
They have a point though, when you rely on a domain you’ve gotta be cautious. If I buy your domain when you forget to renew it I can then do password resets against any accounts you used an email on that domain with.


It would be nice if web services offered an option to disable this misfeature per account, or better yet offer to upload the user's PGP key and encrypt all outgoing email with it, incl. the password reset email.


I think Facebook (surprise surprise) offered a feature like this. I no longer use it and don't know if my memory serves me right.



