One thing that frustrates me endlessly is major companies’ obsession with using countless domain names for public-facing websites and services. What do I mean by this? Companies should be using one root domain for public services and stick with it.

For example, I think Google does a great job at this (for the most part). If I want to view my Google email, I go to If I want to look at my Google photos, I go to If I want to shop Google hardware, I go to This builds trust that if you’re visiting a Google service, the root domain should be, and helps to easily point out phishing attempts. A URL like immediately stands out as being phishy (pun intended) as it doesn’t contain

On the other hand, let me log in to my university Office 365 account portal, and tally up the root domain names of the services listed:

Some of these even look like phishing domains. Just for fun, I looked at similar domains for sale to see how easy it would be to just buy a similar looking domain.

A list of Microsoft video-related domains for sale
Just a quick search on Google Domains.

While is taken (and fun fact, does not take you to a Microsoft site) many similar domains like are for sale and could easily be abused by phishers. Who could blame users? It looks just as official as a real Microsoft site.

My point is, this seems ridiculous. How are normal users supposed to remember that all these different domains are controlled by Microsoft and are actually safe? Now, I understand the need for cookie-less CDN domains. But all the domains I just listed for Microsoft are right on the Office 365 portal as the “official” link to get to various services.

Microsoft has so many domains, they even have documentation on the lists of them for Office 365 and Windows so that administrators know what to whitelist in their firewalls. A brief selection of root domains:

Clearly, not all of these are owned/controlled by Microsoft, such as the certificate domains like or vendors like, but the vast majority are definitely owned by Microsoft. And good lord, is that a lot of different domain names.

While Google is certainly better (especially for their consumer services), they still have their fair share of confusing domains. Off the top of my head: (only domain with a dash?)

(I’m ignoring their public cloud domains like and

In conclusion, please use just one root domain for public services. It decreases phishing potential, promotes brand consistency, and makes it easier for regular users to identify official sites.
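
With a single root domain, "is this link official?" becomes a check a mail filter or link scanner can make mechanically. The following is an added example, not code from the original post: it assumes a hypothetical company whose only root domain is `example.com`, uses constructed sample links, and compares a naive "contains the brand" test with a match on the end of the hostname.

```python
from urllib.parse import urlsplit

OFFICIAL_ROOT = "example.com"  # assumption: the one root domain the company uses

def hostname(url: str) -> str:
    """Hostname a browser would connect to, lowercased and in ASCII (punycode) form."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
        return host.encode("idna").decode("ascii").lower()
    except (ValueError, UnicodeError):
        return ""  # unparseable input is never trusted

def naive_check(url: str, root: str = OFFICIAL_ROOT) -> bool:
    """What a hurried reader does: 'does the link contain the brand domain?'"""
    return root in url.lower()

def is_official(url: str, root: str = OFFICIAL_ROOT) -> bool:
    """True only for https URLs whose host is the root or a subdomain of it."""
    try:
        scheme = urlsplit(url).scheme
    except ValueError:
        return False
    host = hostname(url)
    return scheme == "https" and (host == root or host.endswith("." + root))

# Constructed sample links (evil.test is a reserved, non-resolving name).
SAMPLES = [
    "https://mail.example.com/inbox",       # real subdomain
    "https://EXAMPLE.com./store",           # case and trailing dot
    "https://example.com.evil.test/login",  # brand as a left-hand label
    "https://example.com@evil.test/login",  # brand in the userinfo part
    "https://evil.test/?next=example.com",  # brand in the query string
    "https://notexample.com/",              # brand as a bare suffix
    "https://ex\u0430mple.com/",            # Cyrillic 'a' homoglyph
]

def compare(urls=SAMPLES):
    """Return (url, naive verdict, strict verdict) for each link."""
    return [(u, naive_check(u), is_official(u)) for u in urls]

if __name__ == "__main__":
    for url, naive, strict in compare():
        print(f"naive={naive!s:5} strict={strict!s:5} {url!r}")
```

The strict check only works because there is exactly one root to compare against; every extra official domain becomes another entry an allowlist has to carry and a user has to remember.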