Email Communication Links Look Like Phishing

nstill

We work hard to help our staff have a healthy suspicion of emails that contain links that don't go to the right place. I understand that marketing companies (retail stores, etc) might use strange domains to track clicks that forward to the correct location (essentially forcing the user to click the tracking link to get to the right place) but for security focused companies (like 1Password), I would expect that an email purporting to come 1Password would only contain links to 1Password.com (or 1Password.ca - if the user is hosted in Canada). The use of 1Password.co smells of phishing and, while after doing quite a bit of digging, I did find the article on 1Password.com explaining that 1Password.co is a marketing domain for 1Password, I still think this cuts against the security culture and posture we want users to have when using and interacting with a password manager. My request is that either (a) you don't use tracking links (so just take me straight to the 1Password.com/1Password.ca URL) or (b) implement your tracking on a 1Password.com subdomain so the links still look valid.

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Dave_1P

Hello @nstill! 👋

We do indeed use the 1Password.co domain for marketing emails. You can find documentation here (it sounds like you've already found this article): 1Password email and marketing domains

My understanding is that a different domain is used for third-party marketing tools such as Marketo in order to sandbox those tools from the 1Password.com service for security and privacy reasons. That being said, I can see how using different domains can be confusing and I've passed your feedback along to the team internally.

-Dave

ref: PB-43551746