PyPI: Preventing Domain Resurrection Attacks (pypi.org)
5 points by miketheman 5 months ago | hide | past | favorite | 2 comments


> If your PyPI account only has a single verified email address from a custom domain name, add a second verified email address from another notable domain (e.g. Gmail) to your account.

Isn't that just increasing the attack surface for all account holders following that suggestion for all cases but domain expiry?


PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over PyPI accounts through password resets.



