to diagnose and fix your internet connection. Step 1: Basic Checks & Restarting Your Equipment Often, the simplest solutions are the most effective. Check Cables:  Ensure all cables connected to your modem and router are securely plugged in. This includes the power cables, the Ethernet cable connecting your modem to your router (if you have separate devices), and the cable coming from your internet service provider (ISP) – usually coaxial or fiber optic. Restart Your Modem and Router:  This is the golden rule of internet troubleshooting. Unplug  both your modem and router from their power sources. Wait for at least  30 seconds . This allows the devices to fully power down and clear their temporary ...

Can I Update My Old Computer to Windows 11 — and How Much Will It Cost?

Can I Update My Old Computer to Windows 11 — and How Much Will It Cost? Your i7, 16GB RAM, 512GB SSD machine is powerful enough to run Windows 11 comfortably. The TPM 2.0 and Secure Boot wall is a security checkbox, not a performance ceiling. Here are two proven ways to get past it, what each one costs, and what you are trading away by doing so. $0 Cost of the Windows 11 licence if your existing Windows 10 is genuine — the upgrade remains free in 2026 2 Proven methods to bypass TPM 2.0 and Secure Boot — Rufus (easy) and Registry edit (manual) 25H2 Current Windows 11 version — all known bypass methods tested and confirmed working as of July 2026 Oct 2025 Windows 10 end of life — no more security updates. Staying on Windows 10 now carries real risk. First — Check Your BIOS Before Anything Else You Might Not Actually Need a Bypass Before running any bypass, open your BIOS and look at two settings. Many computers that fail the Windows 11 compatibility check have TPM 2.0 present in the hard...

Azure Files vs Azure NetApp Files: Which One Should You Choose?

Azure Files vs Azure NetApp Files: Which One Should You Choose? Performance tiers, protocol support, dual-protocol capability, pricing models, SAP/Oracle/HPC suitability, data management features, and the decision framework that maps each workload type to the right service — with step-by-step setup procedures for both. FA Francis Avorgbedor Azure Engineer July 15, 2026 20 min read Azure Storage · Architecture 4 Azure Files tiers: Premium SSD, Standard Hot, Cool, Tx Optimized 3 ANF performance tiers: Standard, Premium, Ultra — all SSD-backed 4TiB ANF minimum provisioning — significant cost floor for small workloads Dual ANF serves the same data via SMB and NFS simultaneously — AF cannot Introduction Two Services, One Surface Area — Completely Different Purposes Microsoft offers two fully managed, enterprise-grade file storage services in Azure. They share a surface area — both serve file shares over standard protocols, both run on managed infrastructure, and both integrate with Microsof...
 Digital Marketing Trends and Strategies for SMBs in 2026 Small and mid‑sized businesses (SMBs) are competing in an environment where digital marketing changes faster than ever. The rise of artificial intelligence (AI), voice search and social commerce are reshaping how customers discover, evaluate and purchase products. To succeed, SMBs must understand the trends shaping 2026 and implement strategies that build trust, visibility and conversion—without breaking the budget. AI becomes the backbone of digital marketing AI‑driven personalization is now standard. Advances in machine learning mean even small businesses can personalize messaging at scale. Twilio’s research shows that 92 % of companies use AI‑driven personalization to drive growth . AI tools automate tasks like content creation, segmentation and performance analysis, freeing owners to focus on strategy . AI marketing tools are accessible. According to a U.S. Chamber of Commerce report cited by Thryv, 58...
 Social Media Monetization for Beginners Social media platforms offer numerous avenues for monetization, even for beginners without specialized skills. The key lies in understanding different strategies, creating valuable and authentic content, and consistently engaging with an audience. Here are the primary ways one can monetize social media: • Direct Monetization Methods     ◦ Sponsored Posts and Brand Partnerships: Once you build a decent following, companies will pay you to promote their products or services through your posts, stories, or videos. These often involve a fixed fee per post or campaign and require you to demonstrate influence and an active community. It's crucial to promote products you genuinely like and to be transparent with disclosures about paid partnerships.     ◦ Affiliate Marketing: This involves promoting other companies' products or services using unique links. You earn a commission when someone makes a purchase through your link. Pla...
Creating user profiles for Entra-joined Azure Virtual Desktops (AVD) primarily involves configuring FSLogix Profile Containers . This ensures that user profiles are portable and persistent across sessions, even though the session hosts are Entra-joined. Here's a step-by-step guide: Step 1: Prepare Your Storage for FSLogix Profiles You'll need a file share that can be accessed by your AVD session hosts and where user profile disks will be stored. Azure Files is a common and recommended solution for this. Create an Azure Storage Account : Go to the Azure portal, search for "Storage accounts," and click "Create." Choose your subscription and resource group. Give it a unique name (e.g., avdprofilesstorage). Select a region. For performance, consider "Premium" with "File shares" as the account kind, or "Standard" with "ZRS" or "GRS"...
Building Online Presence : A Skill-Free Income Guide Building a strong online presence is fundamental for generating income without prior skills, and it involves several key strategies, from mindset to practical execution. Foundational Mindset Shifts for Success Developing the right mindset is the starting point for building an online presence, influencing your motivation and ability to overcome challenges. • Embrace Learning and Adaptability Your ability to succeed online without specific skills starts with believing that change is possible and that you can learn as you go. The digital world changes rapidly, so being open to trying new methods and adapting your approach is crucial to keep moving forward. • Persistence Over Perfection View setbacks as opportunities to learn rather than failures, which helps build resilience. Recognize that success comes from persistence, not perfection. Small, consistent wins build confidence. • Focus on What You Control Concentrate on your effort, att...