Domain Name Email Verification is Contact Validation, not Authentication
Dave Piscitello
To comply with ICANN and European Union NIS2 requirements, gTLD domain registrars must verify registrant email addresses. This owner email verification process was a topic of considerable discussion prior to and during the recent ICANN meeting. Virtually every accredited registrar has a FAQ page explaining this process, and nearly every registrar has an opinion of its utility or futility.
Certain registrars want the policy left as it is. Others want the 15 days shortened and used as an anti-abuse measure. Yet others question whether tightening email verification would reduce DNS abuse. Some community members propose that registrars should only be allowed to activate domains once email verification is complete. (I can only imagine the registrar reaction…)
ICANN is caught in a “failing to see the forest for the trees” situation: neither the findings nor the proposals address the real registrant verification issue.
Your verification succeeded but it didn’t prove identity
Verification is a method for establishing authenticity or integrity of a (user) identity, and in the domain registration context, the identity of a registrant. As formulated in the article, the question under debate assumes that email is a method that authenticates a registrant.
An email address verification is not proof of identity: it’s a confirmation of control of an email inbox. It only proves that someone (or some automation) has access to that inbox at that moment.
You’ve knocked on the door. Someone answers, “Occupied!”
You now know the room is occupied.
But you don’t know who the occupant is,
when they first occupied the room, or
whether their occupancy is permanent or transient.
Email verification: contact validation, nothing more
Email verification can confirm that you reached out to a party or automation that controls an inbox and you received a response. That’s “contact-ability”.
Contact-ability is arguably the lowest bar you can set for any form of confirmation. It’s commonly used in “Email Before Download” arrangements to limit or track access to published content. It’s cheap to implement, scales well, but no cybersecurity professional would consider this an effective authentication method.
The limitations of email address verification are numerous
An email address cannot be undeniably associated with a natural person (or organization). There is an exception case - when cryptographic signatures provide non-repudiable proof of origin - but the general public and domain registrars do not typically use secure email (e.g., S/MIME, PGP).
No authority or government has established proof of identity criteria that must be met for its issuance of an email address. Anyone can create one or dozens of email addresses, free of charge. You don’t need proof of age, residence (nexus), incorporation, business presence or any legitimate evidence that the registrant is who they say they are.
Temporary, disposable, or alias emails erode what little verification value one might attribute to an email address. Many email services offer temporary or disposable email addresses. These are purposely used for anonymity or deception, or as part of legitimate criminal investigations (undercover work).
What cybersecurity professionals and investigators say about email verification
We asked prominent criminal investigators to share how they use email addresses and unsurprisingly, they exploit the ability to create an unverifiable but acceptable persona. One investigator shared that:
“As part of our research, I register accounts on hundreds of crypto investment scam websites a week. I own 20-ish domains and have a catch-all on all of them so that any email on any of the domains gets forwarded to my single webmail account that I share with my analysts… I have used thousands or possibly tens of thousands of emails to “Validate” myself on a huge variety of accounts.”
A cybersecurity colleague spoke to us about an investigation performed for a client into the use of free or temporary email addresses as usernames for accounts that were subsequently used for malicious activities (phishing, service misuse):
“We helped [them] map out a few hundred ‘free mail’ and ‘tempmail’ services that worked just like that. They found tens of thousands of accounts that were registered and ‘validated’ using emails of that type, and various researchers have collected them into “block lists” (my favorite currently has 6,933 domains that are known to be (or to have been) temporary email domains). Sadly, @gmail.com is just as easy based on the proliferation of captcha solving services, both AI-based and human-based.”
The last observation is significant.
Automation or AI can respond to verification emails. A script or an AI agent can search an inbox for confirmation emails (by sender, for example). Coded or instructed to parse the message as a human recipient would, it can then generate the required response.
Finally, an email confirmation is an “instance in time” response. You cannot know if the party that uses an email address today is the same party that used that email account at the time when the registration account was created (or any time between). Cybercriminals have hijacked IP address blocks by re-registering expired domain names to create email addresses used as contact information for delegated IP address blocks. Attackers can also identify a high-value domain name, look up the historical registrant email address, register the domain of that email address, and attempt a password reset to hijack a domain registration account.
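As an added illustration (not part of the original article, and not any registrar's own code), the check below scores registrant contact records against the three limitations described above: a disposable-mail domain, a contact email whose domain was registered after the account that depends on it, and the point-in-time nature of a successful verification. The blocklist, the record layout, the RDAP-derived creation dates and every date and domain are constructed sample data; a real registrar would feed it its own records and a live RDAP lookup.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample blocklist of disposable-mail domains. These names are
# made up for the example; a deployment would load a maintained list such as
# the community-collected ones the article mentions.
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}

# Constructed reference date for the sample run.
TODAY = date(2025, 3, 1)


@dataclass
class ContactRecord:
    """One registrant contact as a registrar might hold it (hypothetical shape)."""
    domain: str                    # the registered domain name
    contact_email: str             # registrant email on file
    account_created: date          # when the registrar account was opened
    last_verified: date            # most recent successful email verification
    # Creation date of the contact email's own domain, as a registrar could
    # fetch from RDAP. Embedded here as constructed sample data; None when
    # the lookup returned no date.
    email_domain_created: Optional[date]


def email_domain(addr: str) -> Optional[str]:
    """Return the lower-cased domain part of an address, or None if malformed."""
    local, sep, dom = addr.strip().rpartition("@")
    if not sep or not local or not dom or "." not in dom:
        return None
    return dom.lower().rstrip(".")


def is_disposable(dom: str) -> bool:
    """True if the domain or any parent domain is on the disposable list."""
    labels = dom.split(".")
    return any(".".join(labels[i:]) in DISPOSABLE_DOMAINS
               for i in range(len(labels) - 1))


def assess(rec: ContactRecord, today: date) -> list:
    """Flags explaining why a verified contact email proves less than it seems."""
    findings = []
    dom = email_domain(rec.contact_email)
    if dom is None:
        return ["unparseable-email"]
    if is_disposable(dom):
        findings.append("disposable-domain")
    # The email's domain was registered after the account that relies on it:
    # whoever holds it now need not be the party who opened the account
    # (the expired-domain re-registration pattern the article describes).
    if rec.email_domain_created and rec.email_domain_created > rec.account_created:
        findings.append("email-domain-reregistered")
    # A verification is an "instance in time" fact; flag when it has gone stale.
    if (today - rec.last_verified).days > 365:
        findings.append("verification-stale")
    return findings


def assess_all(records, today: date) -> dict:
    """Map each registered domain to its list of findings."""
    return {rec.domain: assess(rec, today) for rec in records}


# Constructed sample records covering the cases above.
SAMPLE_RECORDS = [
    ContactRecord("shop.example", "alice@corp.example",
                  date(2019, 3, 1), date(2024, 12, 1), date(2010, 5, 12)),
    ContactRecord("promo.example", "bob@tempmail.example",
                  date(2024, 1, 10), date(2024, 11, 1), date(2023, 11, 1)),
    ContactRecord("legacy.example", "admin@oldco.example",
                  date(2012, 6, 1), date(2024, 2, 20), date(2024, 2, 15)),
    ContactRecord("weird.example", "no-at-sign",
                  date(2020, 1, 1), date(2024, 6, 1), None),
]

if __name__ == "__main__":
    for domain, flags in assess_all(SAMPLE_RECORDS, TODAY).items():
        print(f"{domain}: {flags or 'no findings'}")
```

None of these flags proves the registrant is not who they claim to be; they only mark contacts for which a successful verification carries even less weight than usual, which is the point the article makes.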
Takeaway
ICANN shouldn’t burden an already exhaustingly long policy development process with debates over the existing and flawed verification method, but instead should concentrate attention on a uniform and effective registrant authentication method. Quoting one of our frustrated public safety community members, a first responder:
“Investigators and criminals have known that email verification is a farce for years … do some honest verification work”.