Neither, the correct one is, email-marriott.com.... Last week there was a monstrous data breach. In response the company sent out millions of email warnings. Problem being it was a bad response without a proper domain strategy and put millions at risk for a second time. Small and large companies alike should always consider a proper domain strategy as part of their cybersecurity strategy. From: TechCrunch https://techcrunch.com/2018/12/03/marriott-data-breach-response-risk-phishing/ "One problem: the email sender’s domain didn’t look like it came from Marriott at all. Marriott sent its notification email from “email-marriott.com,” which is registered to a third party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate — the domain doesn’t load or have an identifying HTTPS certificate. In fact, there’s no easy way to check that the domain is real, except a buried note on Marriott’s data breach notification site that confirms the domain as legitimate."