I (like many others) use email that's hosted on a domain I own. Are there domain registrars out there that take security seriously enough to, for example, be immune from someone faxing a fake ID to support to get access [0]?

I would be happy to hear of email providers, etc., that also take things as seriously. I can't imagine what hell it would be if someone got access to my email...

[0] https://news.ycombinator.com/item?id=29715989
I am cynical and jaded in this area so please take this with a grain of salt. This is just based on my experience trying out many different registrars.

MarkMonitor is the only registrar that comes to mind, but even they have had some incidents, and it's not likely you would just move some personal domains there. They are meant for large organizations.

The rest of them in my experience either aren't a full-time registrar (CF/AWS) with odd limitations that change with time or have acquired/merged registrars that have become web2.0 front-ends to old systems they acquired and can barely keep them running. I've tried many registrars in the US and EU and cannot find one I have confidence in. Every registrar that has features I like also comes with either stability issues or antiquated technical debt and has lost/let go much of their technical staff. I am not going to name these registrars because for each of them there will be at least a dozen people here that have had nothing but wonderful experiences with them.

So I guess one could minimize risk by having half of their domains on their first choice and half on the second choice, then make sure people know to email them at a domain on each registrar, e.g. use the second registrar for an email domain that is set as a "backup email" in services that support having two or more email addresses.

I know this does not really answer your question. I do not have a good answer.
This is a good question. I have to admit, it only recently occurred to me that my own domain is not by default completely secure from theft. I have focused on "how secure is email-provider-x", or "hosting-company-y", but never the company that actually holds my domain registration. I currently use Amazon for my domains, and I'm not actually sure how vulnerable they are to social engineering attacks. I do remember losing my 2FA device years ago and calling them to get back into my account...which was convenient at the time, but is nagging at me right now.
I have switched almost exclusively to Cloudflare. I really like the wholesale pricing and security. I'm sure you know this, but enable hardware or software 2FA.
https://njal.la/domains/ run by Peter from The Pirate Bay. Used by dark.fail.