All users are equal. Some users are less equal than others.

If your service or organization provides email to your users, there are certain usernames that you should reserve.

This article goes through the different usernames that you should disallow your users from using.

Email validation for SSL certificates

One process to validate ownership of a domain is email verification. You can often choose between the usernames listed in your domain's WHOIS record and a fixed list of usernames.

The consensus for most SSL-providers seems to be the following list of usernames:

  • postmaster @domain.com
  • webmaster @domain.com
  • hostmaster @domain.com
  • admin @domain.com
  • administrator @domain.com

But this is not true for all SSL-providers. CERT KB 591120 writes that the provider SSLHost allows these additional usernames to verify the ownership of the domain:

  • ssladmin @domain.com
  • root @domain.com

2018-09-21 - root and ssladmin are still listed as valid users at https://account.buyhttp.com/knowledgebase/753/Which-email-address-can-approve-SSL-certificate-order.html

Reserved usernames in RFC2142

RFC2142 describes standardized usernames for contacting personnel at an organization.

Network operations mailbox names

  • abuse @domain.com - Inappropriate public behaviour
  • noc @domain.com - Network infrastructure
  • security @domain.com - Security bulletins or queries

Mailing list administration mailbox

  • list @domain.com
  • list-requests @domain.com

Domain name service administration mailbox

  • hostmaster @domain.com

Autonomous System Mailbox

  • as1234 @domain.com - Example for AS number 1234

Business Related Mailbox Names

  • info @domain.com - Packaged information about the organization, products and/or services
  • marketing @domain.com - Product marketing and marketing communications
  • sales @domain.com - Product purchase information
  • support @domain.com - Customer Services
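
A signup-time check built from the lists above, as an added example (not code from the original article). The function names are hypothetical, and it assumes usernames are matched case-insensitively and that Unicode compatibility forms are folded before comparison.

```python
import re
import unicodedata

# Mailboxes the article says certificate providers accept for domain validation.
CERT_VALIDATION = frozenset({
    "postmaster", "webmaster", "hostmaster", "admin", "administrator",
    "ssladmin", "root",
})
# RFC2142 mailbox names listed in the article.
RFC2142_NAMES = frozenset({
    "abuse", "noc", "security", "list", "hostmaster",
    "info", "marketing", "sales", "support",
})
# Pattern-shaped names: "as" + AS number, and mailing list request addresses.
# The article writes "list-requests"; "-request" is the suffix in RFC2142 itself.
AS_MAILBOX = re.compile(r"as[0-9]+")
LIST_REQUEST = re.compile(r".+-requests?")


def normalize(username):
    """Fold a requested username the way a case-insensitive mail system would."""
    # Assumption: NFKC folding is applied so compatibility characters such as
    # fullwidth letters cannot be used to register a look-alike of a reserved name.
    return unicodedata.normalize("NFKC", username).strip().casefold()


def reserved_reason(username):
    """Return why the username is reserved, or None if it may be registered."""
    name = normalize(username)
    if name in CERT_VALIDATION:
        return "certificate validation mailbox"
    if name in RFC2142_NAMES:
        return "RFC2142 mailbox"
    if AS_MAILBOX.fullmatch(name):
        return "autonomous system mailbox"
    if LIST_REQUEST.fullmatch(name):
        return "mailing list request mailbox"
    return None


if __name__ == "__main__":
    # Constructed sample signups; the third entry is "ROOT" in fullwidth letters.
    samples = ["alice", "Admin", "\uff32\uff2f\uff2f\uff34", " AS1234 ",
               "devs-request", "asimov"]
    for candidate in samples:
        print(repr(candidate), "->", reserved_reason(candidate))
```

Run the same check when a user renames an account or adds an alias, not only at first signup.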