Email account to use for company domain registration account?

Question

Domain registration is a very important part of security. If a domain is stolen, all emails in this domain becomes accessible so an attacker could use I forgot my password feature on many website or cloud service and login very easily. Often even bypassing MFA authentication.

Being developers, I want to say that we are very new to server administration. For example, we mostly use highly managed solutions like Appengine and Firebase. So my question could be an easy one to answer. Our company is also very small (less than 5 employees now).

Let's say a company as a domain at example.com and have all the cloud server infrastructures at AWS and GCP managed by accounts linked to emails of this example.com domain.

Is it a good practice to also register the example.com domain let's say at CloudFlare, AWS or GCP using a email account of example.com. What email account should be use to register example.com domain? Does it cause a problem if it is an email account of the actual registered domain?

Using a personnel email account not linked to company domains is not a good idea in my opinion since someone could leave the company.

Should another domain used for administration should be bought or just using the example.com domain emails for domain registration of example.com domain is ok? What do you think about this?

Answer 1

There is a little catch-22 when you initially register a domain example.com : often the registrar will send emails to the person doing the registration and when you use person@example.com to sign up such messages can't be delivered, because that's a new domain that does not yet exist and has email been not set up yet.

So possibly you're more or less required to use an existing e-mail address from a different domain initially.

IMHO it depends a bit on what that initial address is if you should want to later change the contact email addresses to an email address in the example.com domain.

If your organisation already operates their own domain example.org and you used contact@example.org when registering example.com as secondary domain: I'd leave it be.

When you used a personal e-mail account from outside your organisation, i.e. a Hotmail or Gmail account: then I would change that to domainadmin@example.org or similar after your mail server/service has been set up. That domainadmin can then become an alias for a personal mailbox, that in the future can transition to their replacement, or a functional mail box for example.

Mandating the use of email addresses in your own domain(s) for all business communication, sign-ups and registrations allows you to get access to mailboxes from people that fall ill or leave the company and similar use-cases.
In your own domain domain you can re-enable mailboxes from leavers or configure mail forwarding when necessary as well i.e. when you find out that a provider will send a verification email to bob@example.com when Bob already left years ago.

Often the email address is used for access recovery and access to the business mail address will also allow the company to recover access in relevant use-cases.

You might want to document that in your employee handbook or similar BTW. (There are obviously privacy implications.)

Related: https://serverfault.com/a/1062750/37681

Answer 2

To register the domain initially, I use my company email, not my personal one. After the domain is set up, I forward the admin@example.com to whoever is going to be looking after it. And then change the registered email to that.

Note that many verifications automatically go to admin@example.com, so you need to monitor it.