Custom email domain: threat model & pros/cons?

If I were to use a custom email domain from, say, Cloudflare and connect it to my Proton/Tuta accounts, what privacy/security am I losing?

What I could think of:

  • the domain could be seized if I don’t use my legal name, so I will be locked out of accounts
  • correct me if I’m wrong, but it seems there is an easier chance to do MITM attacks for it?
  • potentially lower privacy since there are paid services to extract whoami from domain registrants

I could really benefit from easier email transfers to a new email service provider (for example, I’m way too invested in Proton ATP, and it’s really hard to switch), but I’m just trying to make a more informed decision.

I use this all the time. Love it.

I’m not sure how likely it is for a domain to be seized… so I can’t really comment on that, other than to say I’m not personally worried about it. If someone is seizing my domains, I probably have bigger problems. But you can easily hide your name and contact info - it’s a WHOIS privacy service. Some registrars charge extra for this - some don’t, like Hover.

I’m not sure why there would be more exposure to MitM attacks - if you have a particular attack in mind, please explain. You are responsible for setting up your DNS entries for routing email for your domain to your chosen email provider, but that’s not an exposure.

For privacy, see my point above.

Domains getting seized is very, very rare. Hosting a website, especially a commercial site, is a different story though. DMCA and copyright get weaponised by competitors, and for user-generated content sites there’s also the problem of dickheads sabotaging by uploading CSAM then self-reporting, etc. Obviously, domains sending spam will be seized or suspended too if reported, those “cold email outreach” mass spam operations. For domains used for personal email, the chances of getting in trouble are close to zero.

The odds of your domain being seized if you do not use it for illegal activities are near zero. You can also simply use a domain service like njalla, incognet, etc. to own the domain in their name, and at that point you bear a near-zero risk. This is especially the case if you are simply using it for email and won’t be doing anything which will prompt bigger authorities to send complaints to the registrar.

For privacy, it just depends who you are using as registrar. A lot offer privacy services to hide info from WHOIS - Cloudflare offers this too iirc. I honestly don’t remember the last time I ran a WHOIS query where any contact info was public.