July 4, 2024

Privacy and security implications of using a custom domain for email

Introduction

Continuing my series of posts on email privacy and security, I want to discuss the second piece of advice many people offer: registering a custom domain for personal email. I will focus only on using a domain for everyday email or as an alias domain. Spoiler: I do believe custom domains have their uses for business or branding purposes (as I do with my blog domain).

Privacy

Correlation

To begin, if you've ever done even a little bit of OSINT, you know that you can search for all accounts linked to a specific email address. This is one of the primary reasons why you might choose to use email aliases for every different website on which you register an account.

However, while you can search for a specific email address on those websites, most of them also let you search by domain (the biggest ones, such as dehashed, leakcheck and snusbase, all do). This means that if you are the only one using a particular domain, even if you use it only for aliases, every account you register is linked through a single data point: your domain.
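To make the correlation concrete, here is an added example (my own illustration, not code from the post) that takes constructed breach-style records, groups them by email domain, and reports which domains collapse every alias under them to a single owner. The records, the domain names and the list of "shared provider" domains are all assumptions made up for the example.

```python
"""Added example: how a single-user custom domain links aliases together.

Given breach-style records of the form (email, site), group accounts by the
email's domain. A domain used by only one person maps every alias straight
back to that person; aliases on a large shared provider domain do not.
"""
from collections import defaultdict

# Constructed sample records: (email address, site where it was registered).
# Not a real breach dump.
SAMPLE_RECORDS = [
    ("shop-alias@my-own-domain.example", "shop.example"),
    ("forum-alias@my-own-domain.example", "forum.example"),
    ("bank-alias@my-own-domain.example", "bank.example"),
    ("alice@bigmail.example", "shop.example"),
    ("bob@bigmail.example", "forum.example"),
    ("carol+news@bigmail.example", "news.example"),
]

# Domains known to be shared by many unrelated users (assumption for this example).
SHARED_PROVIDER_DOMAINS = {"bigmail.example"}


def email_domain(address: str) -> str:
    """Return the lowercased domain part of an email address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()


def accounts_by_domain(records):
    """Map each domain to the set of (email, site) pairs found under it."""
    grouped = defaultdict(set)
    for address, site in records:
        grouped[email_domain(address)].add((address.lower(), site))
    return dict(grouped)


def linkable_domains(records, shared_domains=SHARED_PROVIDER_DOMAINS):
    """Domains not run by a shared provider: every account under such a
    domain points at the same owner. Returns domain -> sorted list of sites."""
    grouped = accounts_by_domain(records)
    return {
        domain: sorted(site for _, site in pairs)
        for domain, pairs in grouped.items()
        if domain not in shared_domains
    }


if __name__ == "__main__":
    for domain, sites in linkable_domains(SAMPLE_RECORDS).items():
        print(f"{domain}: one owner linked to {len(sites)} sites: {', '.join(sites)}")
```

Run against the sample data, the three aliases on `my-own-domain.example` come back as one owner tied to the shop, forum and bank accounts, while the `bigmail.example` addresses are not reported at all, because a domain shared by millions of users says nothing about which of them registered which account.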

KYC

The second privacy concern is that if you do not want your domain to be locked (which you obviously don't want if you are using this domain for your accounts), you will need to comply with ICANN registration terms. The main issue here is that you will have to complete a KYC and give all of your personal information in order to register your domain. You could enter fake information, but you would then risk having your domain locked.

This issue can be addressed by using services like njal.la that register domains on your behalf (which is what I use for this site), but you are still trusting one more intermediary than if you used your email provider's domain. Nowadays, most registrars also offer WHOIS privacy for free. However, as with every website, there is always a risk of a data breach, so I wouldn't trust them with my personal information.

Security

First, if your domain gets stolen, it is unlikely that you will get it back, and even if you do, your registrar may not be very secure (anyone could forge an ID and take your domain). Your email provider, on the other hand, has its domain registered by the company itself and has every lawyer and all the public attention it needs to get the domain back in a matter of minutes.

Secondly, even if you set an alert for your domain’s expiration, you might forget and lose your domain. However, this is not really an issue if you are organized (this is an issue for me).
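The two failure modes above (a domain taken over, a domain left to expire) can both be watched for from the registry's own WHOIS record. Here is an added example of such a check (my own code, not from the post): it parses WHOIS-style text, warns when the expiry date is near or past, and warns when the registrar locks that stop transfers and deletions are not all set. The WHOIS text is constructed for the example, and the field names and the lock-status list are assumptions about the common registry format; a real reply can differ.

```python
"""Added example: local checks over a WHOIS record for expiry and registrar locks.

The record below is constructed. Field names follow the widespread
"Registry Expiry Date" / "Domain Status" layout, but that is an assumption.
"""
from datetime import datetime, timezone

SAMPLE_WHOIS = """\
Domain Name: MY-OWN-DOMAIN.EXAMPLE
Registry Expiry Date: 2024-08-01T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrar: Example Registrar, Inc.
"""

# EPP statuses that keep the domain from being transferred, deleted or
# modified without the owner first unlocking it (assumed lock set).
EXPECTED_LOCKS = {
    "clientTransferProhibited",
    "clientDeleteProhibited",
    "clientUpdateProhibited",
}


def parse_whois(text: str) -> dict:
    """Collect 'Key: value' lines; the repeatable 'Domain Status' key becomes a list."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "domain status":
            # The status word comes first, followed by an explanatory URL.
            fields.setdefault("domain status", []).append(value.split()[0])
        else:
            fields[key] = value
    return fields


def expiry_date(fields: dict) -> datetime:
    """Parse the registry expiry timestamp as an aware UTC datetime."""
    raw = fields["registry expiry date"]
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def domain_findings(text: str, now: datetime, warn_days: int = 60) -> list:
    """Return human-readable warnings: expiry within warn_days (or already
    past) and any expected lock status that is missing."""
    fields = parse_whois(text)
    findings = []
    days_left = (expiry_date(fields) - now).days
    if days_left < 0:
        findings.append(f"domain expired {-days_left} days ago")
    elif days_left <= warn_days:
        findings.append(f"domain expires in {days_left} days")
    present = set(fields.get("domain status", []))
    missing = EXPECTED_LOCKS - present
    if missing:
        findings.append("missing locks: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    for finding in domain_findings(SAMPLE_WHOIS, datetime.now(timezone.utc)):
        print("WARNING:", finding)
```

Fed the sample record with a "now" of July 4, 2024, the check reports that the domain expires in 28 days and that the `clientUpdateProhibited` lock is not set; fed a date after August 1 it reports the domain as already expired. Pointing it at real output (for example, by piping the `whois` command's output into `domain_findings`) and running it from a scheduled job gives the expiry alert the post mentions, plus a lock check it does not.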

More

Using a custom domain can make you appear like a business or a serious person, which might be beneficial, but it could also make you seem strange and get your accounts locked on some services.

Domain prices change, and the biggest problem is that once you have paid for a domain and used it for your accounts, you will likely need to keep it indefinitely if you want to keep your old accounts secure, because someone could social engineer their way into an account using the old email address it was registered with. So if one day you can't afford the domain, or forget about it, you might hand someone access to all of your accounts.

Conclusion

My conclusion, as in most of my posts (I know I am a little negative on this blog), is that this is not the best solution if you want to increase your privacy and/or security. However, using a custom domain might be convenient because if your email provider shuts down, you can easily move to another one. But if you choose an email provider with a good track record, this shouldn't be a significant concern. Custom domains are also useful for creating more professional-looking email addresses.

As always, I am more than happy to discuss my thoughts with anyone. If you have any arguments that I may have missed (of which I'm sure there are plenty, as I wrote this in under 15 minutes after reading another Reddit post), I would appreciate hearing them. Thanks for reading :)


Leet
i[a]sy.st