>Using my Google Apps email address with a custom domain feels nice but it has a chance of being stolen if the domain server is compromised.
Sigh
I use Google Apps exactly so that I have control over the domain and am not subject to the good will of Google. I had never thought of this particular problem. Now I don't know what to do.
This really boils down to who is a better sysadmin: you or the Google SREs. Choose reliable and paranoid providers that actually verify your identity before shenanigans and you can mitigate the entry vector.
Yeah, I disagree with Naoki's conclusion. I'm pretty sure he just didn't have 2FA turned on with GoDaddy (which I understand - I didn't think to turn 2FA on with my provider until I read his story).
The real solution is to use a DNS registrar and DNS hosting that properly verifies your identity before allowing changes. Google Apps has nothing to do with it, and in fact has enabled 2-factor auth for a long time. Everyone should be using it.