Unicode Domains are bad

and you should feel bad for supporting them

Posted by vgrsec on February 19, 2017


I'm going to begin by caveating my opening statement by saying unicode domains improve accessibility to the internet, and that's a good thing, just unicode is so broad, there are many opportunities for lookalike domain spoofing, and that's bad.

I discovered during a discussion with @jaredhaight that unicode domains were a thing. We immediately joked about how bad this was, so I went about registering some test domains and ran some test cases to determine how well they were supported across various ecosystems. The following is an exploration of unicode domain names and how they're interpreted across various platforms as of Feb 2017.

Also thank you to @scholar_99 for help with the Android screenshots.

TLDR: Conclusion

My conclusion is this: unicode support is broad enough to make for some vicious phishing campaigns. There's some effective mitigations, googles outright blockage of unicode domains is probably the most aggressive, Microsoft's conversion to ASCII is functional. One thing I didn't test, is if my local language settings matched that of the unicode character used, if the unicode character would show instead. I think ultimately that's the only way to balance accessibility with security. IE: if my device is EN-US the character set displayed should only be EN-US characters.


So, first of all, not all registrars are setup to support unicode domain registration. I'm not going to suggest one over the other, it's just something to be aware of. (Cough, Dreamhost, my preferred hosting provider, does not)

All of the test cases you will see were performed with https://www.gṃail.com (Unicode) OR https://www.xn--gail-qd5a.com (ASCII) depending on unicode support. In case it's not clear is the naughty character in this story and of course, I'm obviously spoofing gmail.com.

I tried to find an email provider who’d let me roll with a Unicode domain, Microsoft, Google, and Zoho all said No, Yandex said yes, but failed after I tied the domain to their service. However, here’s something interesting, Google and Zoho's font calls out that my is not a standard character.

Thankfully, despite the big players saying no, the hosting company I registered my domain with, said yes.

I set up Outlook 2016 as my email platform, the auto configuration settings however converted my unicode domain to the ascii equivalent, however once the auto configuration wizard was done, I was able to go back into account settings and use the unicode domain.

I then went about testing different clients and email providers for support.

Receiving email from a unicode domain (Websites)

All emails sent from Outlook 2016, Web browser support tested in Chrome 56 for Windows. Note I've bundled outlook.com and office 365 support because they reacted the same way, no reason to provide an extra set of screenshots.


Emailing gmail from my unicode domain failed hard, some searching confirms this has been true since at least 2015.

host gmail-smtp-in.l.google.com []
SMTP error from remote mail server after end of data:
550-5.7.1 [] Our system has detected that this message is
550-5.7.1 attempting to use a domain name that does not meet our domain name
550-5.7.1 policies. Please visit
550-5.7.1 https://support.google.com/mail/?p=DomainNameError to review our Bulk
550 5.7.1 Senders Guidelines. m62si1920168oig.260 - gsmtp

Microsoft - Outlook & Office 365

This worked. Outlook/Office 365 displayed unicode in the inbox, however, once in the preview pane, or in the email itself it showed the name in unicode, but the email address as ASCII (Screenshots below)

Note Outlook/Office 365 was able to respond to the unicode domain.


This worked. Yahoo displayed unicode everywhere! The email address, the name, everywhere. (Screenshots below)

Note the second vgrsec@gmail.com was a test to determine why the email was highlighted in red

It turns out that if you try to reply to a unicode domain'd email in yahoo, it fails. That red wasn't a security warning, it was a validity warning.

Receiving email from unicode domain (Apps)

The unicode support in iosmail is great, just the best.

The unicode support in iosmail is great, just the best.

Since Windows applications largely rely on system fonts it's not surprising the unicode domain is supported throughout Outlook.

URL Support

URL Support for unicode domains appears to vary wildly. I'll sum up some tests and findings, then proceed with screenshots.

Slack-ios Converts unicode into ASCII
iMessage-ios Rrenders the unicode domain and provides a preview of the link
Text Message-ios Renders unicode domain.
GChat-ios/web Limited support for unicode domain.
The link appears to work for a short time, then the link breaks at the unicode character
Safari-ios Renders unicode domain
Chrome-ios/Windows/Android Renders unicode domain
Firefox-Windows Renders unicode domain
IE11 Converts unicode into ASCII
Text Message-Android 7.1 Renders unicode domain
Ghostery-Android Converts unicode into ASCII