IT.COM

Best practices for your registrant contact email address?

NameSilo
Watch
Impact
9
I'm curious what the best practices are with regards to email addresses for your registrant contact and registrar accounts.

Let's say my name is John Doe, and I use [email protected] as my primary email address.

If someone were able to get access to the domain name (e.g. through social engineering my registrar) they could change the MX records such that I would not be notified of any transfers, etc.

Similarly, if I've enabled Registry Lock and I mess up my DNS records. I might be unable to verify my identity as I'd be unable to receive any emails related to that verification.

So it seems to me I'd be better of using a generic email provider like Gmail and just use [email protected] for my registrar account (e.g. Namecheap) and registrant details (details of the domain name owner).

Is that a fair assesment? I'm curious to hear how others approach it and whether it would make sense to e.g. use different emails for the different types of domain contacts (registrant, technical, etc).
 
3
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
Any setup is going to have potential issues, but I would at least suggest your account email is different than your WHOIS email.

Brad
 
5
•••
As someone who recovers stolen domain names, I can tell you that you absolutely should never use an email address that is using the same domain. So on the whois record of namepros(.com) you should NOT be using something like bill@namepros(.com) as the email address contact.
Also, is you use another domain name's email, make sure that you never let THAT domain expire, as you're most likely going to lose all the domains you use with that email. So, if you use bill@namepros2(.com) as your contact email for namepros(.com), never let namepros2(.com) expire.
About 75 percent of the stolen domain cases that we get involve some sort of hack of an email account. Gmail is hacked ALL THE TIME and is a huge issue. If you must use a gmail account, absolutely make sure that you lock down that Google account using Google Advanced Protection .
 
10
•••
As someone who recovers stolen domain names, I can tell you that you absolutely should never use an email address that is using the same domain. So on the whois record of namepros(.com) you should NOT be using something like bill@namepros(.com) as the email address contact.
Also, is you use another domain name's email, make sure that you never let THAT domain expire, as you're most likely going to lose all the domains you use with that email. So, if you use bill@namepros2(.com) as your contact email for namepros(.com), never let namepros2(.com) expire.
About 75 percent of the stolen domain cases that we get involve some sort of hack of an email account. Gmail is hacked ALL THE TIME and is a huge issue. If you must use a gmail account, absolutely make sure that you lock down that Google account using Google Advanced Protection .

How about using 2FA at Gmail? Have any experience your client's Gmail getting hacked while using 2FA?

Thank you!
 
0
•••
How about using 2FA at Gmail? Have any experience your client's Gmail getting hacked while using 2FA?

Thank you!
If you have a gmail account, then you have a Google account (most likely). I can tell you that many, many gmail accounts get hacked and the 2FA is turned off.
The ONLY way that you could securely using a gmail account would be to have Google Advanced Protection set up on the account (which uses additional security from Google but also requires the use of the Yubikey that Google sends you.
 
2
•••
I am strongly against to 2FA.
2FA just doubles the chances of losing something. If you lose one of those 2 factors, noboby will help you because they will tell you 2FA was your choice.

Use strong passwords with 100+ bits entropy preferably on an opensource software such as keepass and replace your passwords periodically. That's not enough. Your computer has to be secure, free from viruses and malwares. So you must be familiar with linux if you want top security with your online accounts. Lastly, you must to take backups of your passwords and other important files peridocially. If you do all these, you can get rid of 2FA headache and in fact you should.
 
2
•••
As to secure email, just register a domain for the max period (10 years), use it for important emails, never sell it and make sure it will not drop.. Don't rely on domains of others.
 
Last edited:
1
•••
A few generic tips. Make your own decisions... Use own domain(s) only. Host emails for those domains where 2fa is available, not necessary google or microsoft. There are a lot of recommendations in the net how to select email provider for own domain. Some do care about privacy on the 1st place. While this may be good for extra privacy (yeah, Snowden recommends...!) - such providers are frequently attacked, and at least one closed the doors already - but you need security and stability of technical emails, nothing more. You are not a whistleblower. So, select the email provider(s) carefully. Use different emails for whois and for registrar account. Make sure that the domain (or domains) of your emails are not registered with this registrar. Think twice before enabling imap/pop3 (which is necessary for email software like apple mail) - these protocols do not support 2FA by design. The last but not the least, stop using Windows. And, do not forget - if you own good domains, you WILL become subject of cyber attacks, earlier or later...
 
Last edited:
1
•••
Similarly, if I've enabled Registry Lock and I mess up my DNS records. I might be unable to verify my identity as I'd be unable to receive any emails related to that verification.

registry (transfer) lock has nothing to do with DNS and emails. It only makes difficult to transfer domains to other registrars.

