Wouldn't the better guidance be to use a different domain for official communication, similar to sites where you can customize the subdomain? Attackers can always come up with something you didn't think to block.
Google doesn't let just anyone make an email address on the google.com domain, for example.