Instead, add the required Office 365 values to the current record so that you have a single SPF record that includes both sets of values. You might already have other strings in the TXT value for this record (such as strings for marketing email), which is fine.
Leave those strings in place and add this one, placing double-quotes around each string to separate them.
All of the servers for these records were reimaged around the same time. It turns out that problems can crop up whenever a computer that was brought onto a domain and registered its DNS record is reimaged, or the OS is just reinstalled, without removing the DNS record or the AD computer account as part of the process.
In my case, the DNS record still had an orphaned SID.
If you’re going to repurpose a name, it’s best practice to simply remove the computer from the domain and delete the DNS record and then reinstall the OS.
However, if you’re in a large enterprise and don’t have this scripted, it can’t be forgotten. I have this script set up under a scheduled task running every day.
When it finds the correct TXT record, the domain is verified.
Note: Typically it takes about 15 minutes for DNS changes to take effect.
No one could figure out a pattern or timeline as to when or why this was happening.
After a ton of research and troubleshooting, I believe I have at least discovered all of the root causes. One of the problems I was seeing was that the permissions on the records that were created via the Microsoft dynamic DNS process were hosed up.
Go back to Office 365 and follow the steps below to request a verification check.
The check looks for the TXT record you added in the previous step.
PowerShell allows you not only to manage your DNS records from the command line but also to take those commands and put them into a script to automate all kinds of time-consuming tasks.