What Happened
My GitHub account was flagged by their automated abuse detection systems, blocking GitHub Actions and third-party authorizations. I navigated directly to support.github.com, completed the appeal form, passed SMS identity verification, and received a confirmation. Standard process. Then, within hours, an email arrived from a sender displaying as GitHub Developer Support.
The email was addressed to me by name. It cited my portfolio URL as the specific reason for the flag. It referenced a real ticket number — 4161662 — and contained the formatting, language, and structure of a legitimate GitHub support response. It came from developer@githubsupport.com, signed and TLS-encrypted.
I am currently studying for CompTIA Security+ and have been building threat analysis reports as part of my professional cybersecurity portfolio. I applied standard domain verification methodology. githubsupport.com is not github.com. A GitHub community post from 2024 stated explicitly that it was not a legitimate domain. I concluded the email was a phishing attempt and began documenting it as a case study.
The investigation that followed revealed something more interesting — and more troubling — than a phishing attack.
The email was real. The ticket was real. The agent was real. githubsupport.com is GitHub's legitimate support email domain, documented in their official docs. I had done everything right and reached the wrong conclusion — because GitHub's own community had been giving the wrong answer to this question for over a year.
The Investigation Timeline
GitHub's automated systems flagged the DevProgressChallenge account. I submitted a reinstatement appeal through the official support portal, including SMS verification. A genuine confirmation email arrived from GitHub. Ticket #4161662 entered the queue.
An email arrived styled as a GitHub support ticket notification. Agent "Sophia Hayes" asked for more context about how I planned to use GitHub. The email referenced ticket #4161662 and contained a link to view the ticket. Sent from githubsupport.com, signed and TLS-encrypted.
I replied twice through the email thread — once noting I had explained my situation in the original submission, and once asking for help resolving the issue. Both replies went to developer@githubsupport.com. No response for six days.
After ten days of silence, a response arrived from "Jay — GitHub Support." It cited my portfolio URL as "promotional content" violating Terms of Service and requested I remove external links from my profile and reply to confirm ToS agreement. The email contained what appeared to be an accidentally exposed internal agent note.
Applying standard domain verification: the sender domain was not github.com. A 2024 GitHub community post stated "official emails from GitHub will only come from support@github.com." The email requested a reply as resolution — a known phishing technique. Initial conclusion: phishing attack. Documentation began.
Direct navigation to support.github.com/requests/4161662 returned a 404. However, checking My Requests under the logged-in account confirmed the ticket was real, active, and had been updated — including Jay's response verbatim. The ticket and all agents were legitimate.
GitHub's official documentation at docs.github.com/en/support explicitly states: "Email communication from GitHub Support will always be sent from either a github.com or githubsupport.com address." The domain is legitimate. The community guidance from 2024 was wrong.
The Trust Gap — Three Years of Contradictions
The core finding of this investigation is not about phishing. It is about a documented, multi-year gap between what GitHub's official documentation says and what GitHub's own community tells users when they ask the same question. A security-aware user applying best practices — verify the domain, search for confirmation, do not assume legitimacy — encounters contradictory information from GitHub's own platforms and reaches the wrong conclusion through no fault of their own.
What the official docs say
What GitHub's community told users
This is not a single outdated post. The pattern spans at least two years, involves GitHub's own community infrastructure, and remains unresolved. The 2024 community response that told users githubsupport.com was fake was never corrected. The 2025 question about the same issue received no answer. In March 2026, a security professional with active cybersecurity training encountered the same gap and reached the same wrong conclusion.
| Source | Date | What it says about githubsupport.com | Accurate? |
|---|---|---|---|
| GitHub official docs | Current | Explicitly listed as legitimate GitHub support domain | Yes |
| Community Discussion #121151 | 2024 | Community moderator states only github.com is legitimate; recommends reporting as phishing | No |
| Community Discussion #175108 | Sep 2025 | User cannot confirm legitimacy; question left unanswered by GitHub staff | No answer |
| This investigation | Mar 2026 | Security professional applies domain verification best practices; concludes phishing based on community guidance | Wrong conclusion |
Why This Matters — The Security Training Paradox
Security awareness training teaches a clear, simple rule: verify the sender domain. If an email claims to be from an organization, the domain after the @ symbol must exactly match that organization's known domain. This is good advice. It stops the overwhelming majority of impersonation attacks. But it creates a specific failure mode when the legitimate organization uses a non-obvious secondary domain for real communications — and does not clearly communicate that fact.
