by burrows 1576 days ago
Seems like the author is making a reasonable point to me. The risk profile for a gmail email address and a custom domain email address are different and developers may benefit from understanding this difference.

I don’t think he’s attacking the character or intelligence of people who use custom domains, he’s pointing out a gotcha that they may not be aware of.


You're giving the article more credit than it's earned.

Indeed, a developer should understand the risks and benefits associated with using an email address on domains they control vs. domains someone else controls.

Too bad the article doesn't make that point.

(Seems obvious to me that a domain you control is less risky since the mitigations are relatively straightforward and reliable, while for a domain you don't control, you really don't have any reliable mitigations if the domain owner decides to shut you down. Not to mention that a third-party domain also has the risk of expiring or being hijacked. A third-party domain only makes sense if you want to trade risk for dollars: a cheaper or free email address for a greater risk of losing control of the email address.)

Having your own domain shields you from Google or any other mail provider. Surely that is vastly better.

We can do a risk profile for an email with a custom domain versus a gmail domain.

Do we need to differentiate between custom email domain with self-hosted mail server and custom email domain with gmail?

If I self-host the mail server then I'll have a machine running on DigitalOcean or EC2 and this machine will accept connections from the Internet. I think this machine should be included in the assessment. So now the risk of a custom email domain depends on when/how I apply patches and how SSH access is configured?

That is like a fraction of a fraction of a fraction of people with their own domains.

I don't think that's relevant, at all.

Could you please clarify your point? I don't understand the comment as is.

That we don't need to differentiate on that level.

We'd first have to differentiate people that write their password on post-its in an open environment. People that have the same password on all services etc.