To Use or Not to Use a Custom Email Domain
Greg Schaffer
Servant - SMB Advisory CISO - vCISO - Author - Podcast Host - SME Contributor - Mentor - Entrepreneur - Owner vCISO Services, LLC and Second Chance Publishing, LLC - CISO Novelist - Veteran
A few weeks ago I received an unsolicited email to help enhance my Search Engine Optimization (SEO) for one of my web sites. Honestly, I don't remember which site, because I didn't get much past the fact that this solicitation came from a Gmail email address.
First, let me state my view for context. I have run two businesses for many years - an information security consulting firm for seven, and an independent publishing firm for eleven. In both cases, one of the first steps I took, if not the first, was to register a custom domain for each. I have always thought of this as a basic business necessity. It's a very low cost of doing business and it provides an initial sense of professionalism that a public email address (e.g., gmail.com, outlook.com, and even AOL.com) cannot convey.
I thought that everyone who was serious about starting a business did this. Yet that SEO offering was the latest in a string of unsolicited emails from self-professed firms (not individual subject matter experts) with these generic, public email addresses. I was unsure how my view aligned with others, hence this poll.
The Poll
I created a poll in a post reflecting what I was thinking in the moment (screenshot below).
In the poll, I neglected to add "and similar public email addresses", an omission which did cause some confusion. The poll categories and their results are below.
I was somewhat surprised that the aggregate of "yes" responses wasn't higher, and that nearly half saw no issue with using such email addresses. But, as the comments came in, I realized a significant flaw in my poll. I was not clear that my intent was focused on businesses, not individuals. Several responses indicated an incorrect assumption that I considered such addresses inappropriate for other professional communications, such as applying for a position. I absolutely do not support that.
Others thought I was dismissing the usefulness of Gmail completely, which was also not my intent. I was focused solely on email addresses with the public email domain. One can easily procure a custom domain and leverage a Google account to include emails with the custom domain name.
A few thought I was advocating for standing up a self-hosted email server. For most SMBs, that's simply not a good alternative. The administrative and potential security tradeoff, not to mention the needed skill set, is not worth it. As one response put it, "Interesting subject, think some have missed the point with the custom domain. Not a question of having to host email services. Just simply using a custom domain."
These issues likely had a significant effect on the poll, skewing more votes to the No option. They also reminded me of the need to be as precise as possible when constructing a poll. The effect was particularly magnified in this one, which went somewhat viral with over 400,000 impressions and 5,000 responses.
SMB Considerations
What does this mean for small and midsized businesses? As I was crafting the poll I realized there are also significant information security implications of using generic domain addresses. A simple one is they are more likely to be caught in a spam filter.
Conversely, as one response noted, generic domain addresses are also much easier to impersonate, or, I would clarify, perhaps to give the impression of impersonating, for scamming or phishing. Another respondent expanded on this: "One of my personal concerning scenarios when dealing with gmail accounts/addresses. Anyone can impersonate your address scheme. From my outsider POV company-user-1@gmail is going to hold the same weight as company-user-54@gmail."
A potentially more impactful outcome is how difficult such addresses are to defend against. From one response, "It’s easier for the authorities to shut down a scammer’s domain and/or folks to blacklist them than to do the same for bogus gmail (or similar) accounts." For that reason, many organizations opt to ban or heavily restrict public domain email addresses. Conversely, it's easier to manage whitelisting by domain than by individual email addresses.
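The domain-level handling described in the last two paragraphs, as an added example that is not part of the original article: a sender policy in which one allowlist entry covers a whole custom domain, while public mailbox domains are restricted and need an entry per address. The `.example` domains, the allowlisted address and the verdict names are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed policy data for illustration (assumptions, not from the article).
PUBLIC_MAILBOX_DOMAINS = {"gmail.com", "outlook.com", "aol.com"}
BLOCKED_DOMAINS = {"scam-offers.example"}           # one entry blocks a whole domain
ALLOWED_DOMAINS = {"partner.example"}               # one entry trusts a whole domain
ALLOWED_ADDRESSES = {"known-contractor@gmail.com"}  # public mailboxes: one entry each


def split_sender(from_header):
    """Return (address, domain) normalised to lower case, or (None, None)."""
    _, addr = parseaddr(from_header)
    local, sep, domain = addr.strip().lower().rpartition("@")
    domain = domain.rstrip(".")
    if not sep or not local or not domain:
        return None, None
    return f"{local}@{domain}", domain


def in_domain_set(domain, domain_set):
    """Match the domain itself or a true subdomain, never a bare suffix."""
    return any(domain == d or domain.endswith("." + d) for d in domain_set)


def classify(from_header):
    """Verdict for a From header: reject, block, allow, restrict or deliver."""
    addr, domain = split_sender(from_header)
    if addr is None:
        return "reject"        # no usable address in the header
    if in_domain_set(domain, BLOCKED_DOMAINS):
        return "block"
    if addr in ALLOWED_ADDRESSES or in_domain_set(domain, ALLOWED_DOMAINS):
        return "allow"
    if domain in PUBLIC_MAILBOX_DOMAINS:
        return "restrict"      # every unknown mailbox here gets the same verdict
    return "deliver"           # unknown custom domain: normal filtering applies


if __name__ == "__main__":
    for sample in ("Acme Sales <company-user-1@gmail.com>",
                   "company-user-54@gmail.com",
                   "Ann <ann@partner.example>",
                   "eve@notpartner.example"):
        print(f"{sample!r:45} -> {classify(sample)}")
```

The two `company-user-N@gmail.com` senders receive the same verdict because nothing at the domain level separates them, which is the respondent's point about public address schemes.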
Additionally, as one respondent noted, "You should always own your email address (business and personal). If tomorrow you're not happy with Google's privacy policy or they decide to boot you for whatever reason, you can take your custom domain elsewhere (just point your MX records to the new provider)..."
Several made the case that for small businesses not involved with information security or technology such addresses may be appropriate. I agree with this to an extent. For example, for contractors who have performed work on our house, when there was a non-custom email address it didn't concern me.
Still, there is perception to consider. As one put it, "In my opinion you are representing your brand, represent it and be proud of it!" But others pointed out that while not expensive, for SMBs already with razor-thin margins, funds for custom domain names may be better directed elsewhere.
What's the best direction? Perform a risk assessment. Does your business and brand stand to benefit from a custom domain or not? List the risks both pro and con for your business, using available resources including the information presented here as a guide, because there is no one size fits all. But you, as the SMB owner or executive, need to be informed of the risks of all options to make that decision.
Songwriter, Composer, Arranger and Producer in the Wirral
8 months ago
I have a number of personal email addresses, both connected to businesses and not. My husband and I regularly have our domain-based email addresses rejected when we try to use them for personal purposes, for setting up personal shopping accounts and the like. Mine gets refused less, quite oddly, and I don't know if it's because the domain contains my actual name. Weirdly, my husband has his email address turned down more often - it contains a domain which is a company name. It is forcing him to use gmail accounts and to duplicate his correspondence. Is this just a symptom of the stranglehold Google has over UK business/commercial activity? I don't know.
Expert Risk and Compliance Advisory and Consulting
11 months ago
Thought-provoking post. Thank you.
Retired IT-Constitutional Libertarian-God & Family *Shepherds-eat-sheep*
12 months ago
If addressing a customer or vendor, use a custom URL. It's unprofessional to use that URL when addressing a friend, agency or government official on a personal matter. An old-fashioned URL like AOL.COM indicates obsolete tech understanding.
2X #1 Best Selling Featured Author | Technology Swiss Army Knife | BizOps Alchemist | Just-A-Guy-as-a-Service |
12 months ago
Domain MX can be hosted anywhere, and be spoofed just as easily, with the owner identity concealed by proxy of the registrar. Your security concerns can be equally applied both ways. At the end of the day, it's a communication tool that does what it's intended to do. You're certainly entitled to having an opinion, and whom you choose to do business with. The arguing points here fall flat to me due to the counterpoints I mentioned.