To my knowledge, there's no common standard for sysadmins to publish trusted domains for specific use cases.
If it exists, I would presume that this might limit phishing attacks. Think of my question here as an extension of SPF/DMARC/DKIM, where you go beyond simply saying which domains are authorized and also say what each domain should be used for.
For instance, if I delegate support desk to zendesk.mydomain.com but Zendesk gets hacked and starts sending fake forgot password emails, you can mitigate that by telling email providers that zendesk.mydomain.com isn't designated for that purpose.
Beyond the infosec concern, I think this would yield some user experience benefits as well. Thinking of myself as an end user, I would want this feature so that I could proactively manage my inbox when signing up for a new website such as marketing emails, policy change announcements, order receipts, forgot password emails, etc. Without an official record to check, you have to guess. And even if you guess right, a sysadmin can change email addresses without giving any notice.
To illustrate the idea I'm looking for, there are a couple of solutions I can think of that could achieve this:

- `robots.txt` to suggest how bots engage with web content.
- `/.well-known/security.txt` for contact info and standard operating procedure to notify admins of infosec concerns.
Would anyone happen to know of a solution that fits this use case? I feel like it's such an obvious thing that there should be something out there even if it's not exactly like the examples I've mentioned so far. Also interested to hear what problems or concerns complicate this idea.
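As an added illustration of the idea (not code from the poster, and not an existing standard): a hypothetical, constructed "purpose policy" format mapping each sending subdomain to the mail purposes it is designated for, and a check that flags the Zendesk password-reset scenario above. The policy text, the `purpose` label passed in, and the file format are all assumptions; classifying a real message into a purpose is left to the caller.

```python
"""Hypothetical per-subdomain sender-purpose policy (assumed format, not a standard)."""

# Constructed sample policy for mydomain.com, in an assumed line-oriented format:
#   <sending domain>: <comma-separated purposes it is designated for>
SAMPLE_POLICY = """\
# purpose policy for mydomain.com (hypothetical)
zendesk.mydomain.com: support
mail.mydomain.com: password-reset, receipts, policy-changes
news.mydomain.com: marketing
"""


def parse_policy(text: str) -> dict[str, set[str]]:
    """Parse the assumed policy format into {domain: {purpose, ...}}.

    Blank lines and '#' comments are ignored; domains and purposes are
    lower-cased so lookups are case-insensitive, like DNS names.
    """
    policy: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain, sep, purposes = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        policy[domain.strip().lower()] = {
            p.strip().lower() for p in purposes.split(",") if p.strip()
        }
    return policy


def sender_domain(from_addr: str) -> str:
    """Extract the domain part of an RFC 5321-style address such as 'x@a.b'."""
    local, at, domain = from_addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {from_addr!r}")
    return domain.lower()


def evaluate(policy: dict[str, set[str]], from_addr: str, purpose: str) -> str:
    """Return 'allowed', 'mismatch' (domain not designated for this purpose),
    or 'unlisted' (domain publishes no entry; fall back to SPF/DKIM/DMARC only)."""
    allowed = policy.get(sender_domain(from_addr))
    if allowed is None:
        return "unlisted"
    return "allowed" if purpose.lower() in allowed else "mismatch"
```

A receiver would treat "mismatch" the way DMARC treats an authentication failure: a signal for quarantine or for a warning banner, not proof of compromise on its own.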