A domain registered to impersonate GitHub support would look exactly like githubsupport.com. The domain passes every surface-level check: it sounds like "GitHub Support," it has valid DKIM signing, it has TLS encryption. There is no visual or technical signal available to a user that distinguishes it from a lookalike. The only way to confirm it is legitimate is to find the specific line in GitHub's documentation that names it — documentation that most users, including security professionals, will not find before asking the community, where they will receive the wrong answer.
CRITICALA community moderator in 2024 told a user to report githubsupport.com emails as phishing. This response has not been corrected, flagged, or removed. It remains findable via search. Any user who searches "githubsupport.com phishing" and finds this post — which is the first result for that query — will receive incorrect guidance from what appears to be an authoritative GitHub community source. GitHub has had at minimum two years to correct this and has not done so.
CRITICALDiscussion #175108 from September 2025 shows a user unable to confirm whether GitHub support communications were legitimate. GitHub staff did not respond. An unanswered question in GitHub's own community forum about the legitimacy of GitHub's own support emails is a trust infrastructure failure — it signals that GitHub does not actively monitor or correct misinformation about its own security practices in its own community.
HIGHBoth legitimate githubsupport.com emails and a hypothetical phishing domain would display identical security indicators in Gmail: "Standard encryption (TLS)" and a signed-by confirmation. These signals confirm transport security, not sender identity. A user who trusts these indicators will be fooled by phishing. A user who correctly ignores them and checks the domain will be misled by community guidance. Neither path leads reliably to the correct answer without finding the specific documentation page.
HIGHGitHub's profile UI includes a dedicated website field explicitly for personal URLs. GitHub's Acceptable Use Policy targets accounts where the primary focus is advertising or promotional marketing — not developers linking their portfolio from a dedicated profile field. The automated flag on this account appears to have been triggered by account name or activity patterns rather than the portfolio link, and Jay's response used a template that did not accurately reflect the internal assessment visible in the leaked agent note.
MEDIUMWhat the Verification Process Actually Looks Like
To illustrate the failure mode concretely: here is the exact path a security-aware user takes when they receive an email from githubsupport.com and attempt to verify it using standard methodology.
Known GitHub domains: github.com, githubusercontent.com, githubassets.com. The sender domain githubsupport.com does not appear in this list. Red flag raised.
The top search result is the 2024 GitHub community discussion where a moderator states only github.com is legitimate and recommends reporting as phishing. The user has now received official-looking guidance from GitHub's own community platform confirming their suspicion. Phishing conclusion reached.
If the user navigates to docs.github.com and finds the About GitHub Support page, they will find the explicit confirmation that githubsupport.com is legitimate. Most users stop at Step 2. The correct answer exists but is not surfaced by the verification path most users follow.
The problem is not user error. The verification methodology is correct. The failure is that GitHub's community platform — which appears as an authoritative source in search results — contains uncorrected misinformation about GitHub's own infrastructure. A user who stops at the community result has been failed by GitHub's information governance, not by their own security practices.
Recommendations
The following recommendations are directed at GitHub. They require no significant engineering investment — they are information governance and communication decisions that could be implemented quickly and would close this trust gap entirely.
Discussion #121151 currently appears in search results and tells users that githubsupport.com emails should be reported as phishing. GitHub staff should post a correction on that thread explicitly confirming that githubsupport.com is a legitimate GitHub domain. This is the highest-priority fix — it directly intercepts users at the point where they receive wrong information.
