I suggest you ...

Allow root domain to verify subdomains

This idea can be broken down into two seperate ideas, I'd be happy with either.

1. When registering to monitor a domain that is a subdomain of another, for example subdomain.domain.com, the verifcation email should be able to be sent to postmaster@domain.com.

2. Allow an option to monitor a domain and all subdomains.

103 votes
Sign in
Password icon
Signed in as (Sign out)
You have left! (?) (thinking…)
Benjamin Maynard shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →


Sign in
Password icon
Signed in as (Sign out)
  • MysticJ commented  ·   ·  Flag as inappropriate

    Completely agree with the need to able to monitor subdomains from domain.tld if I can proof to be in control of domain.tld. Disagree on sending the results of any subdomain to any address where the requester is not able to proof to be in control of THAT subdomain or the domain.

    Hint: mail addresses belong to an account stored on a server, so basically if you add a server named "mail" that account is created as account@mail.domain.tld. But that is certainly not a subdomain called "mail". I am not sure if the discussion and the offered solution is capable to cover that setup.

  • Martin commented  ·   ·  Flag as inappropriate

    This thread is about SUB-domains, not domains as such. I see nothing in the link below that suggest that you're able to get alerts on subdomains. We do monitor our main domain name, but the problem is that none of our users have the mail address that ends with our domain, only with subdomains.

  • D commented  ·   ·  Flag as inappropriate

    I'm concerned only with #2: Option to monitor a domain. If we leave the TXT record in the domain, then perhaps you could alert us when there is any new breach containing emails from that domain.

  • Martin commented  ·   ·  Flag as inappropriate

    Any suggestions to work around this?
    We have over 400 subdomains at the university where I work. Far from all have their own abuse address, and even if they had, it would be quite a bit of work to add them all. The torrent that recently surfaced showed us the scope of employees using their work addresses for private reasons, but I'd much prefer being able to contact users based on haveibeenpwned information. Especially since - as you stated on twitter - there is no way to know where and when the email/password combos came from in that particular dump.

    Thank you. :)

  • Magnus commented  ·   ·  Flag as inappropriate

    We are a university with hundreds of subdomains and there is no way we can register all with the domain search. To let a domain monitor subdomains would be fantastic.

  • Amivit commented  ·   ·  Flag as inappropriate

    I would really like to see this implemented as well. I own a domain with GoogleApps for email, and a "catch-all" that forwards all emails to my inbox.
    So when I register for sites, I use stackexchange@domain.com or facebook@domain.com for example.
    If I could be notified for any & all breaches for the emails on my domain, it would be amazing!

  • Anonymous commented  ·   ·  Flag as inappropriate

    Comment on 1:

    This is a bad idea for third level domain owners, such as mywebsite.co.uk, or someone with a free domain such as mywebsite.freehost.com.

Feedback and Knowledge Base