
What would be a universal solution to this problem? The only thing I can really think of is platforms not allowing custom domains for connected email accounts, but that seems sub-optimal.


If you deliver email to a customer and you notice that it bounces, any account security flows requiring access to that email should be disabled. Additionally, you should never show the full email address or phone number that is being used for an auth challenge. Nonetheless, those defenses will eventually be compromised.

Beyond that, it is not a company problem IMO. One of the most common uses for custom domains is custom email addresses. If a website prevented me from using it, as you propose, I would be flabbergasted.
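The two defensive measures in the comment above (disable email-based recovery once delivery to that address is known to fail, and never echo the full address or phone number back during an auth challenge) as a small added example. This is illustrative code written for this thread, not anything the commenter or any platform published; the account record, the bounce thresholds and the masking format are assumptions. The soft-bounce window is there so that a single intermittent delivery failure, common on custom domains, does not by itself lock the user out of recovery.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed in-memory account record; a real system would back this with a database.
@dataclass
class Account:
    user_id: str
    email: str
    phone: Optional[str] = None
    email_undeliverable_since: Optional[datetime] = None
    soft_bounces: List[datetime] = field(default_factory=list)

# Assumed policy: one hard bounce (mailbox or domain gone) is decisive; soft bounces
# (full mailbox, greylisting, transient DNS trouble) only count once they repeat
# within a window, so one flaky delivery does not disable recovery on its own.
SOFT_BOUNCE_WINDOW = timedelta(days=7)
SOFT_BOUNCE_THRESHOLD = 3


def record_bounce(acct: Account, kind: str, when: datetime) -> bool:
    """Apply a bounce notification; return True if the address is now flagged undeliverable."""
    if kind == "hard":
        acct.email_undeliverable_since = when
    elif kind == "soft":
        acct.soft_bounces = [t for t in acct.soft_bounces if when - t <= SOFT_BOUNCE_WINDOW]
        acct.soft_bounces.append(when)
        if len(acct.soft_bounces) >= SOFT_BOUNCE_THRESHOLD:
            acct.email_undeliverable_since = when
    else:
        raise ValueError(f"unknown bounce kind: {kind!r}")
    return acct.email_undeliverable_since is not None


def record_delivery_confirmed(acct: Account) -> None:
    """Clear the flag only after the user proves control again (e.g. by clicking a fresh
    confirmation link); a send that merely did not bounce is not proof the right person got it."""
    acct.email_undeliverable_since = None
    acct.soft_bounces = []


def mask_email(addr: str) -> str:
    """Show the first character of the local part and the top-level domain only; the
    domain itself is exactly what someone hunting for takeover targets would want to see."""
    local, _, domain = addr.partition("@")
    tld = domain.rsplit(".", 1)[-1] if "." in domain else ""
    return f"{local[:1]}***@***.{tld}" if tld else f"{local[:1]}***@***"


def mask_phone(number: str) -> str:
    """Keep only the last two digits of the number used for the challenge."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "*" * max(len(digits) - 2, 0) + digits[-2:]


def request_password_reset(acct: Account) -> Tuple[bool, str]:
    """Gate the email-based reset on deliverability state.
    Returns (allowed, message); the message carries the masked address, never the full one."""
    if acct.email_undeliverable_since is not None:
        return (False, "email recovery disabled: address undeliverable; use another verified factor or contact support")
    return (True, f"reset link sent to {mask_email(acct.email)}")


def run_demo() -> Dict[str, object]:
    """Walk one account through three soft bounces within a week, then re-verification."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account("u1", "jane.doe@example.com", "+1 555 010 1234")
    out: Dict[str, object] = {"before": request_password_reset(acct)[0]}
    out["after_two_soft"] = (record_bounce(acct, "soft", t0),
                             record_bounce(acct, "soft", t0 + timedelta(days=1)))
    out["after_third_soft"] = record_bounce(acct, "soft", t0 + timedelta(days=2))
    out["reset_while_flagged"] = request_password_reset(acct)[0]
    record_delivery_confirmed(acct)
    out["reset_after_reverify"] = request_password_reset(acct)
    out["masked_phone"] = mask_phone(acct.phone or "")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

A hard bounce from a dead domain and a third soft bounce inside the window both land the account in the same state: the reset email is not sent and the user is pointed at another verified factor or at support, which is where a human can look at what actually happened to the domain.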


I think you underestimate how often there are intermittent mail delivery failures, especially for custom domains.


On the user-side, using private email relays (i.e. Apple's Hide My Email, AnonAddy, etc.) mostly eliminates this issue.


Instead of blocking custom domain email addresses outright, the site could require a secondary recovery email address from an approved provider when an email with a custom domain is used to create the account. Then any security interaction like password reset, or 2FA would go to the primary address and would send an alert to the secondary email address about the nature of the communication. There could be a link in the email (sent to the secondary email address) that could allow the user access to instantly lock the account and/or disable access to the account from the primary email address until the user updates their settings. The secondary recovery email address should not be able to be changed without an email confirmation (to the secondary email).

Good practice for users in general is to use email services like gmail as their login/account email and add their custom domain emails in their bio.
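The mechanism proposed in the comment above, worked through as an added example (not the commenter's code, nor any real site's): a reset request mails the primary address and simultaneously alerts the secondary with a single-use lock link; using that link freezes the account and invalidates any reset link still in flight; and changing the secondary address only takes effect after a confirmation sent to the old secondary. Token storage, the outbox stand-in for an MTA and the "approved provider" addresses are all assumptions of this sketch.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user_id: str
    primary_email: str           # may be on a user-owned custom domain
    secondary_email: str         # recovery address at an "approved provider" (assumed, per the post)
    primary_recovery_enabled: bool = True
    locked: bool = False
    pending_secondary: Optional[str] = None


class RecoveryService:
    """Constructed service: instead of handing mail to an MTA it appends
    (recipient, purpose, token) to self.outbox so the whole flow can be inspected offline."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, str]] = {}   # token -> (user_id, purpose)
        self.outbox: List[Tuple[str, str, str]] = []

    def _send(self, to: str, user_id: str, purpose: str) -> str:
        token = secrets.token_urlsafe(24)                # unguessable and single-use
        self._tokens[token] = (user_id, purpose)
        self.outbox.append((to, purpose, token))
        return token

    def _consume(self, token: str, user_id: str, purpose: str) -> bool:
        # Pop first so a token can never be replayed, even after a failed check.
        entry = self._tokens.pop(token, None)
        return entry == (user_id, purpose)

    def _revoke(self, user_id: str, purpose: str) -> None:
        self._tokens = {t: v for t, v in self._tokens.items() if v != (user_id, purpose)}

    def start_password_reset(self, acct: Account) -> bool:
        """Reset link to the primary address; alert with a lock link to the secondary."""
        if acct.locked or not acct.primary_recovery_enabled:
            return False
        self._send(acct.primary_email, acct.user_id, "reset")
        self._send(acct.secondary_email, acct.user_id, "lock")
        return True

    def complete_password_reset(self, acct: Account, token: str) -> bool:
        if acct.locked:
            return False
        return self._consume(token, acct.user_id, "reset")

    def lock_from_alert(self, acct: Account, token: str) -> bool:
        """Whoever holds the secondary mailbox freezes the account and kills any reset link in flight."""
        if not self._consume(token, acct.user_id, "lock"):
            return False
        acct.locked = True
        acct.primary_recovery_enabled = False
        self._revoke(acct.user_id, "reset")
        return True

    def request_secondary_change(self, acct: Account, new_secondary: str) -> bool:
        """The new secondary only takes effect after a confirmation sent to the *old* one."""
        acct.pending_secondary = new_secondary
        self._send(acct.secondary_email, acct.user_id, "secondary-change")
        return True

    def confirm_secondary_change(self, acct: Account, token: str) -> bool:
        if acct.pending_secondary is None or not self._consume(token, acct.user_id, "secondary-change"):
            return False
        acct.secondary_email = acct.pending_secondary
        acct.pending_secondary = None
        return True


if __name__ == "__main__":
    svc = RecoveryService()
    acct = Account("u1", "me@mydomain.example", "me@bigmail.example")
    svc.start_password_reset(acct)
    for to, purpose, token in svc.outbox:
        print(f"{purpose:>16} -> {to}: {token[:8]}...")
```

Two properties carry the security argument: the lock link revokes the reset token rather than merely flagging the account, so a reset link that has already reached a hijacked primary mailbox is useless afterwards; and the confirmation for a secondary-address change goes to the address being replaced, so someone who controls only the primary mailbox cannot swap the recovery channel out from under the owner.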


But what if the provider takes your account down? You end up with an unrecoverable account.


> Instead of blocking custom domain email addresses outright, the site could require a secondary recovery email address from an approved provider when an email with a custom domain is used to create the account.

No thank you, I don't want a mandatory backdoor for every government that might want to claim jurisdiction over one of those large worldwide providers.


> the site could require a secondary recovery email address from an approved provider

No. I have a domain precisely because of avoiding a monopoly, duopoly, oligopoly on my email. Any service that required this would have me walk. The footsteps of a single zhte415 may not be loud, but I feel, especially in tech, I would not be alone.


> Instead of blocking custom domain email addresses outright, the site could require a secondary recovery email address from an approved provider when an email with a custom domain is used to create the account.

Great, if we do this, we've done to e-mail addresses (and domains) what we've done to phone numbers. Some phone numbers, because of the carrier serving them, are "less than" others out of some (mistaken) idea that it's easier to get a bulk-load of phone numbers from some kinds of carriers and not others.

And then, what do you do when a new provider wants to join the scene? It already takes a year of process and documentation for a new certificate authority to get into most browsers and even then the adoption will be years in the making because most devices don't get root certificate updates. What's the process like for e-mail in your hypothetical? Does Hey.com not even bother because getting buy-off from even the top 50 account-based web sites takes forever?

> Good practice for users in general is to use email services like gmail as their login/account email and add their custom domain emails in their bio.

Absolutely not. The entire point for using my own domain is so my identity is not irrevocably tied to Google. When Google can, and does, nuke my account from orbit on a whim due to some perceived slight, I have no recourse. I can't even sue because of the mandatory arbitration clause they slapped in their several-thousand-word terms of service.


Cron job to regularly check if the domain is expired/up for sale? The service "has this domain changed owners in a way that's relevant for logins" could even be turned into a SaaS startup, later to be extended to individual accounts (someone deletes an e-mail account, cancels a phone plan, etc., then a new person creates a new one with just that name). One could strike contracts with all the e-mail providers and phone networks to tell via API when this happens and then send the info to services that use those accounts.
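The domain half of that cron job, as an added example that is not the commenter's code: registries expose registration, expiration and status data over RDAP (RFC 9083 JSON, RFC 8056 status values), so a periodic job can compare the domain behind each account's email address against the time the site last verified that address. A registration event newer than that verification means the domain changed hands after the user proved control of the mailbox, which is the case the thread is worried about. The `rdap.org` bootstrap URL in `fetch_rdap` is real, but the demo below runs offline on constructed RDAP-shaped responses, and the verdict names are this example's own.

```python
import json
import urllib.request
from datetime import datetime, timezone
from typing import Dict, Optional


def fetch_rdap(domain: str) -> dict:
    """Live lookup for a real cron job (not called by the offline demo below);
    rdap.org redirects to the registry's RDAP server for the domain's TLD."""
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=10) as resp:
        return json.load(resp)


def _parse_ts(value: str) -> datetime:
    # RDAP eventDate is RFC 3339; fromisoformat() on older Pythons rejects a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _event(rdap: dict, action: str) -> Optional[datetime]:
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            return _parse_ts(ev["eventDate"])
    return None


def assess_domain(rdap: dict, email_verified_at: datetime, now: datetime) -> str:
    """Classify the domain behind a user's email address (verdict names are this example's):
    'dropping'      registry reports it in redemption period / pending delete
    'expired'       the expiration event is already in the past
    'reregistered'  registration is newer than our last verification of the address,
                    i.e. the domain changed hands after the user proved control of it
    'ok'            none of the above"""
    status = {s.lower() for s in rdap.get("status", [])}
    if status & {"pending delete", "redemption period"}:
        return "dropping"
    expiration = _event(rdap, "expiration")
    if expiration is not None and expiration <= now:
        return "expired"
    registration = _event(rdap, "registration")
    if registration is not None and registration > email_verified_at:
        return "reregistered"
    return "ok"


def email_recovery_allowed(verdict: str) -> bool:
    """Only an unchanged, unexpired domain keeps email-based recovery switched on."""
    return verdict == "ok"


def _sample(reg: str, exp: str, status) -> dict:
    return {"objectClassName": "domain", "status": status,
            "events": [{"eventAction": "registration", "eventDate": reg},
                       {"eventAction": "expiration", "eventDate": exp}]}


# Constructed RDAP-shaped responses standing in for fetch_rdap() results.
SAMPLE_RDAP: Dict[str, dict] = {
    "stable.example":   _sample("2015-01-01T00:00:00Z", "2025-01-01T00:00:00Z", ["active"]),
    "lapsed.example":   _sample("2015-01-01T00:00:00Z", "2024-01-15T00:00:00Z", ["active"]),
    "rebought.example": _sample("2023-09-10T00:00:00Z", "2025-09-10T00:00:00Z", ["active"]),
    "dropping.example": _sample("2015-01-01T00:00:00Z", "2024-02-01T00:00:00Z", ["pending delete"]),
}


def run_demo() -> Dict[str, str]:
    """One cron run over four accounts whose addresses were verified on 2022-06-01, as seen on 2024-03-01."""
    verified = datetime(2022, 6, 1, tzinfo=timezone.utc)
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    return {domain: assess_domain(rdap, verified, now) for domain, rdap in SAMPLE_RDAP.items()}


if __name__ == "__main__":
    for domain, verdict in run_demo().items():
        print(f"{domain:<18} {verdict:<13} recovery allowed: {email_recovery_allowed(verdict)}")
```

In a real job the verdicts feed the same "disable email recovery, route to another factor or support" path a bounce would, and a "reregistered" result deserves a notice to whatever other contact the account has, since the new registrant can now receive mail for the old address.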


What would you do in this situation though? People still need to be able to reset their own passwords. And some accounts don't have any other means of contact. It's extremely common to only have an email address and a password.


If there is an alternative way available to reset passwords, support that one. If there is none, either lock the account, or give access to the handle but "delete" its contents.


What does "custom domain for connected email accounts" mean? Isn't every domain custom? Do you mean anything that isn't @gmail.com?


Yes, roughly speaking any domain you registered yourself.


2FA that can't be bypassed with a password reset?



