Added

New event field: `email.registered_domain`

Castle already provides the `email.domain` event field, reflecting the full domain from the email address. With this release, we're adding `email.registered_domain`, which reduces any subdomain to its registered part using the public suffix list.

Fraudulent domains often rotate across subdomains (`a.domain.com`, `b.domain.com`, and so on). `registered_domain` collapses those to `domain.com`, so you can match the registration itself instead of chasing individual subdomains. It handles multi-level TLDs correctly (`example.co.uk` stays `example.co.uk`, not `co.uk`), and since it's derived purely from the email address, it's present even when we've never resolved the domain.

```json
{
  "email": {
    "address": "[email protected]",
    "domain": "a.sub.domain.com",
    "registered_domain": "domain.com"
  }
}
```

As with any email or string field, you can filter on `email.registered_domain` in Explore and build Policies around it, for example blocking a whole registered domain in one rule.
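The reduction described above can be reproduced offline with the public suffix list matching rules. The following is an added example, not Castle's implementation: the function names, the five-rule subset of the list and the sample addresses are constructed for illustration, and it goes slightly beyond the text by also handling the list's wildcard and exception rules.

```python
from collections import Counter

# Constructed subset of public suffix list rules, for illustration only.
# A real deployment loads the full list published at publicsuffix.org.
PSL_RULES = {"com", "uk", "co.uk", "*.ck", "!www.ck"}

def registered_domain(domain, rules=PSL_RULES):
    """Public suffix plus one label, or None when the name is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    if not all(labels):
        return None  # empty label, e.g. "a..com"
    suffix_len = 1  # default rule "*": an unlisted TLD is a one-label suffix
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        wildcard = ".".join(["*"] + labels[i + 1:])
        if "!" + candidate in rules:
            # Exception rule wins: the suffix is the rule minus its left label.
            suffix_len = len(labels) - i - 1
            break
        if candidate in rules or wildcard in rules:
            suffix_len = max(suffix_len, len(labels) - i)
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])

def email_fields(address):
    """Derive both fields from the address string alone (no DNS lookup)."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % address)
    domain = domain.lower()
    return {"domain": domain, "registered_domain": registered_domain(domain)}

def count_by_registered_domain(addresses):
    """Group sign-ups so rotating subdomains land in one bucket."""
    return Counter(email_fields(a)["registered_domain"] for a in addresses)

# Constructed sample input.
SAMPLE = ["u1@a.domain.com", "u2@b.domain.com", "u3@a.sub.domain.com",
          "u4@mail.example.co.uk", "u5@example.co.uk"]

if __name__ == "__main__":
    for name, hits in count_by_registered_domain(SAMPLE).most_common():
        print(name, hits)
```

Counting by the full domain would spread the three `domain.com` sign-ups across three separate values; counting by the registered domain puts them in one bucket that a single rule can act on.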