Right now that’s an email to an address listed in whois, and I’m happy to go in and click that link annually.

I don’t need to create any new and operationally unnecessary attack surface to prove that I control the domain.