Possibly even just sending an email (without verification) to the WHOIS contact at the time they are added to the preload list might help?

From lessons with the PSL, I seriously doubt this will help. Also, the PSL volume is outpacing HSTS, we just have less automation (intentionally) so it doesn't appear as such.

Well, requiring WHOIS confirmation would provide accountability.
That way, rather than saying "you sent the header asking to be preloaded, that's all we know", we could literally have an accountability trail.

It's not a priority for us (it doesn't solve problems like scaling, and like site operators changing their mind once they hit stable), but some of the site operators who email me would certainly be less indignant.

Sure, I get that. The PSL explicitly moved away from email validation, for a variety of reasons (spoofability of address, difficulty determining whether the requestor was properly authorized, private registrations). We switched to an automated solution (require a TXT record) because of this. But I mean, if you're trying to make sure that the 'domain manager' has authorized the request (and not just a user who can add a header), I'd suggest the TXT record approach moreso than whois. See https://github.com/publicsuffix/list/wiki/Guidelines

rsleevi@: Thanks for the link; I didn't know those details about the PSL!

Indeed, I think the TXT record approach is more practical than email, even if it has its own challenges. (I currently ask for TXT records if a small site wants to get taken off but doesn't serve valid HTTPS anymore.)

But I'd still love to avoid both if at all possible. :-/

A different take on the idea from Twitter [1]:

When example.com is submitted, send a courtesy notification email to some subset of {security, webmaster, admin}@example.com.
The email would serve as an extra confirmation in the case the webmaster actually wants the site to be preloaded, and would hopefully help catch a significant amount of accidents before they reach  Issue 527947 .

I think the opportunity cost of implementing courtesy emails is low, as long as the submission site and email itself make clear that the email is a best-effort courtesy email, and that the HSTS header on the site itself is responsible for control over requesting to be preloaded.

[1] https://twitter.com/tunetheweb/status/773629312931168260

I would strongly advise against sending to admin@ - this isn't defined anywhere, and so it's not necessarily reasonable to assume it goes somewhere actionable/don't cause issue.

That said, {webmaster, hostmaster, security}@ are arguably suitable contacts, and defined within RFC 2142 (setting aside whether or not anyone directly implements it, it's reasonable to expect that it's at least known). Going further would be using the whois contact email for technical / administrative contacts, since the policies set would affect all secure connections (since HSTS is port-insensitive), and that would at least be consistent with the logical purpose.

Thanks, that's good to know.

Do you know if there is there a consistent way to get WHOIS contact email programmatically?
On occasion, I've had to do some pretty sketchy manual lookups (over HTTP!) to get full WHOIS info for some ccTLDs.

For some ccTLDs, that's all there is. For gTLDs, ICANN is trying to promote RDAP, which is programmatic. https://www.icann.org/public-comments/rdap-profile-2015-12-03-en