Own Your Email Domain
60 points by uncenter
One problem is that you are only renting the domain, so if you somehow forget to renew (credit card expires and is declined and/or you’re incapacitated at an unfortunate time), then your email can easily be taken over by malicious actors. This might even be more likely than Apple/Google canceling you.
Anyone able to suggest a mitigation for this?
Renew very well in advance? I believe some providers allow paying for several years, and because some are relatively cheap, that’s not too bad.
patio11 once advised to do stuff like this yearly, in order to make it into a yearly routine. To me that makes a lot of sense. So one time per year I renew all my domains, regardless of their expiry date. I have an item in my calendar to remind me.
Ah, I hadn’t seen a middle ground between single-year and perpetual domain registration (which is unreasonably expensive). I shouldn’t be surprised that exists.
One unsolicited piece of advice: stick to .com or your country’s own TLD because other ones seem to always be increasing prices after being bought by private equity.
Well, the old TLDs should be safe too. I don’t like .com for personal use, so I’d use .net or something like that.
A favorite hill of mine to die on is not using ccTLDs for cutesie purposes.
I think some of the newer non-ccTLDs are fine though, but it’s worth reading the fine print and who owns them.
I was bitten by this, after losing my .eu one. I’m not sure that my current somewhat-domain-hacky default one from a Pacific micronation is a good idea either, but I do have a .uk to fall back on at least.
Anyone able to suggest a mitigation for this?
If you’re able to become an internationally recognized country, you’ll get a ccTLD, and unlike domains or gTLDs, ICANN / registrars have no authority to take away a given domain that doesn’t pay… as long as you remain a country.
Have a good registrar and have it auto-pay. A good registrar will charge you a bit in advance of the actual expiration and let you know if there are issues. (I use namecheap, they’re not perfect but pretty ok.) You do want to have a separate email acct under a different domain, that domain- and hosting-related services can reach you at.
I’m not advertising Gandi here. Actually, I recommend against them. Gandi has been enshittified the last two years after they got bought up by some Dutch private equity firm, which now wants their money back[1]. But I’m still using Gandi as my main registrar, even though I’m currently trying to move away from Gandi; however, transferring my main domain between registrars scares the shit out of me.
To answer your original question, Gandi (and I would expect other registrars that I’m not aware of) has a way to auto-renew domain registrations, and to give a cash advance. Some domains (.fr, hello!?!) only allow you to renew every year, so you can use that to counteract these policies. You top up your Gandi “cash-advance” (I usually put ~€300), and you can set a threshold alert to send you an email when this pot of money reaches a certain amount. (I set it to ~€100, this is way above what I need to renew 2-3 domains) and Gandi will take money out of this fund to auto renew your domain(s). In theory you have ~2 years to act, because once a domain renewal brings you under €100, it will send you a warning email, but it’s still able to renew each domain 1 more time.
You can also use that to mitigate your death, you could put ~€1000 in advance, so that it will auto renew ~15 years before your domain expires. Hopefully most people will be aware that you’re dead 15 years after you’ve segfaulted. Scammers should be able to safely take over your domain and try to impersonate you without causing too much damage.
[1] I don’t want to link to the announcement on their website, see the last paragraph of the “History” section for https://en.wikipedia.org/w/index.php?title=Gandi&oldid=1277681932#History
I moved all of my domains from Gandi to Porkbun over the past year. It was trivial. Porkbun is cheaper and delightful after the years of Gandi’s slow decline.
Porkbun has been recommended many times to me, but I have this weird requirement that I want to use a European based registrar. I’ve been looking at BookMyName (which has been the main competitor of Gandi in France for many many years), but I haven’t taken the plunge yet :D
I might use Porkbun for my backup domains which I was describing in this other thread.
BookMyName
I was looking for a cost-effective European domain registrar to transfer my .me domain, which has traditionally been expensive. Thank you for your recommendation.
I can highly recommend Glauca Digital. Run by cool people.
I’ve never heard of them, but reading their website it does look like people with the same mindset as me (no AI, runs on Linux, ...). Unfortunately, it looks like they’re not ICANN accredited, and I’m only looking for ICANN accredited registrars. But thanks for the recommendation, I’ll keep it in mind!
Allegedly, becoming “ICANN accredited” is five digits USD annually, which is an issue for a smaller registrar. But you didn’t hear that from me :)
I’m sure it’s part of it. But it also comes with certain procedures and requirements which guarantee a certain quality of service in case of edge-cases. Usually, your average user cannot test for these edge cases, so this is why I require ICANN accreditation :P
I get notified, multiple times, when my domain is about to expire, starting about 90 days prior. As @giffengrabber mentioned, I only renew for a year, and I’ve done this for the past 27 years now. Never had a problem.
Another benefit I’ve found of owning your own email domain is that you can create subdomains for friends/family and have them use their preferred email company. I did this for my girlfriend and it worked out great.
Purchase some longish period initially (3-5 years), set a calendar or other reminder and top up yearly, as if you had to renew yearly anyway.
I figure if I’m incapacitated for 5 years for some reason, a domain is the least of my worries
Yeah, clearly I didn’t understand that some registrars let you buy years in advance—I thought pricing uncertainty would prevent that. I do see personal domains lapse occasionally, though that is admittedly probably just for web hosting.
As per another comment, this thread just prompted me to bump my domain name from May 2029 expiry (paid in Nov 2019) to May 2034. $105 well spent.
Which registrar (and TLD) allows 10 years in advance?
I just asked Grok.
Most major domain name registries allow registration for up to 10 years in advance, as this is the maximum period set by ICANN for generic top-level domains (gTLDs) like .com, .net, .org, and many new gTLDs (e.g., .co, .io, .ai). However, some country-code top-level domains (ccTLDs) and specific registries may have shorter maximum registration periods, such as 1–3 years. Below is a breakdown based on available information:
Registries Allowing 10-Year Advance Registration
Generic Top-Level Domains (gTLDs):
.com: Managed by Verisign, allows registration up to 10 years.
.net: Also managed by Verisign, supports up to 10 years.
.org: Managed by the Public Interest Registry, permits up to 10 years.
.info, .biz, .co, .ai: These typically allow up to 10 years, though specific registry rules may vary. Confirm with the registrar.
Other gTLDs (e.g., .pro, .club, .online): Most new gTLDs managed by registries like Identity Digital or Donuts allow up to 10 years.
Registrars Supporting 10-Year Registration:
Many ICANN-accredited registrars, such as GoDaddy, Namecheap, Google Domains, Cloudflare, and Dynadot, support 10-year registration for gTLDs where the registry allows it. For example:
GoDaddy: Offers up to 10 years for most gTLDs like .com, .net, and .org.
Namecheap: Supports 10-year registration for .com and other eligible TLDs.
Dynadot: Allows up to 10 years for TLDs like .com, but notes not all TLDs permit this.
Cloudflare: Supports 10-year registration for compatible TLDs.
Users of this forum are capable of using AI ourselves if we want to, and if we wanted an AI response we would go to said AI, not post on this forum made for humans. Please do not uncritically post AI slop.
Also, .io and .ai are not “new gTLDs”, they’re both ccTLDs.
I’ve had hoult.org since May 2000 and it’s currently paid-up until May 2029 (which I did in Nov 2019 six months before it was due to expire).
Only four years to run now, maybe I should bump it out a bit again, just in case .. a few minutes later .. ok I just did … $105 to bump it by five years. For some reason bumping by six years was going to cost $225 so … no.
Whois double check .. yup “Registry Expiry Date: 2034-05-10”. Good.
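The expiry double check above can be automated. This is an added example (not from the thread or any registrar), which reads the expiry date from either a WHOIS text reply or an RDAP JSON document and maps the days remaining onto reminder thresholds; the WHOIS and RDAP samples are constructed, with example.org standing in for a real domain.

```python
"""Report how long a domain has left before it expires, from a WHOIS text
reply or an RDAP JSON document, and whether a renewal reminder is due.
All inputs are constructed samples, not real registry data."""
import json
import re
from datetime import datetime

# Constructed WHOIS excerpt, in the line format quoted in the thread above.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.ORG
Registrar: Example Registrar, LLC
Creation Date: 2000-05-10T04:00:00Z
Registry Expiry Date: 2034-05-10T04:00:00Z
"""

# Constructed RDAP document (RFC 9083 shape, minimal fields).
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.org",
    "events": [
        {"eventAction": "registration", "eventDate": "2000-05-10T04:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2034-05-10T04:00:00Z"},
    ],
})

def _parse_ts(value):
    # WHOIS/RDAP timestamps are ISO 8601; older Pythons reject the 'Z' suffix.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def expiry_from_whois(text):
    """Return the 'Registry Expiry Date' from a WHOIS reply, or None."""
    m = re.search(r"^Registry Expiry Date:\s*(\S+)", text, re.M)
    return _parse_ts(m.group(1)) if m else None

def expiry_from_rdap(doc):
    """Return the date of the 'expiration' event in an RDAP document, or None."""
    for ev in json.loads(doc).get("events", []):
        if ev.get("eventAction") == "expiration":
            return _parse_ts(ev["eventDate"])
    return None

def days_left(expiry, now):
    """Whole days from now (an ISO 8601 string or datetime) to expiry."""
    if isinstance(now, str):
        now = _parse_ts(now)
    return (expiry - now).days

def renewal_status(days, thresholds=(90, 60, 30, 7)):
    """Map days remaining to a status. The 90-day threshold mirrors the
    lead time a registrar in this thread is said to start notifying at."""
    if days < 0:
        return "expired"
    due = [t for t in thresholds if days <= t]
    return f"renew-within-{min(due)}d" if due else "ok"

if __name__ == "__main__":
    exp = expiry_from_rdap(SAMPLE_RDAP)
    d = days_left(exp, "2025-05-10T00:00:00Z")
    print(exp.date(), d, renewal_status(d))
```

Run it against a real domain by feeding the output of your WHOIS client or an RDAP lookup into the two parser functions; a status other than "ok" is the cue to renew.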
Anyone able to suggest a mitigation for this?
There’s a whole bunch of other reasons you might lose access to a domain, and not all of them can be effectively mitigated.
If you signed your mail with PGP keys you control, you can add multiple UIDs to your key, to cross-link separate identities. That could be a way of bridging from a domain you lose access to.
Someone picking up a domain you used to “own” could receive mail destined for you, and send mail appearing to be from you. The only robust mitigations for those problems are again, PGP or similar.
For domain expiration in general:
Some registrars will allow you to set multiple payment methods, in case your primary one fails.
Most domains can be pre-paid for ten years.
Be sure to use a domain registrar that doesn’t suck. For instance, Network Solutions, in addition to charging you way more than normal, charge extra for security. Also, many businesses add things in the name of security that actually make things worse. Telephone based authentication is an excellent example.
Find a registrar that doesn’t think they’re clever by forcing people to add a phone number to your account, for example.
I’ve been doing this for 15 years, and I totally agree with this write-up.
What the article doesn’t mention is that gmail, icloud, instagram, twitter … are all name registries as well, but they’re severely under-regulated compared to domain registrars. There are multiple court cases (in the US and in Europe) that ruled that users were entitled to their domain names as long as they paid for it. However I remember reading about a case where some business relied on an instagram url (which is also a name registry) and the ruling was that instagram could do whatever they want with their URLs, one is not entitled to a record in their name registry. This article only mentions the risk of providers shutting down, but you’re also running the risk of providers just unilaterally canceling your right to your name record in their database.
Even though I advocate for people owning their email domain, there is one caveat, which is what I call “the self dependency problem”. For example, the day you lose your domain through no fault of your own and without your authorization, there is no way to verify your identity… Your identity was your email, and your email domain is not under your control anymore, and your registrar only communicates with you through this email, which you can’t access because your registrar needs to solve the issue, etc.
I’ve been thinking of creating a backup example2.com for my domain example.com, and managing each domain through two registrars, and having a circular dependency. It’s still on my TODO list, but now I’m managing 3 registrars… (I already use an anonymous registrar for domains I don’t want to be linked to me for privacy reasons.) And two registrars are already a high cognitive load for me.
For posterity, if you want to use a personal Gmail account but start using a custom domain for forwarding/send-as, the process is not straightforward at all due to auth. Here is how I did it:
I fixed this by:
Why do this? There’s no way (AFAIK) to bulk import email from a personal Gmail account to a Workspace account. I have email going back decades, from when Gmail required an invite. I have no interest in forking my inbox between that and a Workspace one.
Why do this? There’s no way (AFAIK) to bulk import email from a personal Gmail account to a Workspace account
I believe imapsync can do this. It’s in their FAQ at least.
I know that auth for gmail has changed a bit as of late, so actually authing imapsync to the accounts might be a bit of a hassle, but I also know it’s still possible to auth to em for imap clients.
Honestly, just logging into both of them with thunderbird and doing a big drag+drop probably would work too.
imapsync works with my old (A.D. 2008 era) Gmail account just fine. I move the few emails to my other provider every few weeks.
Yeah, looks like it might work, but the linked blog posts (admittedly over a decade old each) both mentioned that the process needed babysitting, e.g.
You will almost certainly have to run the imapsync command multiple times before all of your mail is transferred, unless you have just a few emails to begin with. I had to run it probably 20-50 times to get everything transferred (about 450MB). Imapsync exits every once in a while for whatever reason - maybe the IMAP servers kick it off when they get tired of it.
I’ve not got time for that! I’ve got kids! XD
Gotta get this pedanticism off my chest:
MX
- Tells email clients which mail servers to use when sending email to your email domain.
MX tells email servers where to deliver email. Email clients might use SRV records or some web based autoconfig method, but likely you have to configure it all yourself.
CNAME
- Used to provide advanced email features like DKIM.
DKIM uses TXT records, do people actually create such long CNAME chains for that?
I use CNAMEs for DKIM all the time because it makes my life so much easier. Right now, I’m using Fastmail for my primary email and they rotate DKIM signatures every couple of months last time I checked, so using long CNAMEs is the only elegant way to have up to date DKIM signatures without rotating TXT records manually.
Long CNAMEs are annoying but in this day and age that’s not really a problem for me now that we have nice tools for DNS record management, such as Octodns or the less known but equally good DNSControl that I’m using.
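What a receiving server actually does with a CNAME-delegated DKIM selector, as an added example that is not from the thread or any provider: it follows the CNAME chain from selector._domainkey.yourdomain to wherever the provider's TXT record currently lives, then parses the DKIM tags. The zone data is a constructed stand-in for real DNS answers, and every hostname under provider.example is a placeholder. It also handles the two failure modes worth checking for: a revoked key (empty p= tag) and a CNAME loop.

```python
"""Resolve a DKIM selector through its CNAME chain and parse the DKIM TXT
record it ends at. ZONE is a constructed map of DNS name -> (type, value);
hostnames under provider.example are placeholders, not a real provider."""

ZONE = {
    # The record the domain owner publishes: a CNAME into the provider's
    # zone, so the provider can rotate the key without the owner editing TXT.
    # Note that whoever controls the CNAME target controls your DKIM key.
    "fm1._domainkey.example.com": ("CNAME", "fm1.example.com.dkim.provider.example"),
    "fm1.example.com.dkim.provider.example": ("CNAME", "key-2025q2.dkim.provider.example"),
    "key-2025q2.dkim.provider.example": ("TXT", "v=DKIM1; k=rsa; p=MIIBIjANBgkq...constructed"),
    # A revoked selector: RFC 6376 says an empty p= means the key is withdrawn.
    "old._domainkey.example.com": ("TXT", "v=DKIM1; p="),
    # A misconfigured pair that loops back on itself.
    "loop._domainkey.example.com": ("CNAME", "a.provider.example"),
    "a.provider.example": ("CNAME", "loop._domainkey.example.com"),
}

def resolve_txt(zone, name, max_hops=8):
    """Follow CNAMEs from name; return (final_name, txt_value, hops)."""
    seen = []
    while name not in seen and len(seen) < max_hops:
        seen.append(name)
        rtype, value = zone.get(name, (None, None))
        if rtype == "TXT":
            return name, value, len(seen) - 1
        if rtype != "CNAME":
            raise LookupError(f"no TXT or CNAME at {name}")
        name = value
    raise LookupError(f"CNAME loop or too many hops while resolving {name}")

def parse_dkim(txt):
    """Split a DKIM TXT record into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def dkim_key_status(zone, selector, domain):
    """What a verifier finds for selector._domainkey.domain: (status, hops)."""
    try:
        _, txt, hops = resolve_txt(zone, f"{selector}._domainkey.{domain}")
    except LookupError:
        return "unresolvable", 0
    tags = parse_dkim(txt)
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional but must be DKIM1
        return "invalid", hops
    if not tags.get("p"):
        return "revoked", hops
    return "active", hops

if __name__ == "__main__":
    for sel in ("fm1", "old", "loop"):
        print(sel, dkim_key_status(ZONE, sel, "example.com"))
```

To check a live selector, replace the ZONE lookups with real CNAME and TXT queries; a long hop count is harmless, but a chain ending in "unresolvable" means the provider's side has moved or your CNAME is stale.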
Coincidentally I was doing some research about this yesterday.
For my email address, I use a domain owned by my brother (surname.net). He set it up with DreamHost eons ago and sometimes he considers moving his stuff (he also hosts a Wordpress blog and few other odds and ends).
I was looking at European email providers at European alternatives, and just two caught my eye.
I already knew about Migadu, which I really like except for the really steep jump from their 90$/yr to their 290$/yr tier. (I would like to have the feature to host some more email addresses for other people. I have about 2-3gb of email, so 30gb could be a little bit short?) I pointed Migadu to other people and they seemed to be very happy with them.
eclipso seemed to be the other provider that could be suitable for my purposes, but their website put me a bit off (some stuff is German-only?)…
I’m seriously tempted to use YunoHost or something like that. I tested their email functionality and it was pretty nice, and I would likely go with AWS SES for SMTP, which I expect would work well enough.
90$/yr to their 290$/yr
Shocking, any $5/month VPS host will give you a cpanel interface with idk 99 allowed email addresses. Or have I just been grandfathered in so deeply?
You’re paying for them to actually care about your email routing and backups. With a VPS you have to handle that. With a cPanel host, email isn’t the core business either.
Any suggestions? Mostly “shared hosting” packages tend to skimp a bit on space and features. OVH is not well-known for shared hosting, but for example although 5gb of email would be enough for me, it’s a bit tight.
I’m mostly in an exploratory phase. I kinda like European Alternatives for my purposes, and I’m willing to spend a bit more for a “reputable” provider that’s been around for a while.
Is there a good solution to own my domain but retain the privacy benefits of Hide My Email?
I really enjoy the Hide My Email feature from iCloud+. I find it valuable to have a different email for each website, so I can reduce the chance that I can be cross-correlated across different websites.
If I use my own email domain, though, then it’s obvious I am the same entity on all these websites because the domain would be unique.
I use wildcard addresses. lobste.rs@ki9.us for this site. It’s obvious to a human that I am ki9 and all those email addresses are the same person but data brokers and password sprayers really have no idea.
I used to do this. It was cool to have my username as my email, south at cla.ws, but I ran into issues with deliverability, the thought that maybe one day Western Samoa could cease to exist or change the rules on who can own .ws domains, and Google Workspace being a little strange in terms of behaviour when it came to consumer products given it was a “business” context (I wish they provided personal account custom domains), particularly with things like Google Photos.
Ultimately, I decided the maintenance burden wasn’t worth it and moved back to my original Gmail account. I figured the likelihood of them deleting me was low.
This is a practice I follow myself, but it raises the question on when you shouldn’t use the email address at your domain.
At the very least, you shouldn’t use @yourdomain.com for the domain registrar, in case the domain lapses and you can’t log in!
There’s also the many services that offer OpenID (“sign in with Google” or equivalents). I’ve tended to just use gmail for these cases, but it does lead to inconsistency in email logins.
This article seems to only talk about renting the domain and using it with e.g. ProtonMail, so it isn’t really “owning” your email (well, the title did say “own your email domain”). If you really want to own all your email, you’ll want to set up something like Postfix to go along with it.
With that out of the way, pretty good blog post that explains the benefits of owning the email domain ^^
Case in point: a couple days ago I decided I’m tired of my email provider’s jank and wanted to switch. Thanks to all my email addresses being on my own domain, the process went smooth as butter—set the custom domain up in the new provider’s settings, update DNS records to point to the new provider’s servers, and there, Bob’s your uncle.
For example, given the email address [email protected] the email domain is example.com.
Aaaa.
Or, you know, you could self-host your mail. inb4 “it won’t get through”: if you do stuff correctly (not hard with OpenSMTPD) and relay some stuff (looking at you M$ and Google) through a “reputable” source, it just werks.
Bonus points: controlling my own spam filtering (rspamd) allows me to block or entirely drop A LOT of the spam that is getting through in Gmail (which I suspect Google just doesn’t care about or profits off of).