You may not receive emails for various reasons. Those reasons will be more and very difficult to solve if you use third party email providers which you don't have any control over them.

The reasons of not receiving emails to your domain will be related to
1- Low quality hosting that goes offline frequently
2- wrong settings at DNS or email box (spam protection, quota, etc)

As you see, those issues are easy to fix if you use your own domain and email hosting.
 
0
•••
I am strongly against to 2FA.
2FA just doubles the chances of losing something. If you lose one of those 2 factors, noboby will help you because they will tell you 2FA was your choice.

Use strong passwords with 100+ bits entropy preferably on an opensource software such as keepass and replace your passwords periodically. That's not enough. Your computer has to be secure, free from viruses and malwares. So you must be familiar with linux if you want top security with your online accounts. Lastly, you must to take backups of your passwords and other important files peridocially. If you do all these, you can get rid of 2FA headache and in fact you should.

I don't think that's correct.
Once my mobile broke which contained 2FA so I was unable to access it. So the registrar had provided me with one time backup code which I was unable to find it.

I called from the same registered number with a different mobile phone and explained the situation. They asked me to send some govt IDs and all as well as called me on my registered phone number to get some more verbal verification before they let me access my account without 2FA.

I believe there is always a backup method to access your registrar. Just need to choose the right one.
 
0
•••
registry (transfer) lock has nothing to do with DNS and emails. It only makes difficult to transfer domains to other registrars.

You may not receive emails for various reasons. Those reasons will be more and very difficult to solve if you use third party email providers which you don't have any control over them.

The reasons of not receiving emails to your domain will be related to
1- Low quality hosting that goes offline frequently
2- wrong settings at DNS or email box (spam protection, quota, etc)

As you see, those issues are easy to fix if you use your own domain and email hosting.

Registry lock is not the standard transfer lock. With .COM for instance registry lock is provided by Verisign, and it makes it virtually impossible to make any changes to the domain (contact info, DNS, transfer, etc.)

https://www.verisign.com/en_US/channel-resources/domain-registry-products/registry-lock/index.xhtml

It is generally used mainly by large brands.

Microsoft.com for example -

Domain Status: serverDeleteProhibited
Domain Status: serverTransferProhibited
Domain Status: serverUpdateProhibited

Brad
 
Last edited:
0
•••
I don't think that's correct.
Once my mobile broke which contained 2FA so I was unable to access it. So the registrar had provided me with one time backup code which I was unable to find it.

I called from the same registered number with a different mobile phone and explained the situation. They asked me to send some govt IDs and all as well as called me on my registered phone number to get some more verbal verification before they let me access my account without 2FA.

I believe there is always a backup method to access your registrar. Just need to choose the right one.

If you go that much further, you can recover bank account or even your lost passport. In my opinion everyone has to avoid at all cost to provide ID documents and various personal details to any website. The risk of sharing those documents and personal info is extremely high. We can lose passwords, mobile phone. They can lose our identity, ID documents, personal info which could then be sold by illegals to illegals.
 
Last edited:
1
•••
Registry lock is not the standard transfer lock. With .COM for instance registry lock is provided by Verisign, and it makes it virtually impossible to make any changes to the domain (contact info, DNS, transfer, etc.)

https://www.verisign.com/en_US/channel-resources/domain-registry-products/registry-lock/index.xhtml

It is generally used mainly by large brands.

Microsoft.com for example -

Domain Status: serverDeleteProhibited
Domain Status: serverTransferProhibited
Domain Status: serverUpdateProhibited

Brad

I know. But the OP talks about ENABLING registry lock. You talk about the registry lock that is set by the registry. As you know, registrant will not want his/her domains to get locked, may want transfer lock.
 
0
•••
https://www.verisign.com/en_US/channel-resources/domain-registry-products/registry-lock/index.xhtml
... is what offered by some (but not all) registrars for a fee. three-figures amount per year or so. I've seen some China-connected (legitimate) domains/registrars actively using this, as well as famous brands managed by Markmonitor and other corporate registrars. Also, Verisign would lock "bad" domains with Server..Something..Prohibited for free if ordered to do so by a competent authorty. Afaik...
 
Last edited:
0
•••
If you go that much further, you can recover bank account or even your lost passport. In my opinion everyone has to avoid at all cost to provide ID documents and various personal details to any website. The risk of sharing those documents and personal info is extremely high. We can lose passwords, mobile phone. They can lose our identity, ID documents, personal info which could then be sold by illegals to illegals.

That's why it's very important to keep your domains at a very reliable registrar.
 
0
•••
That's why it's very important to keep your domains at a very reliable registrar.

All registrars are more or less reliable. The bigger problem is the users who lose their login details. All registrars are more or less the same for those who never lose their login details.
 
Last edited:
0
•••
Back