Data privacy & cybersecurity for normal people
TheNewOil.org

Custom Domains 101

A more advanced strategy that comes up often in the privacy community is that of “custom domains.” These tools can provide a wide variety of protections from proactively defending against slander and “revenge porn” to simply ensuring you always get your emails. Yet, as “common knowledge” as custom domains are, I still regularly see a lot of confusion and questions about the best way to use them, so this week I’d like to offer my thoughts. Don’t click away just yet if you’re not a techie or have a low threat model because I think there’s value in this tool for you, too.

From the Top: What, Why, & How

Let’s start at the beginning: what is a custom domain? The simple answer is “it’s a website (or at least, it’s the web address).” Believe it or not, anyone can buy a domain for any reason. The only real limits are availability and price. Just because you don’t plan to launch a website doesn’t mean you can’t make use of a custom domain. The most common recommended use in the privacy community is for email. Consider the story of CTemplar, who closed up shop with little warning and left many users scrambling to change their email address with the services they use. If you’ve ever switched providers before – maybe moving to a more professional-sounding address – you can probably relate to this pain. Custom domains practically eliminate this risk. They can also be used to establish a web presence and build a “personal brand,” which can help defend against character assassination attempts. I’ll discuss both of these a bit more in detail later. Even if you’re not tech-savvy or have a low threat model, I still encourage the use of a custom domain. Getting started takes two steps:

  1. Pick a domain registrar such as Namecheap, Orange Web Hosting, or 1984 Hosting. There are, of course, others, but those are a few of my favorites that reasonably respect privacy.

  2. Buy the domain name you want. This is the first hiccup many people encounter: what kind of domain name should I go with? Real name? Random words? I think this depends on the use case (see the next section). If you plan to use this domain for professional tasks like a portfolio of your work to attract clients or employers, I recommend your real name, initials, or a brand name. For example, I may choose to work as natebartram.com, nbartram.com, or thenewoil.org. If this is more for personal stuff like a personal blog, you can go with any number of possible domains ranging from names to nicknames or totally unrelated stuff, like natebartram.com or honeypot.net. These should still be pretty easy to share if you want people to find it, though whether it has any sort of personal meaning or is randomly generated by your password manager is really up to you and your personal preferences. If this domain will be purely for your private use – like a personal cloud or some sort of back-end function that you’ll never really be publicly sharing with anyone directly – then all bets are off: go with whatever you want, from real names to random gibberish.

If the domain name you want isn’t available, you’ll have to either buy it from whoever has it (usually not realistic, as the owner either won’t sell because they’re using it or will ask an outrageous price) or come up with a new one, like an abbreviation (nbartram.com instead of natebartram.com) or a totally new domain. You can buy as many domains as you want: maybe one for personal email and one for professional work, for example.

How to Use a Custom Domain

Now that you’ve got a domain, what to do with it depends heavily on your goal. If you plan to use it as an email domain, then you’re basically done. You can use it as-is – most domain registrars include a high number of email addresses that you can forward to any inbox you wish at no extra cost. However, I don’t like this strategy, mainly because it gives you very little control over each email address – specifically the ability to block ones that have become spammy. Instead, I recommend you attach the domain directly to an email provider such as Proton or Tutanota – or better yet, to a forwarding email provider like AnonAddy or SimpleLogin. Adding a custom domain in Proton costs at least $47.88 USD per year and only includes a single email address (such as info@thenewoil.org), plus catch-all email addresses have moved to the $7/month/user business plan. Tutanota – which is unarguably much better on price than Proton – still only offers a single custom domain with 5 email addresses for €12/year (though at least this plan comes with catch-all). By contrast, AnonAddy and SimpleLogin offer unlimited aliases for free or $30/year (depending on which service and which plan you go with), plus multiple custom domains (20/unlimited) for at most $36/year (you can see a full comparison of AnonAddy’s and SimpleLogin’s features and offerings at https://thenewoil.org/email-masking). Personally, I strongly believe in the “unique email address for every site” approach to help protect against credential stuffing and make it harder for companies to tie your various accounts together (depending on other factors). Regardless of your approach, adding a custom domain to one of these services is as easy as editing the DNS records, and all of these services offer instructions on how to do so, plus you can get support from your domain registrar if you’re still unclear.

The biggest concern here among privacy enthusiasts is the question of whether a custom domain makes you easier to track. After all, if you’re the only person using “natemail.com,” isn’t it pretty obvious? Personally, I don’t think so. For the record, what I am about to say is pure speculation, so if anyone knows better please let me know, but consider the following: the vast majority of people use Gmail, Yahoo, Outlook, etc. It’s incredibly hard to find stats about this subject, but one source suggests that Gmail alone has anywhere from 42-83% market share depending on the age group as of 2017. Therefore, it doesn’t make sense for companies to attempt to track you by domain name. Likewise, most people only use a few email addresses (another source says less than 2 per user on average). It doesn’t make sense to look at domains to track a user when at least half of them are using the same domain and only using a single email address. Instead, it makes much more sense to look at the full email address, since “bob@gmail.com” and “bob1@gmail.com” are statistically unlikely to be the same person, despite sharing a domain name. Thus, if I sign up for a service using “site1@natemail.com,” it would make more sense for any automated tracking service to look for that exact email address rather than simply any “@natemail.com” address. This leads me to believe that the only time a custom domain would ever be tracked is if you’re being targeted by a non-automated, relatively advanced actor, and at that point everything changes and this entire blog post goes out the window, as you’re in a very unique, high-threat-model situation with specialized needs.

If you plan to use your domain with an actual website, things get more complicated depending on what you plan to do. If you simply want to redirect to an existing account – maybe a photo gallery like Instagram or an existing blog like WordPress – that’s also as easy as editing the DNS records (services like WordPress offer instructions on how to do this; in other cases you may need to consult your registrar’s help documentation on how to set up your domain to forward to another site). If you want to create a totally new site, you’ll need to purchase hosting and either use a site-builder service (such as Wix) or hire a web developer. Personally I’d lean toward hiring someone, as site-builder services include a lot of bloated code that will slow down your site and violate user privacy. This is beyond the scope of this blog, however.
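As an added illustration (not from the original post), here is what the “editing the DNS records” step from the email and website sections above looks like in a BIND-style zone file. The domain, provider hostnames and IP address are all placeholders; the real values come from your forwarding provider’s or host’s setup page.

```zone
; Constructed example zone for natemail.example (placeholder domain).
; Every name on the right-hand side is a placeholder: substitute the values
; your forwarding provider (AnonAddy/SimpleLogin) or web host gives you.
$ORIGIN natemail.example.
$TTL 3600

; --- Email: hand all incoming mail for the domain to the forwarding provider ---
@                 IN MX    10 mx1.forwarder-placeholder.example.
@                 IN MX    20 mx2.forwarder-placeholder.example.

; SPF: only the forwarder may send mail claiming to be from this domain.
; "-all" tells receivers to hard-fail anything else, which limits spoofing.
@                 IN TXT   "v=spf1 include:spf.forwarder-placeholder.example -all"

; DKIM: the provider signs your outgoing mail; this CNAME delegates the
; public key lookup to them so receivers can verify the signature.
dkim._domainkey   IN CNAME dkim._domainkey.forwarder-placeholder.example.

; DMARC: reject mail that fails SPF/DKIM alignment and send aggregate
; reports to you, so you can see whether anyone is spoofing your aliases.
_dmarc            IN TXT   "v=DMARC1; p=reject; rua=mailto:dmarc-reports@natemail.example"

; --- Website: point the domain at an existing blog or gallery host ---
; The bare domain already holds MX/TXT records, so it cannot be a CNAME;
; use the host's published A record (192.0.2.10 is a documentation address)
; for the apex and a CNAME for www.
@                 IN A     192.0.2.10
www               IN CNAME blog-host-placeholder.example.
```

After the records propagate, confirm them with `dig MX natemail.example` and `dig TXT _dmarc.natemail.example` (or your registrar’s lookup tool) before switching any accounts to the new addresses.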

Now let’s talk about that second option and how it proactively defends you. Let’s say that someday you piss someone off and they decide to start spreading lies about you on the internet. This may not be as outlandish as you think. One client I worked with told me how his ex-wife was calling all his friends and family to try to dig up dirt against him and win them over to her side in the divorce proceedings. Another client who contacted me was targeted by – as best we can tell – some bored script kiddie on Twitch who proceeded to attempt to dox the client out of sheer boredom. You can literally end up in someone’s crosshairs for no other reason than the fact that you exist and someone doesn’t like how you’re doing that, and if they decide to start publishing slander about you on the internet, this can be bad. People who search your name – like potential employers or dates – may find that information, and it may color their opinion of you. It can be incredibly time consuming, difficult, and perhaps even impossible to get the attacker to stop or remove the information. You may think you can call the cops, but I promise you that’s useless 99.9% of the time. First, that assumes the attacker is even in your jurisdiction. Unless you’re rich and/or famous, it’s not worth the international red tape just because someone’s saying bad things about you on the internet. Even if they are in your jurisdiction, the police probably feel like they have more important things to do. This isn’t trash talk against police, this is a fact. It would take a lot to motivate the police to dedicate resources to your case. They feel like there are more pressing cases like murders and sexual assaults.

Now let’s say you’ve been blogging or sharing your photos for a few years under your custom domain. You don’t have to be professional, or an influencer. You may not even be blogging about anything in particular – maybe just some fun stuff you’ve learned or your progress learning a language once a week or so. But if you’ve been doing that for a few years, there’s a good chance you’ve got a few hits. This, combined with the fact that you’ve been at it for a while, means that any new information about you that pops up is likely to get down-ranked (unless it somehow goes viral). Any attempts to dox or slander you are much more likely to be buried below the legitimate, positive results: blog posts, social media accounts, comments, etc. This can be incredibly effective, but it requires you to be proactive. Starting a blog after you’ve been attacked is too late. Establishing a web presence is especially critical in certain professions – sharing your journey as an aspiring and growing web developer, publishing your analysis of industry trends or new papers as a psychologist or medical professional, sharing some of your best photos from your latest hobby trip, etc. These are easy ways to create content that will hopefully suppress any future attacks while also growing your personal brand and establishing yourself as someone knowledgeable in your industry for prospective employers.

Now, as usual, the privacy concerns must be weighed here. Sharing photos means that people will have a general idea of some of the places you visit or even what area you may live in if you frequent the same spots. Posting about your industry means that people will know more about where you may work. Writing under your real name exposes your real name, obviously. Is this bad? Maybe. As usual, threat modeling plays a huge role here. For most people, I think it’d be a lot worse to have deepfake porn of you showing up on page one of Google Search, or a long blog post about how you were a violent alcoholic who beat your wife and took the kids in the divorce (untrue, of course). Establishing a positive, proactive web presence is even more powerful if combined with data removal (getting your true information taken off people search websites) and planting disinformation. This allows you to create a positive, plentiful online presence that showcases your good side and suppresses any slander while simultaneously removing any truly harmful information and planting fake information to throw people off the trail.

Conclusion

That said, establishing a presence isn’t right for everyone. Some people don’t want yet another online account to manage and have to remember to post content – even if it’s sporadic. Some people strive for digital minimalism or have very little to fear from a search of their names. That said, I do still believe strongly in the value of custom domains for data control: control your email, set up your own cloud, things like that. All this requires a custom domain, and you can always start easy now with a custom email domain and add in other stuff later (subdomains are a wonderful thing I use like crazy). No matter what your threat model, I hope this has helped share some ideas on how I would go about using these. Now go forth and take back control of your data.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.