Can someone read my E-Mail if I lose ownership of my domain?

Question

Let's assume I have a server set up with an email address like me@mydomain.tld. Now I have distributed my business card with the e-mail address to all people all over the world and they keep sending me confidential emails. But now I don't feel like paying for the domain mydomain.tld anymore.

Now if someone buys the domain and creates a mx record pointing to the his own mail server he can read all my confidential emails the people are sending me right?

No, I can't tell them to stop sending confidential mails because I can't contact them.

Are there ways to prevent that or is the only option I have is to pay for the domain until I die?

Answer 1

Now if someone buys the domain and creates a mx record pointing to the his own mail server he can read all my confidential emails the people are sending me right?

If they register the domain name, they will receive all email being sent to it from that point on. They will not have retroactive access to previously sent emails. There is nothing to fundamentally prevent this.

Are there ways to prevent that or is the only option I have is to pay for the domain until I die?

You can request that all contacts to you encrypt their communications with PGP using your public key, which will prevent anyone who obtains the domain later from reading new messages, but it requires people actually use PGP, which may not be likely if you are distributing the address to average people in a business card. However, if you maintain or at least renew the domain for, say, 20 years, then what are the chances that anyone is going to seriously send an email to such an ancient address?

---

I asked the question on the Law Stack Exchange whether or not there would be any legal recourse to someone using your domain, and the answer was no: https://law.stackexchange.com/q/35917/15724

Answer 2

As others already mentioned: Yes keeping a domain name is the only way to be sure that nobody is going to receive emails sent to there.

That being said:

Just keeping a domain is often cheaper than using it

Of course everything depends on the provider, but as I understand you currently have currently more than 1 service (domain name, redirect?, email server?, hosting space?).

When your only objective is to prevent others from receiving your emails, it is sufficient to only renew the domain name, and you can avoid the costs for any further service.

Answer 3

Assume someone will definitely buy your domain, as domain crawlers try to lock and resell, overpriced, domain names that people forget to renew. An MX record is not required in order to have mails delivered somewhere.

Thanks to @Criggie, if an MX record is not set, the Mail Transfer Agent will try to point to the root A record for that domain and open a connection to its port 25. So, the web server responding for the new buyer must also be capable of mail server.

Now, we need to estimate the odds that someone will effectively monitor the email address(es).

In my personal opinion, unless you are a person worth to target by a human interest, the best that the buyer company will do is just crawl sender email addresses for unsolicited bulk advertising purposes, namely spam. Not to inspect the real contents.

Update: non-scientific statistics

I tried to ping 5 of the domains I owned in the past. Out of them, one has been purchased in 2015 by what looks like to be a business whose name is meaningful to domain name, and they have set an MX record. The other 4 are not existent.

Are there ways to prevent that or is the only option I have is to pay for the domain until I die?

Use a long-term grace period

That means gradually decommission that domain. Keep it for now, e.g. renew for 2 years, but perhaps establish an auto-responder (or auto-refusal) email like

Greetings,

the email address me@mydomain.tld will be decommissioned by [2 years from now]. I kindly ask you to update your address book and send the email again to me@mydomain.biz.

For the privacy of both, it is important that you kindly implement this change as soon as possible

The last sentence explains the matter but is hard to understand for non-security-expert users.

I would expect emails sent to mydomain.tld will gradually decrease over time. Do not forget to update your business cards immediately and start using the new ones.

Eventually, there could still be someone, hopefully a handful, using your old email address after the grace period expires. What to do?

This is where maths come: put on a scale the total cost of lifetime ownership of the old domain name versus the economic losses that YOU will suffer in case a confidential mail is revealed to someone unauthorized. I said YOUR losses because if your customer/sender is a jerk and keeps sending sensitive material to the wrong address it may not be your business.

Comment

I don't personally like this question from the very beginning. ISPs, including the sender's, have full access to plaintext emails, some may be required by law to keep ("data retention") record for months or years. In the very end, plaintext email is not the best option to deal with sensitive contents.

Eventually, we trust major ISPs to protect our privacy. We trust them to...

Answer 4

Loss of domain name is actually one of the biggest security vulnerabilities that I see "in the wild".

It may not rate a symposium topic at Blackhat, but the threat has a gigantic surface area and high business impact, and is at the top of the list when I am briefing a small organization's Board of Directors.

So, if you're serious about a domain name, plan to keep it for life. If you're not serious about a domain name, don't put your email on it. That simple.

Don't treat your (serious) domain like an annual subscription

Domains can be pre-registered out up to 10 years ahead. My own domain expires in 2025, so I'm getting sloppy. :) Long before that I will revisit it and push it out to the max again. When I survey small businesses for domain expiry, I find only about half are set to expire more than 2 years out.