GitHub's pages about recognizing phishing and verifying legitimate communications should explicitly list githubsupport.com as an authorized domain. Currently a user researching GitHub phishing will find guidance that does not mention this domain at all, creating a gap that community misinformation fills.
Discussion #175108 from September 2025 remains unanswered. GitHub staff should monitor community discussions about the legitimacy of GitHub communications and respond authoritatively. An unanswered question about whether GitHub's own emails are real is a visible trust failure.
The simplest long-term solution is to send all support communications from a github.com address. This eliminates the trust ambiguity entirely. If operational or technical reasons require a separate domain, the documentation and community guidance around it should be treated as a security communication requirement, not an afterthought.
The confirmation email GitHub sends when a support ticket is filed could include a single line: "Replies to this ticket will come from githubsupport.com — this is a legitimate GitHub domain. Learn more: [link to docs]." This proactively addresses the verification question at the moment the user is most likely to encounter it.
For Users — How to Verify GitHub Support Emails
Until GitHub addresses the community guidance gap, here is the accurate verification methodology for GitHub support emails.
support@github.com
noreply@github.com
notifications@github.com
developer@githubsupport.com
support@githubsupport.com
Signed-by: github.com
— or —
Signed-by: githubsupport.com
github-support.com
github.support.com
githubsupport.net
git-hub.com
github.com.support.net
github-scanner.com
Any domain not ending in
github.com or githubsupport.com
The single most reliable verification step: Log into github.com directly and check your support tickets at support.github.com → your profile → My Requests. If a communication is real, it will appear in the ticket thread inside the portal. If it does not appear there, treat it as suspicious regardless of how legitimate the email looks.
| Signal | What it means | Reliable for verification? |
|---|---|---|
| Sender displays as "GitHub Support" | Display names are trivially spoofed | No |
| TLS encryption shown in Gmail | Email traveled securely from the stated domain | No — doesn't confirm domain is legitimate |
| DKIM signed | Email genuinely came from the stated domain | Partial — only if you also verify the domain |
| Domain is exactly github.com or githubsupport.com | Matches GitHub's documented legitimate domains | Yes |
| Message appears in ticket thread at support.github.com | Message originated from GitHub's real support system | Yes — most reliable check |
When Doing Everything Right Is Not Enough
The lesson I expected to write when I started this investigation was about phishing: how attackers use precise personal data and convincing impersonation to fool even security-aware users. That is a real and important topic. But it is not what this investigation found.
What it found is a different kind of failure — one that originates inside the legitimate organization rather than outside it. GitHub uses a support domain that looks like a phishing domain. Their community platform contains uncorrected guidance telling users it is a phishing domain. Their staff have left questions about this unanswered for months. And their official documentation, which contains the correct answer, is not surfaced by the verification path most users follow.
The result is that a user who has been told to verify sender domains, who searches for confirmation before trusting an unusual address, who applies security best practices correctly and consistently, can still reach the wrong conclusion — not because they were fooled by an attacker, but because they were misled by the platform they were trying to verify.
Security awareness training creates an expectation: if you verify the domain and something looks wrong, trust your instincts. GitHub's infrastructure breaks this expectation. githubsupport.com looks wrong. Community guidance confirms it looks wrong. The only way to find the correct answer requires navigating past the wrong answer. That is a trust infrastructure failure, and it has been left unaddressed for at least two years.
The fix is not complicated. A correction on one community thread, a line added to the phishing FAQ, a note in the support confirmation email. These are hours of work. The gap they would close has been misleading GitHub's own users since at least 2024.
This report documents a personal experience from March 2026 and the investigation that followed. All claims about GitHub's documentation, community forums, and support infrastructure are based on publicly accessible sources linked throughout. The GitHub community discussions referenced are publicly viewable. GitHub's official documentation on support email domains is available at docs.github.com/en/support/learning-about-github-support/about-github-su