0

I'm new to this and I've read a tutorial on this page: http://www.melyssagriffin.com/use-gmail-custom-domain/

The author of the tutorial wrote about her experiences of setting up a custom domain name in her e-mail address for her webpage, so something like office@mywebsite.com. Now, what I don't understand is how the confirmation process works, i.e. how the email provider verifies that I really own the domain. And this seemed weird to me - Gmail only requires that the owner of the website puts some unique HTML code on their website as a confirmation. What surprised me is that there was no third party involved. Nobody contacted, for example, the company who registered the domain (e.g. GoDaddy) or anyone else. It seems to me that a Gmail bot just scanned the webpage, saw the pasted HTML code and basically said "ok, you're good to go".

So what does prevent me from becoming a new email provider and setting up an email with an already taken domain like mymail@google.com or mymail@reddit.com?

George
    And how would you go about putting a specifically crafted HTML string in one of Google's files? I'm quite interested frankly. – MadWard Jun 09 '16 at 15:18

2 Answers

3

In short: You cannot simply set up a rogue Google or Reddit e-mail server, because DNS.


E-mail clients and servers rely upon DNS in very much the same way most web browsers and websites do. When a node has a package that requires delivery to an address at domain.tld, that node will first query their DNS servers to retrieve the MX record for that domain. The MX record, in turn, points to the registered IPs or hostname for the e-mail servers for that domain.

Even if you set up your e-mail server, and configured it to accept mail for domain.tld, it would never receive mail for that domain unless the person in control of the domain's DNS included your server in their MX records. Of course, there are ways that DNS could be spoofed or a system could be pointed to a rogue DNS server. But those are beyond the scope of this discussion.

Aside from making sure you're not trying to set up a spoof mail server, the dependency upon DNS is another reason Google and similar services require this type of verification for custom domains. The verification process requires that you post a unique string in a location which requires a DNS lookup to reach. If the service provider can verify that you have posted the string there, then they know that you at least have control of the DNS records for that domain.

(Whether control of those records was legitimately obtained is, to a certain degree, not their concern. It's largely up to the DNS provider to make sure unauthorized users cannot modify the records.)

If you don't have control of the DNS records, then no e-mail provider will be able to service your custom domain. Thus, why would they go through the trouble, and expend the resources, to set up a server that won't provide the functionality their customer expects?

Iszi
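The MX lookup and the DNS-anchored verification described in the answer above, as an added example that is not part of the original post. The zone data, IP addresses, token values and the `/verify.html` path are constructed for illustration; a real provider queries live DNS and fetches over HTTP.

```python
# Constructed sample data: a toy view of DNS and of what web hosts serve.
ZONES = {
    "example.org": {
        "MX": [(20, "mx2.example.org"), (10, "mx1.example.org")],
        "A": ["192.0.2.10"],
    },
    "nomx.example": {"A": ["192.0.2.20"]},  # domain with no MX records
}
WEB_CONTENT = {
    "192.0.2.10": {"/verify.html": "token-abc123"},     # host the zone points to
    "198.51.100.66": {"/verify.html": "token-evil999"}, # claimant's own host
}

def mail_targets(domain, zones=ZONES):
    """Hosts a sending server will try, in order, for mail to `domain`."""
    zone = zones.get(domain)
    if zone is None:
        return []                    # no such domain: nothing to deliver to
    mx = sorted(zone.get("MX", []))  # lowest preference value is tried first
    if mx:
        return [host for _, host in mx]
    # RFC 5321 section 5.1: with no MX, the domain's own address is the mail host
    return [domain] if zone.get("A") else []

def would_receive(server, domain, zones=ZONES):
    """A server only gets mail for a domain if that domain's DNS names it."""
    return server in mail_targets(domain, zones)

def verify_ownership(domain, token, path="/verify.html",
                     zones=ZONES, web=WEB_CONTENT):
    """Provider-side check: resolve the domain via DNS, then look for the
    token on the host DNS points to, never on a host the claimant names."""
    for ip in zones.get(domain, {}).get("A", []):
        if web.get(ip, {}).get(path) == token:
            return True
    return False

if __name__ == "__main__":
    print(mail_targets("example.org"))
    print(would_receive("mail.rogue.example", "example.org"))
    print(verify_ownership("example.org", "token-evil999"))
```

Both checks start from records only the domain's DNS administrator can change, which is why configuring a server to accept mail for a domain does not by itself route any mail to it.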
0

Since the site is on the domain, it bears reason that the owner of said domain, or an administrator of said domain, will have FTP access that allows them to modify the site and paste the code-key into the webpage.

In regards to the google.com or reddit.com options, you'd have to be able to modify the site (probably the www.google.com/index or www.reddit.com/index pages specifically) to be able to gain access. Can you? No? Then you must not be the owner of the domain.

Desthro