105

Let's assume I have a server set up with an email address like [email protected]. Now I have distributed my business card with the e-mail address to all people all over the world and they keep sending me confidential emails. But now I don't feel like paying for the domain mydomain.tld anymore.

Now if someone buys the domain and creates a mx record pointing to the his own mail server he can read all my confidential emails the people are sending me right?

No, I can't tell them to stop sending confidential mails because I can't contact them.

Are there ways to prevent that or is the only option I have is to pay for the domain until I die?

Improve this question
12
  • 7
    About $14. Still pretty much for a student. But thanks for your answer. I'll probably pay for it another 5 years and then I'm gonna let it expire.
    – Skiddie Hunter
    Commented Jan 3, 2019 at 5:47
  • 71
    $14 a year is nothing. Paying $140 over a period of 10 years is nothing (you won't be a student forever!). Forgo a cup of coffee during one day only once every three months and it'll pay for itself indefinitely.
    – forest
    Commented Jan 3, 2019 at 5:49
  • 24
    Have you considered paying for a few more years and setting an "out of office" or "vacation auto-reply" saying that the domain will be dead after X years? That's what I did with my Gmail account when I divorced Google. It won't guarantee 100%, but how many people are likely to not contact you for 5 years, then suddenly do so after that? I guess it depends if this is a real life question or just academic.
    – Mawg
    Commented Jan 3, 2019 at 14:42
  • 20
    @SkiddieHunter For sending credit card information e-mail was never an advisable choice. A website should use HTTP GET/POST over TLS for exchanging credit card information. And for a side business while you're a student, you really should probably use something more like PayPal where you never need to know or touch customers' credit card info at all. Even if you continue to own the domain, e-mail has never been a secure way to exchange information. It's generally unencrypted and viewable by anyone anywhere along the transmission path. Also, SMTP is about 37 years old, not over 50. :)
    – reirab
    Commented Jan 3, 2019 at 16:34
  • 22
    @SkiddieHunter: Re: "Why hasn't e-mail been abolished and replaced by something newer and better that is, for example, based on security?" How do you expect to retain ownership of an identifier by which you can be reached without some sort of system equivalent to domain registration, in a way that's permanent across decades? Email addresses at domains registered 25+ years ago are still accessible. Do you honestly think you'll get that from anyone offering privately-controlled joke-of-a-service stuff intended to replace email?
    – R.. GitHub STOP HELPING ICE
    Commented Jan 3, 2019 at 23:15

8 Answers 8

Reset to default
132

Now if someone buys the domain and creates a mx record pointing to the his own mail server he can read all my confidential emails the people are sending me right?

If they register the domain name, they will receive all email being sent to it from that point on. They will not have retroactive access to previously sent emails. There is nothing to fundamentally prevent this.

Are there ways to prevent that or is the only option I have is to pay for the domain until I die?

You can request that all contacts to you encrypt their communications with PGP using your public key, which will prevent anyone who obtains the domain later from reading new messages, but it requires people actually use PGP, which may not be likely if you are distributing the address to average people in a business card. However, if you maintain or at least renew the domain for, say, 20 years, then what are the chances that anyone is going to seriously send an email to such an ancient address?

I asked the question on the Law Stack Exchange whether or not there would be any legal recourse to someone using your domain, and the answer was no: https://law.stackexchange.com/q/35917/15724

Improve this answer
14
  • 3
    Unless OP already happens to have one, registering a trademark costs a lot more than registering a domain.
    – Federico Poloni
    Commented Jan 3, 2019 at 9:53
  • 5
    @FedericoPoloni You do not need to explicitly register a trademark. Just use the trademark symbol (™) next to a logo or phrase and you will get a certain level of protection in many countries. However, getting a registered trademark (®) does cost money. Lack of a registered trademark might, however, prevent you from seeking damages under 15 U.S. Code § 1117 in the USA, and protections would be weaker. See also here.
    – forest
    Commented Jan 3, 2019 at 9:55
  • 7
    Trademark protection against other people registering a domain has its limits. It will work against lego.newtld as Lego is a world wide brand and a registered trademark, though they might have to claim it when newtld is created to be sure to have it. It might not work with speterson.com, even if there is a company called Speterson with a trademark. If Steven Peterson registers it and uses it for something that is not in conflict with that trademark the Speterson company will not have an easy case.
    – Bent
    Commented Jan 3, 2019 at 10:21
  • 6
    "They will not have retroactive access to previously sent emails." That statement should come with a bit of a caveat. Suppose OP has a webmail account somewhere, which is tied to this domain for password recovery purposes. Unless OP makes very sure to remove that e-mail address from the webmail account recovery process, having control of the domain may allow an attacker to take control over the webmail account, thus enabling access to any old e-mails stored in the webmail account. Now, is this a particularly likely scenario? I'd say no. But it's possible.
    – user
    Commented Jan 3, 2019 at 16:28
  • 4
    @hiburn8 That is incorrect. There is a domain name dispute process specifically for cases like that, and bad-faith use of a domain (selling fake lego from lego.com, for example), is explicitly a reason for a domain name to be taken away from its current owner.
    – mbrig
    Commented Jan 3, 2019 at 20:25
55

As others already mentioned: Yes keeping a domain name is the only way to be sure that nobody is going to receive emails sent to there.

