
Validation state keeps being pending

Emil Paaske Kvandal 40 Reputation points
2026-03-13T09:01:02.8233333+00:00

We continue to experience that, when we generate TXT records for the domains that we host using Front Door, they keep getting stuck in the "pending" state (not all the time, it just happens a lot).

Even though we can see that the TXT record is present when using tools like nslookup or mxtoolbox.

Is this really just Front Door doing caching of some kind and never actually validating the TXT record's value that is present on the domain?

If not, is there something that we can do to prevent this, or to try and mitigate the times it will happen in the future?

Azure Front Door

An Azure service that provides a cloud content delivery network with threat protection.


2 answers

  1. Ganesh Patapati 11,370 Reputation points Microsoft External Staff Moderator
    2026-03-24T13:41:33.3466667+00:00

    Hello Emil Paaske Kvandal

    You can resolve the issue by deleting the CNAME, adding the www TXT manually, and once it’s validated, deleting the TXT and re-adding the CNAME. This process will work.

    In the meantime,

    Firstly, why can Pending hang around?

    • When you add the _dnsauth.<subdomain> TXT record, Front Door polls every few minutes but will cache the last lookup result for up to one hour.
    • Even if external tools (nslookup, dig) see the new value immediately, Front Door may still hold the old (or no-record) result until its next re-check and cache-expire cycle.

    What you can do to mitigate it

    1. Consider lowering the DNS TTL for your TXT record. If possible, set the TXT record’s TTL to 300 seconds (5 minutes) or, at most, 3600 seconds (1 hour). This helps changes propagate more quickly and ensures that Front Door’s cache expires sooner.
    2. It’s best to pre-provision the TXT record in your DNS before clicking “Add custom domain.” By having the correct TXT record in place first, the initial Front Door domain check will recognize the valid record right away.
    3. If you need to, you can automate or script the “Regenerate validation token” process. Regenerating the token creates a new TXT value and clears Front Door’s old cache entry. You can use tools like Azure CLI or ARM calls (such as az network front-door custom-domain regenerate-validation-token) to detect when a domain is stuck in a pending state and trigger a regeneration automatically.
    4. Whenever possible, use Azure DNS. Azure DNS usually offers predictable propagation times and TTL behavior.

    Usually Pending clears in under 24 hours. If it still shows Pending after 24 hours with the correct TXT in place, you can delete the custom domain from Front Door and add it back (which also kicks off a fresh validation cycle).

    Hope that helps!

    Reference:

    How Domain validation works

    Configure a custom domain on Azure Front Door by using the Azure portal


    Can you please update us if the action plan provided was helpful?

    Should there be any follow-up questions or concerns, please let us know and we shall try to address them.


  2. Vallepu Venkateswarlu 6,555 Reputation points Microsoft External Staff Moderator
    2026-03-13T09:42:51.66+00:00

    Hi @Emil Paaske Kvandal,

    Welcome to Microsoft Q&A Platform.

    Please ensure that the domain has been validated correctly, especially since you have already regenerated the TXT record.

    • Check DNS propagation: Make sure the TXT record has fully propagated across DNS servers.
    • Verify the record format: Ensure the TXT record is added in the correct format, for example _dnsauth.

    You can verify the DNS propagation using the following tool: https://www.digwebinterface.com/

    This can help confirm whether the TXT record is visible publicly. In most cases, validation happens within a few minutes, although it may sometimes take up to 24 hours depending on DNS propagation.

    After adding the TXT record, return to the Azure Front Door portal. The service will automatically check the DNS records and validate the custom domain. Once the validation succeeds, the status should change from “Pending” to “Validated.”

    If you’re using an AFD-managed certificate, the validation process includes both DNS ownership verification and certificate provisioning. If the certificate issuance (via DigiCert, Azure’s partner) is delayed, it can keep the domain in a “Pending” state.

    Action: In the Azure portal, check the certificate status under the Front Door’s Custom Domain settings. If it is stuck, try disabling and re-enabling the custom domain, and then regenerate the TXT record.

    For additional guidance, please refer to the documentation: https://learn.microsoft.com/en-us/azure/frontdoor/domain#txt-record-validation

    Additionally, you can try deleting the domain from Front Door and re-adding it with a freshly generated TXT record. It sometimes resets the process properly. Based on your domain we have suggested to use Custom domain instead of default domain.

    DNS propagation may take up to 24 hours. If the issue still persists, ask them to delete the record and regenerate the TXT record by following the Microsoft documentation. If they are not technical experts in Azure, anyone can do it using the Azure portal.

    Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-add-custom-domain

    Please “up-vote” wherever the information provided helps you; this can be beneficial to other community members.

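The DNS-side checks both answers describe, as an added example that is not part of the thread: it asks every authoritative nameserver for the `_dnsauth` TXT record directly, so a stuck "Pending" state can be attributed either to DNS (record missing or stale on some server) or to Front Door's own re-check cycle. The script name, `contoso.example` and the token values are constructed; the state and expected token are assumed to be copied by hand from the portal, and the host is assumed to be a subdomain label.

```shell
#!/bin/sh
# Added example, not from the thread.
# Usage: sh dnsauth_check.sh <state> <host-label> <zone> <expected-token>
#   e.g. sh dnsauth_check.sh Pending www contoso.example tok-new-123   (constructed values)

# Classify one nameserver's reply. stdin: `dig +noall +answer` output, e.g. (constructed)
#   _dnsauth.www.contoso.example. 3600 IN TXT "tok-new-123"
# Prints "match ttl=<n>", "stale" (a TXT exists but holds another value) or "missing".
classify_answer() {
  awk -v want="$1" '
    $4 == "TXT" {
      v = $5; gsub(/"/, "", v); seen = 1
      if (v == want) { print "match ttl=" $2; hit = 1; exit }
    }
    END { if (!hit) print (seen ? "stale" : "missing") }'
}

# Decide the next step from the portal state plus one result per nameserver.
next_step() {
  state=$1; shift
  [ "$state" = "Pending" ] || { echo "not-pending"; return 0; }
  [ "$#" -gt 0 ] || { echo "fix-dns"; return 0; }   # no nameserver answered
  for r in "$@"; do
    case $r in
      match*) ;;                                     # this server is correct
      *) echo "fix-dns"; return 0 ;;                 # stale or missing somewhere
    esac
  done
  echo "wait-or-regenerate"                          # DNS is right everywhere
}

# Live check: query each authoritative server itself, bypassing resolver caches.
main() {
  state=$1 name="_dnsauth.$2.$3" zone=$3 token=$4
  set --
  for ns in $(dig +short NS "$zone"); do
    res=$(dig +noall +answer +norecurse TXT "$name" "@$ns" | classify_answer "$token")
    echo "$ns: $res" >&2                             # per-server detail, with TTL
    set -- "$@" "$res"
  done
  next_step "$state" "$@"
}

if [ "$#" -eq 4 ]; then main "$@"; fi
```

A `stale` result after regenerating the token means DNS still carries the previous value and must be updated before validation can succeed. `wait-or-regenerate` means every authoritative server already serves the expected token, so the delay is on the Front Door side.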
