Jeffrey Paul

Stop Emailing Like A Rube
29 October 2020

Time To Level Up

If your email address ends with a domain name that you don’t own, you’re doing it wrong, and professional people are laughing at you.

Receiving email at your own domain is table stakes for adulting online, and has been so for years.

The reasons are plenty, but here are the few obvious reasons why using someone else’s domain as your canonical email address is a terrible idea:

  • You can’t switch email providers without changing your email address on every account you have, which is likely a time-consuming nightmare.
  • You’re providing free advertising for a giant multinational company, each and every time you send or receive email.
  • An advertising company gets to read all of your messages.
  • An advertising company gets to optionally rewrite, censor, or alter all of your messages, both inbound and outbound.
  • Large US-based companies are compelled by the United States to spy on their users and provide their user data to the US military without a warrant or probable cause. Don’t use a provider who will hand your shit over to the CIA with no questions asked, even if you’re not doing anything wrong.
  • Your email address sucks aesthetically, you fuckin’ yahoo.

Now, some of the above will remain a bit of a problem (in some instances) even if you use your own domain, such as when corresponding with people at gmail.com and the like, because the other party’s provider still gets a copy of every message. Critically, though, if you’re using your own domain with decent hosting, then when you communicate with others who are also so configured, you manage to dodge almost all of these issues.

A society under surveillance is not a free society, so opt out of using a provider that spies on you, or aids others in spying on you.

I heartily recommend that you use ProtonMail. I’m not affiliated or otherwise receiving compensation of any kind for this recommendation, it’s merely a professional opinion based on an evaluation of their service and engineering.

Do not assume that my recommendation means that email, hosted by anyone, is thus “secure”: it is not. By choosing a decent provider, it’s just less likely to end up in your FBI permanent record by default.

How To Email Like A Grown-Up

You will need four things:

  1. A permanent email address for administering the domain, not at the domain
  2. A domain registration (from a domain registrar)
  3. DNS hosting for the domain (from a DNS host)
  4. Email hosting for the domain (from an email host)

Here’s how to do it.

Personal Domain Email Setup

Step Zero: Be using a password manager, and use unique, random passwords for all of the following accounts. All password managers suck to varying degrees, and I don’t have a good recommendation here sadly. I personally reluctantly use Bitwarden in a complicated and annoying self-hosted configuration. Almost any password manager, however, is better than no password manager.

One, set up a special ProtonMail account (@protonmail.com, yes, an exception to the rule) for administering your personal domain name and dns and email hosting accounts. This is the only purpose this account exists, you will use it for nothing else. You may use a random username, such as a84bd6df8a17@protonmail.com, which is probably available if you hurry, because I just made that up. This fulfills requirement #1.

Ensure that 2FA (two-factor authentication) is enabled on your administrative account at ProtonMail.

The reason for using an external email account for your domain’s registration and hosting is so that you can still access/reset these accounts should something go wrong with your domain name registration or email hosting (e.g. expired credit card) that temporarily renders the domain inoperable. If there’s a problem with your domain or email hosting, you can’t receive emails to email addresses at that domain, which locks you out of the whole setup. Again, this is the only purpose for this account.

Two, choose a domain name. Use an online WHOIS tool to ensure that your chosen domain is available. Don’t choose a domain under a top-level domain (TLD) like .ae or .vegas that censors domains based on their content, otherwise your domain registration itself might disappear from underneath you one day. Not all TLDs are created equal. Watch out, in general, for theocratic or authoritarian country code TLDs. .coms are as good as ever; .name and .email and .computer are all also good, as are city-specific ones like .berlin or .nyc or .tokyo. Some opt for .co as a shorter .com alternative, and .io and .dev are popular in the hacker community. In any case, always read the terms for your chosen TLD carefully, because some reserve the right to cancel your domain if you ever use it to publish anything unflattering about the named locale. Recall also that country code TLDs can be used to create neat domain hacks (such as my domains acidhou.se, coinpur.se, or featur.es, or djb’s famous cr.yp.to).

There are now fucking shitloads of new TLDs, which means that getting a good, easy, short, memorable domain is relatively easy, considering the sheer number of TLD options. Spend a few minutes and choose carefully, this is going to be a part of your public identity for the foreseeable future, and can also simultaneously be used for your website, in addition to being the second half of your email address.

I have used nameboy.com in the past to find interesting domains to buy.

If you can’t think of a good one, email me and I’ll sell you stupid.company or one of my other unused joke domains for (relatively) cheap, just so they stop rotting unused in my account.

Whatever you do, just don’t register a hyphenated domain, as that’s even worse than a hotmail.com email address.

Three, choose a registrar. This is the company that will create the domain for you. Note that this has nothing to do with the hosting of the domain.

Registrars are mostly created equal, except for the fact that you should never use GoDaddy because they will fuck you over and delete your domain arbitrarily. There are some fringe ones that are really quite shady (like frontrun-your-registration-shady) but you’ll likely not encounter those. I use joker.com and several others (not all registrars support registrations for all top-level domains). I once met the guy who runs iwantmyname.com.

Four, create an account with your chosen registrar. When you create your registrar account, use the special random @protonmail.com email address you set up in step one.

Ensure that 2FA (two-factor authentication) is enabled on your account at the domain registrar. If your registrar doesn’t support 2FA, stop and go back and choose a different one.

Five, register the domain. For domains that I plan to use on long-term things (such as domains for email addresses), I like to do 10 year registrations, although any period of time is fine. Don’t use your home address or direct cell phone number in the domain registration, because this information will be public. This satisfies requirement #2 above. Don’t sign up for anything else with your registrar when you register the domain.

You should generally pay under $20/year of registration, unless you picked some fancy new TLD that exists only to charge expensive registration fees. Perhaps it’s worth it for your personal brand, but it’s not strictly necessary. If you’re on a budget, any cheap TLD will serve just fine.

Six, create an account with CloudFlare which will serve as your DNS host. They are reliable, trustworthy, and will do this for free. When you create your account there, use the @protonmail.com account you set up in step one.

Ensure that 2FA (two-factor authentication) is enabled on your account at CloudFlare.

Seven, add your new domain name to CloudFlare. This will involve taking two nameserver addresses from CloudFlare’s hand-holding process underneath the “Add a Site” button, and inputting them somewhere in your domain registrar’s settings, usually under a setting called “Custom Nameservers”. Now you have DNS hosting (free courtesy of CloudFlare) which satisfies #3 above.

To check the nameserver settings for your new domain, you can run a command like host -t ns example.com where example.com is your new domain. If you’ve done it right they should point to the two nameservers that CloudFlare gave you. Depending on TLD and registrar these changes could take between 5 minutes and 24 hours.

Eight, create another brand new ProtonMail account to be your new email daily driver account. Again, the username doesn’t matter much, but you may wish to go non-random for this. Using your domain name (minus the dot) as your username isn’t a terrible idea. Go into the settings dashboard, and upgrade your plan to at least the Professional plan, which is $8/mo, $75/year (-20%), or $129/2year (-33%), so sign up for two years.

Ensure that 2FA (two-factor authentication) is enabled on your daily-driver account at ProtonMail.

Nine, take all of the DNS records provided to you by the ProtonMail add-a-domain process, and input them into your CloudFlare DNS settings for the domain. I suggest specifying a 2 hour TTL on the DNS records you input, and make sure that any records added (such as CNAME) are set to “DNS only” in the CloudFlare settings: a proxied record answers with CloudFlare’s own addresses instead of the target you entered, which breaks the verification lookups other mail servers perform. The most important ones are the MX records, but do everything that the ProtonMail domain adding hand-holder boxes tell you to do. That will also set up records you don’t need to understand in detail, like SPF and DKIM; those are what let receiving servers check that mail claiming to be from your domain actually came from your host, so don’t skip them.
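The two DNS steps above (the nameserver delegation in step seven, the mail records in step nine) are the part of this setup people most often get subtly wrong, and a wrong SPF or DMARC record fails silently until someone spoofs your domain. Here is a small offline checker I added for this page; it is not code from the original post or from ProtonMail or CloudFlare. It takes a list of records as a resolver would return them and reports what is missing or permissive. The record sets at the bottom are constructed: the nameserver names, MX hosts, DKIM selector and CNAME target are assumptions, not values any particular provider actually hands out, so compare against what your own registrar and mail host gave you.

```python
"""Audit the DNS records a personal mail domain needs, offline.

Added example, not part of the original post. The record sets below are
constructed to look like what `host` or `dig` return after steps seven and
nine; the nameserver names, MX hosts and DKIM selector are assumptions, not
values any particular registrar or mail host actually issues.
"""
from __future__ import annotations

import re


def _norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so 'A.NS.' equals 'a.ns'."""
    return name.strip().lower().rstrip(".")


def parse_spf(txt: str) -> dict:
    """Split an SPF TXT record into version, mechanisms and the qualifier on 'all'."""
    terms = txt.split()
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"  # RFC 7208: no qualifier means Pass
        else:
            mechanisms.append(term)
    return {"version": terms[0] if terms else "", "mechanisms": mechanisms, "all": all_qualifier}


def audit_mail_dns(records, domain, expected_ns, dkim_selectors=("protonmail",)):
    """Return finding codes for a domain's mail records; an empty list means all checks passed.

    records: iterable of (owner, rrtype, rdata) tuples as a resolver returns them.
    """
    by = {}
    for owner, rrtype, rdata in records:
        by.setdefault((_norm(owner), rrtype.upper()), []).append(rdata)
    d = _norm(domain)
    findings = []

    # Step seven: delegation must be exactly the nameserver pair the DNS host assigned.
    if {_norm(n) for n in by.get((d, "NS"), [])} != {_norm(n) for n in expected_ns}:
        findings.append("NS_MISMATCH")

    # Step nine: MX records are what actually route mail to the new host.
    if not by.get((d, "MX")):
        findings.append("MX_MISSING")

    # SPF: exactly one v=spf1 record (two is a permerror) and it must not end in +all or ?all.
    spf = [t for t in by.get((d, "TXT"), []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("SPF_COUNT")
    elif parse_spf(spf[0])["all"] in (None, "+", "?"):
        findings.append("SPF_PERMISSIVE")

    # DMARC: published at _dmarc.<domain>; p=none only monitors, it rejects nothing.
    dmarc = [t for t in by.get((f"_dmarc.{d}", "TXT"), []) if t.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("DMARC_MISSING")
    else:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
        if tags.get("p", "none").strip().lower() == "none":
            findings.append("DMARC_NONE")

    # DKIM: the mail host's selector must resolve (the ProtonMail wizard hands out CNAMEs).
    for sel in dkim_selectors:
        if not by.get((f"{sel}._domainkey.{d}", "CNAME")):
            findings.append(f"DKIM_MISSING:{sel}")
    return findings


# Assumed nameserver pair; substitute the two names CloudFlare actually shows you.
EXPECTED_NS = ("ada.ns.cloudflare.com", "bob.ns.cloudflare.com")

# Constructed: what a correctly finished zone might look like.
GOOD_ZONE = [
    ("example.com.", "NS", "ada.ns.cloudflare.com."),
    ("example.com.", "NS", "bob.ns.cloudflare.com."),
    ("example.com.", "MX", "10 mail.protonmail.ch."),
    ("example.com.", "MX", "20 mailsec.protonmail.ch."),
    ("example.com.", "TXT", "v=spf1 include:_spf.protonmail.ch mx ~all"),
    ("_dmarc.example.com.", "TXT", "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"),
    ("protonmail._domainkey.example.com.", "CNAME", "protonmail.domainkey.example.domains.proton.ch."),
]

# Constructed: registrar parking nameservers still set, SPF ending in +all, monitor-only DMARC, no DKIM.
WEAK_ZONE = [
    ("example.com.", "NS", "ns1.registrar-parking.example."),
    ("example.com.", "NS", "ns2.registrar-parking.example."),
    ("example.com.", "MX", "10 mail.protonmail.ch."),
    ("example.com.", "TXT", "v=spf1 include:_spf.protonmail.ch +all"),
    ("_dmarc.example.com.", "TXT", "v=DMARC1; p=none"),
]

if __name__ == "__main__":
    print("good zone:", audit_mail_dns(GOOD_ZONE, "example.com", EXPECTED_NS))
    print("weak zone:", audit_mail_dns(WEAK_ZONE, "example.com", EXPECTED_NS))
```

To run it against a live domain, feed it the output of host -t ns, host -t mx and host -t txt for the domain and for _dmarc.<domain>, converted into the same (owner, type, data) tuples. The SPF_COUNT finding is deliberate: two v=spf1 records are not “extra safe”, receivers treat them as a permanent error.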

Ten, wait for ProtonMail to tell you your domain is now active, which should take under an hour. While you’re waiting, install the ProtonMail mobile app and get logged in. If you want to use native IMAP email apps like I do (such as the built-in Mail.app on macOS, or Mutt, or Thunderbird, or whatever) you’ll need to install the ProtonMail Bridge app on the computer running the native email client. (You can even review the code, if you’re into that sort of thing.)

Sadly, this means that you can’t use the native iOS mail client (“Mail”) with ProtonMail, because they don’t support plain IMAP (due to storing all of the email messages encrypted on the server). You have to use the ProtonMail app on mobile. If this is a dealbreaker for you (and I can understand if it is), you’ll need to choose a different email host other than ProtonMail.

Eleven, you’ll want to create an address at this domain in your ProtonMail settings (Settings > Addresses/Users). Once you’ve created this user, go to Settings > Domains and make sure “catch-all” is checked next to it (which is why you created a Professional account and not a Plus account). This means that email sent to anything@example.com will make it into your account.

This will be your main email address from here on out. Presuming you registered sneak.berlin, and your name is Jeffrey Paul and your username is sneak, use something like sneak@sneak.berlin, or jeffrey@sneak.berlin, or me@sneak.berlin, or whatever you find pleasing.

In your ProtonMail account settings, under Account, down on the bottom left there is a list for Address Priority. Drag your new canonical email address you’ve just added to the top of the list, which makes it the default, so it is used for the From address automatically for all of your outbound messages from that account.

Twelve, log back into your first ProtonMail account you created in step one, the non-upgraded free account you are using only for domain and hosting administration, the one with the random username. Go into Settings, and change the “Reset/notification email” to your new email address at your new domain, and make sure that the “Daily email notifications” setting is set to on. What this does is send you an email at your main email address if you get any emails to this administration-only mailbox, so you know to go and log into it and read them. This is important because if your credit card expires or there’s some other impending problem with your domain name, they’ll be emailing that administration address to tell you, which, if all goes well, you will practically never be logging in to or regularly checking.

Congrats, you’re now adulting on the internet.

It’s now safe to put your email address at your own domain onto business cards, vinyl stickers, and the like, because the number of circumstances that could force you into having to change it are vastly reduced.

Aftermath

There are a few cleanup steps now that you’re up and running.

Cleanup One: Credential Backup

First, back up your password manager database, and ensure that the password for accessing it is safe. You’ll want to take steps so that you can retrieve this backup and the password to it even if your house burns down. Once you change your password manager account’s email over to your new domain name, you don’t want to accidentally lock yourself out if there’s ever an issue with the domain, because then you’d be proper fucked, unable to access the domain settings.

If you don’t use a password manager (and, I repeat, you should be using a password manager), replace this step with creating a text file with all of the usernames, passwords, and 2FA seeds for all of these accounts, and print it out or otherwise store it somewhere both safe and reliable. It’s the keys to your kingdom, because control of your domain and email accounts means one can reset the passwords on all of your other accounts. Use a password manager.

Cleanup Two: Updating Your Account Email Addresses

Now we come to the aforementioned ‘time-consuming nightmare’. Do this once to your own domain, and you’ll never have to do it again, even if you switch providers in the future. Here’s a trick to make it less painful:

Every time you receive an email into your old email account from some app or website, go and log into that app or website and change the email address on your account at that app or website to your new one, until nothing continues to arrive in your old inbox. This will be a process that continues over months or years, but should be the last time you ever need to do this, because if you ever move email providers again sometime in the future, your email address comes with you, and you won’t have to update a bazillion accounts everywhere now that your email address is permanent.

One upside to this is that if you’ve only recently adopted a password manager and all of your sites aren’t yet in it, you can also take this opportunity to change the password on each of these accounts (to a long random unique one, stored in your password manager) at the same time you update the email address.

Cleanup Three: Unique Emails for Accounts

Remember that you specified “catch-all” in your email address setup in ProtonMail. This means that an email sent to any username at your domain name will get delivered to you. This gives you the option of providing a unique email address to each and every service you use, which is nice because then you can filter them individually. For example, when you change your email address at, say, amazon.com, you can switch it from johnsmith@gmail.com to amazondotcom@johnsmith.com (even if your main email is john@johnsmith.com).

This makes it super easy to set up a folder in your inbox and a rule that moves everything with a “To” address of amazondotcom@johnsmith.com into that folder.

If you do this with each and every site you sign up for, then when you start getting spam or other unrelated crap to a specific address, you now get two things: one, you know who sold you out, so you can stop doing business with them, and two, you can create a rule to trash all of the inbound messages to shadycompany@johnsmith.com and cut off their access to your eyeballs.

Some of you may be doing this already with the plus trick on public email hosts, such as username+whateversite@gmail.com. The problem with this is that the plus trick is well known, and people who trade in emails and harvest personal data simply strip out the plus tag, so you get little benefit from this.

Having unlimited unique email addresses is also handy for things involving free trials, the exploitation of which is an exercise left to the reader.
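Two things in this section are worth seeing in code: why plus-tags on a public host give you so little, and how the per-service aliases on a catch-all domain let you both file mail and catch the company that sold your address. The following is an added example written for this page, not code from the original post. The addresses and the little sample inbox are constructed; johnsmith.com is the post’s own placeholder domain.

```python
"""Per-service aliases on a catch-all domain, versus plus-tags on a public host.

Added example, not part of the original post. The addresses and messages
below are constructed; johnsmith.com is the post's own placeholder domain.
"""
from __future__ import annotations


def broker_normalize(address: str) -> str:
    """Collapse an address the way a list broker does before de-duplicating.

    Public hosts let one mailbox own many spellings: '+tag' is dropped almost
    everywhere and Gmail also ignores dots. On your own catch-all domain there
    is no published rule to apply, so each alias stays a distinct record.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def alias_of(address: str) -> str:
    """The local part, which on a per-service alias names the service (e.g. amazondotcom)."""
    return address.strip().lower().rpartition("@")[0]


def folder_for(msg: dict, my_domain: str, personal: str) -> str:
    """The post's filing rule: mail To: <service>@my_domain is filed under <service>.

    Mail to the personal address (and mail not for this domain at all) stays in INBOX.
    """
    to = msg["to"].strip().lower()
    if to.endswith("@" + my_domain.lower()):
        alias = alias_of(to)
        return "INBOX" if alias == personal else alias
    return "INBOX"


def find_leaks(messages, my_domain: str, registered_with: dict) -> dict:
    """Return {alias: {unexpected sender domains}} for aliases that have been leaked.

    registered_with maps each alias to the domain it was handed to. Mail to that
    alias from any other domain (subdomains excepted) means the address was shared
    or sold; that alias can then be trashed with a single rule.
    """
    leaks = {}
    for msg in messages:
        to = msg["to"].strip().lower()
        if not to.endswith("@" + my_domain.lower()):
            continue
        alias = alias_of(to)
        sender = msg["from"].strip().lower().rpartition("@")[2]
        legit = registered_with.get(alias)
        if legit and sender != legit and not sender.endswith("." + legit):
            leaks.setdefault(alias, set()).add(sender)
    return leaks


# Constructed sample inbox, not real mail.
MY_DOMAIN = "johnsmith.com"
PERSONAL = "john"
REGISTERED_WITH = {"amazondotcom": "amazon.com", "shadycompany": "shadycompany.example"}
SAMPLE_MESSAGES = [
    {"from": "order-update@amazon.com", "to": "amazondotcom@johnsmith.com"},
    {"from": "ship-confirm@shipment.amazon.com", "to": "amazondotcom@johnsmith.com"},
    {"from": "news@shadycompany.example", "to": "shadycompany@johnsmith.com"},
    {"from": "deals@bulk-blaster.example", "to": "shadycompany@johnsmith.com"},
    {"from": "alice@example.net", "to": "john@johnsmith.com"},
]

if __name__ == "__main__":
    for a in ("john.smith+amazon@gmail.com", "johnsmith+shady@gmail.com", "amazondotcom@johnsmith.com"):
        print(f"{a:32} -> broker sees {broker_normalize(a)}")
    for m in SAMPLE_MESSAGES:
        print(f"{m['to']:32} -> folder {folder_for(m, MY_DOMAIN, PERSONAL)}")
    print("leaked aliases:", find_leaks(SAMPLE_MESSAGES, MY_DOMAIN, REGISTERED_WITH))
```

The two Gmail spellings collapse to the same record, so the broker never loses the real address; the two johnsmith.com aliases do not, and the only alias receiving mail from somewhere it was never given to is the one you should start rejecting.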

Cleanup Four: Migrate Old Mail

If you want to move all of your old emails from your previous account into ProtonMail, they have a special app with detailed instructions that will take you through that process. For other email providers, it’s as straightforward as adding both old and new accounts to your IMAP email client, and dragging them between the mailboxes. If you go that route, do only about a thousand messages at a time, and wait for it to complete before dragging over more, and make sure you’re moving them and not copying.
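For the drag-between-accounts route, here is what the client is doing on your behalf, as an added example written for this page (not the post’s or any provider’s code). Between two different servers there is no IMAP MOVE, so “move, not copy” has to be done by hand: fetch from the old account, APPEND to the new one with flags and date preserved, and only then flag the originals deleted and expunge, a batch at a time. Hostnames, mailbox names and credentials in main() are placeholders and nothing connects anywhere until you run it.

```python
"""Move old mail between two IMAP accounts in batches of about a thousand.

Added example, not part of the original post. Hosts, mailbox names and
credentials are placeholders; nothing here contacts a server until main()
runs. Each message is fetched from the old account, appended to the new one
with its flags and date preserved, and deleted from the old account only
after the append succeeded, which is what "move, not copy" has to mean when
the two mailboxes live on different servers.
"""
import imaplib
import ssl

BATCH = 1000  # the post's "about a thousand at a time"


def chunk_uids(uids, size=BATCH):
    """Split UID strings into comma-separated sets of at most `size` for one STORE."""
    return [",".join(uids[i:i + size]) for i in range(0, len(uids), size)]


def list_uids(conn, mailbox):
    """SELECT `mailbox` read-write and return all of its UIDs as strings."""
    typ, _ = conn.select(mailbox)
    if typ != "OK":
        raise RuntimeError(f"cannot select {mailbox!r}")
    typ, data = conn.uid("SEARCH", None, "ALL")
    if typ != "OK":
        raise RuntimeError("UID SEARCH failed")
    return data[0].decode().split() if data and data[0] else []


def copy_one(src, dst, uid, dst_mailbox):
    """Fetch one message (BODY.PEEK leaves \\Seen alone) and APPEND it to dst; True on success."""
    typ, data = src.uid("FETCH", uid, "(FLAGS INTERNALDATE BODY.PEEK[])")
    if typ != "OK" or not data or not isinstance(data[0], tuple):
        return False
    meta, raw = data[0]
    # \Recent is assigned by the server and cannot be set through APPEND.
    flags = [f.decode() for f in imaplib.ParseFlags(meta) if f != b"\\Recent"]
    date = imaplib.Internaldate2tuple(meta)
    typ, _ = dst.append(dst_mailbox, "(" + " ".join(flags) + ")" if flags else None, date, raw)
    return typ == "OK"


def migrate(src, dst, src_mailbox="INBOX", dst_mailbox="INBOX", batch=BATCH):
    """Move every message in src_mailbox to dst_mailbox; returns how many were moved."""
    uids = list_uids(src, src_mailbox)
    typ, _ = dst.select(dst_mailbox)
    if typ != "OK":
        raise RuntimeError(f"cannot select {dst_mailbox!r} on destination")
    moved = 0
    for uidset in chunk_uids(uids, batch):
        done = [u for u in uidset.split(",") if copy_one(src, dst, u, dst_mailbox)]
        if done:
            # Only now remove originals, and only those the new server accepted.
            src.uid("STORE", ",".join(done), "+FLAGS", r"(\Deleted)")
            src.expunge()
            moved += len(done)
    return moved


if __name__ == "__main__":
    ctx = ssl.create_default_context()
    # Placeholder endpoints: the old provider, and the new host (for ProtonMail,
    # the local endpoint that the Bridge app gives you).
    old = imaplib.IMAP4_SSL("imap.old-provider.example", 993, ssl_context=ctx)
    new = imaplib.IMAP4_SSL("imap.new-host.example", 993, ssl_context=ctx)
    old.login("old-user", "old-password")
    new.login("new-user", "new-password")
    print("moved", migrate(old, new), "messages")
    old.logout()
    new.logout()
```

If a batch is interrupted, nothing is lost: messages already appended but not yet expunged simply exist in both places, and a rerun appends them again, so de-duplicate on Message-ID afterwards rather than deleting blindly.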

Security Note

Last but not least, if you’re into anonymity or pseudonymity online, and would like to preserve a wall between your online identity and certain IRL tasks that require an email address as well as government ID, you’ll want to go and repeat all of the above steps, including step one, with a different domain name for your government ID name. (It need not have your government ID name in the domain.)

Then, when you do things that involve your government ID, such as booking a flight with an airline, or opening a frequent flyer account, purchasing health care, applying for a customs speedpass, opening a bank account, or opening a KYC-related cryptocurrency exchange account, you’re providing them with an email address at a domain name that is not related to your online identity, reducing the likelihood of your getting doxed when that vendor’s email-to-full-name database gets leaked and published to the web. Anyone remotely well-known online tends to attract attention both positive and negative, and you don’t want web searches for your well-known public domain name to turn up PII dumps related to your home address or offline identity.

You might think this isn’t that important, but all of this information gets sold in bulk to data brokers and is available to thousands of people, so it’s best to use entirely separate accounts and domain names for these purposes. Duplicate the whole stack: admin account, registrar account, DNS hosting account, mail hosting account. Don’t cross the streams.

Lifestyle Note

Additionally, you may wish to set up another (possibly third) stack here as well. It may be safe to reuse the same admin/Registrar/CloudFlare accounts for this one, but get a new domain and email box for this third one. Let’s call it the “accounts” email address.

The idea is that you set up a catchall for one domain, say, mysignupexample.com, and then you provide an address at that domain as a username to all of the services that you use. This is your email-address-as-username, and it will primarily receive messages sent by computer programs (most of the email currently in your inbox, I assume). You don’t tell human beings this email address, it’s your username for accounts.

Then, on a different domain, and different email address (likely the one you set up first), you define your personal correspondence email address. This email is your personal email address, and you don’t ever give it to services or use it for accounts. You put this on your card, or provide it to other human beings directly. People, when they write you, write you at this address.

This has a few major benefits:

  • You can turn off the “accounts” email address checking/notifications on weekends or when you’re on holiday, and not miss actual emails from human beings trying to write you.
  • People who receive your business card or correspondence from you don’t also receive your username to a thousand different websites.
    • This has the added benefit of preventing most strangers from finding out if you have a user account on most third-party sites, because many of them will confirm or deny the existence of a given account based on email address, without providing a password.
  • You can configure them separately on different devices, such as only putting your personal email account on a tablet that you use for reading books; you won’t be disturbed by the endless stream of transactional mail directed at your “accounts” email address.

You can, of course, simply set up different email addresses at the same domain in your ProtonMail account, or add two domains to one ProtonMail account. (The “Professional” account cost includes up to 2 domain names attached.) Personally, I prefer to keep them in entirely separate accounts, as a security boundary (a potential compromise in one does not affect the other).

In Closing

I actually have about a half-dozen different email accounts, each hooked up to their own domain name: a personal correspondence email address (sneak@sneak.berlin), which you know, an “accounts” email used as my login for most services (you may be able to guess this one, but I don’t publish it), my corporate email address, used exclusively for things related to revenue generation and for-profit work (jp@eeqj.com), one that is used exclusively for health care and immigration, and a few others used each only for a specific, defined purpose.

It may sound like a hassle, but it’s actually simple and straightforward once you spend the hour or two setting each one up, and then you can forget about it until it comes time to renew the domain or hosting.

If I were to sell one of my companies? Everything is already separate, and all of the accounts for that specific company are set up at that company’s dedicated domain name: no settings need be changed. Start a new company? Register a new domain, set up a separate email account. Get subpoenaed in a lawsuit? Any compelled records production, no matter how broad, is unlikely to include my medical or immigration records. Get tired of my email host? I just need to change my MX records in DNS and move my old mail over, and don’t have to screw around with changing settings at a thousand different accounts ever again.

I wish you luck. Feel free to drop me a line if you run into trouble, and I’ll do my best to help you out.

About The Author

Jeffrey Paul is a hacker and security researcher living in Berlin and the founder of EEQJ, a consulting and research organization.

sneak@sneak.berlin | @sneak@sneak.berlin | @sneakdotberlin | @eeqj | linkedin.com/in/jeffreypauleeqj