Domains are marketed in a way that encourages you to treat them like a magazine subscription or a Netflix membership, thinking they can just renew at any time. They lapse, and return a month later and find someone else has registered the domain for its cash value.

This problem is often caused by people bundling their domain name registration with their web hosting. Domains are a measly $12/year. They are often "tossed in for free" with an expensive $180 to $600+ hosting plan. That's great for the web hoster, as he controls your domain and can ransom it if there's a billing dispute such as a $2000 bandwidth overage due to blowing up on social media. If you lapse the web hosting for the wrong 30 day period, the domain can be gone for good. The hoster doesn't care and why would they sink money into registering it out a day longer than necessary?

How they profit by poaching domain names

When you let your domain lapse, and the grace period ends, in milliseconds it gets pounced on by at least a dozen different actors' automated scripts, all trying to do the same thing. Here's what it gets them.

• The ability to monetize (drive ads on) the organic traffic (links and bookmarks) to your web site, as well as any Google/Bing traffic while that holds.
• to benefit from the PageRank and other metrics which your site earned with search engines over the years. In the link economy of the Web, a link from a reputable site is worth its weight in gold. Web spammers use this to boost their spammy, scammy or lousy sites.
• To trick Google by directly hosting their junk content on your domain name.

• To attack organic/search visitors to the site with malware, Flash or PDF exploits, etc. They typically use older exploits to target people who don't keep their system updated.

  • One small company lost a site which reappeared with its earlier content. Really. The goal was to convince Google the previous owner was still in reputable control, because (they assumed) Google knew to watch for sudden content changes. A few pages were added advertising Acai Berry pills. See how this works? The site outranked the company's new real site for several years.* Normally web-spammers operate on a much larger scale than this with thousands of doorway pages, but this guy was small potatoes.

• To intercept email to your site simply to harvest email addresses.

• To use their control of your email to do password resets/gain control of your web accounts. They will discover your accounts at at smaller, less protected vendors when those vendors send their routine promotional emails.
• To sift through human email to your site looking for opportunities for con games or social hacks.

Answer 5

Yes, the scenario described is possible. As an example, it happened to Google in 2015 when they lost control of google.com, and Microsoft back in 2003 with hotmail.co.uk. Those domains got bought. For Google's case:

...He also received emails with internal information, which he has since reported to Google's security team, Ved said.

...His run of Google.com was short-lived though. Google Domains canceled the sale a minute later...

For Microsoft, who lost control of a domain for an email service, possibly putting thousands in the situation described:

[Microsoft] managed to contact hotmail.co.uk's new owner, grovel at their mistake and sort out the mess. By all accounts, hotmail.co.uk will be returned in a few days.

---

The only way to be sure that confidential emails don't leak is to own the domain indefinitely. However, as mentioned by usr-local-ΕΨΗΕΛΩΝ, you could balance your possible loss if a confidential email leaks versus the cost of owning the domain for a long time.

Practically, what you could do is replace your emails with the expiring domain on sites that you registered on. Also, inform your contacts to eschew your old email (or domain, or both).

As an additional step, hold on to the domain for a year or five and deliberately blackhole your MX records, so that senders who didn't get (or could not get) the memo would be greeted by errors. For Gmail, a sample would be

Answer 6

Yes, the new owner will be able to receive and read all your email. The only way to avoid this is to continue paying for the domain. It is not necessary to keep hosting - only pay the domain. If you prepay for 10 years, the price will be about $90 or less for .com domain. It is important to remember the expiration after 10 years and the password. If the domain is not com/net/org, the price will be higher.

Answer 7

Are there ways to prevent that or is the only option I have is to pay for the domain until I die?

Depending on who is hosting your email, you maybe able to setup an auto-responder.

Usually some kind of vacation responder is available. Either that or rule/filter can be the same thing.

If new email arrives reply "this account is no longer active please redirect your emails to ....." or "this is services is no longer available please discontinue sending emails"

Same thing with vacation responder.

https://www.rfc-editor.org/rfc/rfc1846

521 does not accept mail (see rfc1846)

I don't know if you can configure your mail server to do a 521 response or not.

Anyway after about a year of this everyone should get the idea and stop sending emails.

Answer 8

All the technical stuff has already been answered, but just to put a slightly different slant on it...

If you move house, you get your postal mail redirected to your new place, but not indefinitely. Eventually you have to assume that anyone important knows where you live and can send you mail there. And that if they don't then mail sent to the old address can potentially be opened by someone else.

I'd suggest it's the same with old domains - change your reply-to address so that it's the new domain, keep the old one for long enough to be able to reply to anyone sending you mail there, and put some effort into contacting everyone you want to stay in touch with.

Eventually, the mail sent to the old domain will trickle to nothing, and at some point along that way, you'll be happy to stop re-registering the domain.

If that point never comes, then you'll have to keep the domain forever, as others have said.