Is email at your own domain really safer?

[TenFour]

While reading the comments on an ArsTechnica article on the ending of free G Suite accounts I noticed someone's tale of having his domain stolen from his registrar and losing control over everything: websites, email, etc. A lot of people argue that using a free service like Gmail or Outlook.com is less secure because you might just lose access to your account for unknown reasons, but they say if you own your own domain you could then move your email to another provider. However, reading about someone having their domain stolen (they said ICANN was no help in retrieving it) made me realize how much depends on the security of your domain registrar. Thoughts? Ars Technica article: https://arstechnica.com/gadgets/2022...&post=40615794

[FredOnline]

I assume you're referring to the 'Skeppy' post?

It reads a bit strange to me - he/she appears to have knowledge of what hackers do, yet has his/her domain at a registrar without 2FA?

You can only make things (domains, bank accounts, cars, houses) as secure as you possibly can but there's no 100% guarantee you won't lose any of them.

[TenFour]

Quote:

I assume you're referring to the 'Skeppy' post?

Yes, the Skeppy post. Sure, there is never 100% security in anything, but with email do you think having it via your own domain is safer than using say Gmail?

I doubt most smaller email providers have the security systems in place that Gmail has, and the same probably goes for many domain registrars. But, probably the #1 way of losing control over either a free Gmail account or your domain email is via some sort of social engineering attack, as illustrated by this article concerning attacks on domain owners: https://domainnamewire.com/2022/01/2...ata-goes-away/

[FredOnline]

Quote:

Originally Posted by TenFour

Sure, there is never 100% security in anything, but with email do you think having it via your own domain is safer than using say Gmail?

I would think that with your own domain, any hacker would have to be able to access both your e-mail account and your domain registrar's account?

I think if you take your security seriously, you would be very unlucky to lose access to both accounts.

Edit: Here's a reminder of what happened to Fastmail, in 2014:

https://fastmail.blog/historical/whe...is-not-enough/

[TenFour]

Quote:

you would be very unlucky to lose access to both accounts.

If your domain is taken over your email is taken over too because they can just change the DNS, The Fastmail account is interesting because it illustrates how a larger company like that has many more resources to protect their domains. What if instead it was one of us and we received a clever phishing email with a fake unsubscribe link that is actually a phishing attack? I'm naturally a very suspicious person, but I have some employees who have responded to classic phishing attacks and even mailed attempts. My work domain gets targeted fairly frequently.

[FredOnline]

Quote:

Originally Posted by TenFour

If your domain is taken over your email is taken over too because they can just change the DNS

At least if your e-mail account is still secure, you may have proof of services purchased (e-mails from your registrar with invoices, dates, etc) that would (hopefully) assist in getting the domain back.

Without access to your registrar and e-mail accounts, you're right up that well known creek!

[TenFour]

Quote:

At least if your e-mail account is still secure, you may have proof of services purchased (e-mails from your registrar with invoices, dates, etc) that would (hopefully) assist in getting the domain back.

Right, but while you're fighting to get your domain back they have changed the routing on all your email and can see any password resets you are requesting, etc., and you might not be able to reset some things without access to emails going to that address. My domain registrar does send me an email every time I login to the account, so hopefully if I saw one of those in time and knew it wasn't me I would be able to quickly contact the registrar, etc. but I wouldn't count on being faster than a good thief. The email might arrive in the middle of my night while I am asleep, for example.

[floatinghermit]

I feel that having your own domain IS safer, for a few reasons.

1) It's officially yours. Sure, there may be cases where it gets stolen but at least you have options (like suing after paying a lawyer $10,000. Not an ideal choice, but still better than using a service in which you don't OWN the account)
2) You should always have 2FA. Always.
3) If you feel gmail is more secure than a nameless registrar, why not use google domains? It'll have the same high security that gmail has, and you get both advantages.
3b) Don't use a nameless registrar. Don't use EIG.
4) It is easier to secure one domain account with extreme security measures than to protect multiple accounts.

[TenFour]

Quote:

It's officially yours. Sure, there may be cases where it gets stolen but at least you have options (like suing after paying a lawyer $10,000. Not an ideal choice, but still better than using a service in which you don't OWN the account)

Personally, I'm more worried about the email accounts that would be stolen if the domain was stolen. They would gain access to lots of valuable data that they could then try to leverage to get into your bank accounts, credit cards, etc. I read about people using email services like ProtonMail to have end-to-end encryption, etc., but how secure is their domain provider? People often bolt the front door, have security cameras there, then leave a bathroom window open in the back.

[jeffpan]

Owned domains + forwarded to gmail by cloudflare + sent via pobox SMTP
This combination works perfectly for all my domains.

[TenFour]

Quote:

Owned domains + forwarded to gmail by cloudflare + sent via pobox SMTP

Why don't you use POBox.com for the forwarding too?

[jeffpan]

Quote:

Originally Posted by TenFour

Why don't you use POBox.com for the forwarding too?

1. Their Customer Support sucks for adding or removing domains, every request 2+ dsys to get response
2. Pobox basic plan is very weak for multiple mailboxes controls. You can’t forward different email to different mailboxes.

[TenFour]

I had the exact same problems with POBox.com! Except one of my domain changes resulted in weeks of fruitless customer service back and forth that prompted me to stop using them entirely. One other problem for me was that I found it tedious logging in to check out what their spam filters had caught, and frequently there were emails there that I wanted to see. Otherwise, their service worked well if the features suit you.

However, I feel that utilizing multiple services to send and receive your emails opens up multiple possible security problems. Each service has somewhat different security and you have to be certain to keep multiple services up to date with things like recovery phone number and email address changes. That's one problem with domain email--you usually have at least two different services to monitor and make sure they are secure.

I don't typically need to go to my domain registrar's site very often, and quite a few times when I do after several months of not needing to I have found that I forgot to update my contact email or phone number or address or some other critical piece of data. I move around a lot so these things have changed a lot for me.