That being said:

Just keeping a domain is often cheaper than using it

Of course everything depends on the provider, but as I understand you currently have currently more than 1 service (domain name, redirect?, email server?, hosting space?).

When your only objective is to prevent others from receiving your emails, it is sufficient to only renew the domain name, and you can avoid the costs for any further service.

Improve this answer
23

Assume someone will definitely buy your domain, as domain crawlers try to lock and resell, overpriced, domain names that people forget to renew. An MX record is not required in order to have mails delivered somewhere.

Thanks to @Criggie, if an MX record is not set, the Mail Transfer Agent will try to point to the root A record for that domain and open a connection to its port 25. So, the web server responding for the new buyer must also be capable of mail server.

Now, we need to estimate the odds that someone will effectively monitor the email address(es).

In my personal opinion, unless you are a person worth to target by a human interest, the best that the buyer company will do is just crawl sender email addresses for unsolicited bulk advertising purposes, namely spam. Not to inspect the real contents.

Update: non-scientific statistics

I tried to ping 5 of the domains I owned in the past. Out of them, one has been purchased in 2015 by what looks like to be a business whose name is meaningful to domain name, and they have set an MX record. The other 4 are not existent.

Are there ways to prevent that or is the only option I have is to pay for the domain until I die?

Use a long-term grace period

That means gradually decommission that domain. Keep it for now, e.g. renew for 2 years, but perhaps establish an auto-responder (or auto-refusal) email like

Greetings,

the email address [email protected] will be decommissioned by [2 years from now]. I kindly ask you to update your address book and send the email again to [email protected].

For the privacy of both, it is important that you kindly implement this change as soon as possible

The last sentence explains the matter but is hard to understand for non-security-expert users.

I would expect emails sent to mydomain.tld will gradually decrease over time. Do not forget to update your business cards immediately and start using the new ones.

Eventually, there could still be someone, hopefully a handful, using your old email address after the grace period expires. What to do?

This is where maths come: put on a scale the total cost of lifetime ownership of the old domain name versus the economic losses that YOU will suffer in case a confidential mail is revealed to someone unauthorized. I said YOUR losses because if your customer/sender is a jerk and keeps sending sensitive material to the wrong address it may not be your business.

Comment

I don't personally like this question from the very beginning. ISPs, including the sender's, have full access to plaintext emails, some may be required by law to keep ("data retention") record for months or years. In the very end, plaintext email is not the best option to deal with sensitive contents.

Eventually, we trust major ISPs to protect our privacy. We trust them to...

Improve this answer
2
  • 2
    It's true that plaintext email is far from ideal, but at least it requires an active attack or a position of privilege to access the contents. But anyone can register a domain once it has expired and been released.
    – forest
    Commented Jan 4, 2019 at 21:26
  • Note if a domainname's nameserver doesn't reply with a specific MX record, then MTAs are supposed to try a connection to the root A record of the domain, if it has one. A domain squatter will frequently point the root domain and the www. host at a webserver as advertising.
    – Criggie
    Commented Jan 5, 2019 at 10:27
14

Loss of domain name is actually one of the biggest security vulnerabilities that I see "in the wild".

It may not rate a symposium topic at Blackhat, but the threat has a gigantic surface area and high business impact, and is at the top of the list when I am briefing a small organization's Board of Directors.

So, if you're serious about a domain name, plan to keep it for life. If you're not serious about a domain name, don't put your email on it. That simple.

Don't treat your (serious) domain like an annual subscription

Domains can be pre-registered out up to 10 years ahead. My own domain expires in 2025, so I'm getting sloppy. :) Long before that I will revisit it and push it out to the max again. When I survey small businesses for domain expiry, I find only about half are set to expire more than 2 years out.

Domains are marketed in a way that encourages you to treat them like a magazine subscription or a Netflix membership, thinking they can just renew at any time. They lapse, and return a month later and find someone else has registered the domain for its cash value.

This problem is often caused by people bundling their domain name registration with their web hosting. Domains are a measly $12/year. They are often "tossed in for free" with an expensive $180 to $600+ hosting plan. That's great for the web hoster, as he controls your domain and can ransom it if there's a billing dispute such as a $2000 bandwidth overage due to blowing up on social media. If you lapse the web hosting for the wrong 30 day period, the domain can be gone for good. The hoster doesn't care and why would they sink money into registering it out a day longer than necessary?

