Do you think any one in practice will be watching for this domain? My suspicion is that it will still work for most people, but I am ignorant, and am basing this on how competent I see people behave in general.
Moving that item up to be more prominent does sound like a good idea though
Would depend on the method. For the ones that are automated like opening a PDF - I doubt many attackers will bother blacklisting the domain in their DNS.
But for the manual ones, like opening a link - it'd probably be better to host them at a much less suspicious sounding domain.
An easier service would be if canarytokens.org allowed us to CNAME our a subdomain of our company, so the token would be sent to hj.example.com. But that would make canarytoken.org a public service, which requires funding.
Moving that item up to be more prominent does sound like a good idea though