A few weeks ago I received an unsolicited email to help enhance my Search Engine Optimization (SEO) for one of my web sites. Honestly, I don’t remember which site, because I didn’t get much past the fact that this solicitation came from a Gmail email address.

First, let me state my view for context. I have run two businesses for many years – an information security consulting firm for seven, and an independent publishing firm for eleven. In both cases, one of the first, if not the first, steps I took was to register a custom domain for each. I have always thought of this as a basic business necessity. It’s a very low cost of doing business and it provides an initial sense of professionalism that a public email address (e.g., gmail.com, outlook.com, and even AOL.com) cannot convey.

I thought that everyone who was serious about starting a business did this. Yet that SEO offering was the latest in a string of unsolicited emails from self-professed firms (not individual subject matter experts) with these generic, public email addresses. I was unsure how my view aligned with others, hence this poll.

The Poll

I created a poll in a post reflecting what I was thinking in the moment: “A Gmail or similar public email address screams unprofessionalism to me. I never consider doing business with any who are promoting services. A custom domain doesn’t cost much. Do you agree?”

In the poll text, I neglected to add “and similar public email addresses”, an omission which did cause some confusion. The poll categories and their results are below.

Do you care if a potential business partner/provider uses a Gmail address for business communications? If so, why?

Yes, it is unprofessional: 31%
Yes, it’s a security risk: 18%
No, doesn’t bother me: 48%
Other (explain in comments): 4%

I was somewhat surprised that the aggregate of “yes” responses wasn’t higher, and that nearly half saw no issue with using such email addresses. But, as the comments came in, I realized a significant flaw in my poll. I was not clear that my intent was focused on businesses, not individuals. Several responses incorrectly assumed I meant that such addresses were inappropriate for other professional communications, such as applying for a position. I absolutely do not support that.

Others thought I was dismissing the usefulness of Gmail completely, which was also not my intent. I was focused solely on email addresses with the public email domain. One can easily procure a custom domain and use a Google account to send and receive email under the custom domain name.

A few thought I was advocating for standing up a self-hosted email server. For most SMBs, that’s simply not a good alternative. The administrative and potential security tradeoff, not to mention the needed skill set, is not worth it. As one response put it, “Interesting subject, think some have missed the point with the custom domain. Not a question of having to host email services. Just simply using a custom domain.”

These issues likely had a significant effect on the poll, skewing more votes to the No option. They also reminded me of the need to be as precise as possible when constructing a poll. The effect was particularly magnified in this one, which went somewhat viral with over 400,000 impressions and 5,000 responses.

SMB Considerations

What does this mean for small and midsized businesses? As I was crafting the poll I realized there are also significant information security implications of using generic domain addresses. A simple one is they are more likely to be caught in a spam filter.

Conversely, as one response noted, generic domain addresses are also much easier to impersonate (or, I would clarify, to give the impression of impersonating) for scamming or phishing. Another respondent expanded on this: “One of my personal concerning scenarios when dealing with gmail accounts/addresses. Anyone can impersonate your address scheme. From my outsider POV company-user-1@gmail is going to hold the same weight as company-user-54@gmail.”

A potentially more impactful consequence is that such addresses are difficult to defend against. From one response, “It’s easier for the authorities to shut down a scammer’s domain and/or folks to blacklist them than to do the same for bogus gmail (or similar) accounts.” For that reason, many organizations opt to ban or heavily restrict public domain email addresses. Conversely, it’s easier to manage whitelisting by domain than by individual email addresses.
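The domain-versus-address trade-off described above, as an added example that is not part of the original post: a sender policy in which custom domains can be trusted as a whole, while senders on public mailbox domains can only be trusted one address at a time. The domain names, policy sets and verdict labels are assumptions, and the check presumes the From domain has already passed the receiving server's sender authentication.

```python
from email.utils import parseaddr

# Constructed sample policy; every value here is an assumption for illustration.
PUBLIC_MAILBOX_DOMAINS = {"gmail.com", "outlook.com", "aol.com"}
ALLOWED_DOMAINS = {"partner.example"}             # custom domains trusted as a whole
ALLOWED_ADDRESSES = {"company-user-1@gmail.com"}  # per-address exceptions


def sender_parts(from_header):
    """Return (address, domain) in lowercase, or (None, None) if unparsable."""
    _, addr = parseaddr(from_header)
    local, sep, domain = addr.strip().lower().rpartition("@")
    domain = domain.rstrip(".")
    if not sep or not local or not domain:
        return None, None
    return f"{local}@{domain}", domain


def policy_errors(allowed_domains=ALLOWED_DOMAINS):
    """A public mailbox domain on the domain allowlist would admit every
    account on it, so report any such entry as a policy error."""
    return sorted({d.lower() for d in allowed_domains} & PUBLIC_MAILBOX_DOMAINS)


def classify(from_header):
    """Verdict for an already-authenticated From header."""
    addr, domain = sender_parts(from_header)
    if addr is None:
        return "reject"
    if addr in ALLOWED_ADDRESSES:
        return "allow"            # one list entry per trusted public-domain sender
    if domain in PUBLIC_MAILBOX_DOMAINS:
        return "restrict"         # company-user-54@gmail looks just like user-1
    # Match the domain itself or a true subdomain, never a bare string suffix.
    if any(domain == d or domain.endswith("." + d) for d in ALLOWED_DOMAINS):
        return "allow"            # one list entry covers the whole custom domain
    return "default"


if __name__ == "__main__":
    for header in ['"Acme SEO" <company-user-54@GMAIL.com>',
                   "company-user-1@gmail.com",
                   "Billing <billing@mail.partner.example>",
                   "x@notpartner.example"]:
        print(f"{classify(header):9} {header}")
```
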

Additionally, as one respondent noted, “You should always own your email address (business and personal). If tomorrow you’re not happy with Google’s privacy policy or they decide to boot you for whatever reason, you can take your custom domain elsewhere (just point your MX records to the new provider)…”

Several made the case that for small businesses not involved with information security or technology such addresses may be appropriate. I agree with this to an extent. For example, for contractors who have performed work on our house, when there was a non-custom email address it didn’t concern me.

Still, there is perception to consider. As one put it, “In my opinion you are representing your brand, represent it and be proud of it!” But others pointed out that while not expensive, for SMBs that already have razor-thin margins, funds for custom domain names may be better directed elsewhere.

What’s the best direction? Perform a risk assessment. Do your business and brand stand to benefit from a custom domain or not? List the risks both pro and con for your business, using available resources including the information presented here as a guide, because there is no one size fits all. But you, as the SMB owner or executive, need to be informed of the risks of all options to make that decision.