How they profit by poaching domain names

When you let your domain lapse, and the grace period ends, in milliseconds it gets pounced on by at least a dozen different actors' automated scripts, all trying to do the same thing. Here's what it gets them.

  • The ability to monetize (drive ads on) the organic traffic (links and bookmarks) to your web site, as well as any Google/Bing traffic while that holds.
  • to benefit from the PageRank and other metrics which your site earned with search engines over the years. In the link economy of the Web, a link from a reputable site is worth its weight in gold. Web spammers use this to boost their spammy, scammy or lousy sites.
  • To trick Google by directly hosting their junk content on your domain name.

  • To attack organic/search visitors to the site with malware, Flash or PDF exploits, etc. They typically use older exploits to target people who don't keep their system updated.

    • One small company lost a site which reappeared with its earlier content. Really. The goal was to convince Google the previous owner was still in reputable control, because (they assumed) Google knew to watch for sudden content changes. A few pages were added advertising Acai Berry pills. See how this works? The site outranked the company's new real site for several years.* Normally web-spammers operate on a much larger scale than this with thousands of doorway pages, but this guy was small potatoes.

  • To intercept email to your site simply to harvest email addresses.

  • To use their control of your email to do password resets/gain control of your web accounts. They will discover your accounts at at smaller, less protected vendors when those vendors send their routine promotional emails.
  • To sift through human email to your site looking for opportunities for con games or social hacks.
Improve this answer
9

Yes, the scenario described is possible. As an example, it happened to Google in 2015 when they lost control of google.com, and Microsoft back in 2003 with hotmail.co.uk. Those domains got bought. For Google's case:

...He also received emails with internal information, which he has since reported to Google's security team, Ved said.

...His run of Google.com was short-lived though. Google Domains canceled the sale a minute later...

For Microsoft, who lost control of a domain for an email service, possibly putting thousands in the situation described:

[Microsoft] managed to contact hotmail.co.uk's new owner, grovel at their mistake and sort out the mess. By all accounts, hotmail.co.uk will be returned in a few days.

The only way to be sure that confidential emails don't leak is to own the domain indefinitely. However, as mentioned by usr-local-ΕΨΗΕΛΩΝ, you could balance your possible loss if a confidential email leaks versus the cost of owning the domain for a long time.

Practically, what you could do is replace your emails with the expiring domain on sites that you registered on. Also, inform your contacts to eschew your old email (or domain, or both).

As an additional step, hold on to the domain for a year or five and deliberately blackhole your MX records, so that senders who didn't get (or could not get) the memo would be greeted by errors. For Gmail, a sample would be

Gmail - Message not delivered

Improve this answer
4

Yes, the new owner will be able to receive and read all your email. The only way to avoid this is to continue paying for the domain. It is not necessary to keep hosting - only pay the domain. If you prepay for 10 years, the price will be about $90 or less for .com domain. It is important to remember the expiration after 10 years and the password. If the domain is not com/net/org, the price will be higher.

Improve this answer
3

Are there ways to prevent that or is the only option I have is to pay for the domain until I die?

Depending on who is hosting your email, you maybe able to setup an auto-responder.

Usually some kind of vacation responder is available. Either that or rule/filter can be the same thing.

If new email arrives reply "this account is no longer active please redirect your emails to ....." or "this is services is no longer available please discontinue sending emails"

Same thing with vacation responder.

https://www.rfc-editor.org/rfc/rfc1846

521 does not accept mail (see rfc1846)

I don't know if you can configure your mail server to do a 521 response or not.

Anyway after about a year of this everyone should get the idea and stop sending emails.

Improve this answer
1

All the technical stuff has already been answered, but just to put a slightly different slant on it...

If you move house, you get your postal mail redirected to your new place, but not indefinitely. Eventually you have to assume that anyone important knows where you live and can send you mail there. And that if they don't then mail sent to the old address can potentially be opened by someone else.

I'd suggest it's the same with old domains - change your reply-to address so that it's the new domain, keep the old one for long enough to be able to reply to anyone sending you mail there, and put some effort into contacting everyone you want to stay in touch with.

Eventually, the mail sent to the old domain will trickle to nothing, and at some point along that way, you'll be happy to stop re-registering the domain.

If that point never comes, then you'll have to keep the domain forever, as others have said.

Improve this answer
1
  • Anecdatum: I did receive paper mail intended for the prior residents of my current home for at least ten years after they left, a few every year. After about five years I didn't bother returning it to USPS and just discarded it.
    – dave_thompson_085
    Commented Jan 10, 2019 at 11:14

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .