ID.me: "Your Verified Identity Will Expire in 60 Days"

I received an email from ID.me with the quoted subject line. I found nothing suspicious about it other than I wasn’t expecting it, but I was curious, so I went down a rabbit hole.

When I viewed All Headers, I found three Received headers.

Received: by 2002:ac8:4617:0:b0:509:4988:d1e2 with SMTP id [short string]; Thu, 9 Apr 2026 20:03:12 -0700 (PDT)

Received: from mta196a-ord.mtasv.net (mta196a-ord.mtasv.net. [104.245.209.196]) by mx.google.com with ESMTPS id [really long long long string] for [my email address] (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Apr 2026 20:03:12 -0700 (PDT)

Received: from ip-172-26-21-93.us-east-2.compute.internal (172.26.21.93) by production-pmta-useast2.internal.postmarkapp.com (KumoMTA 10.97.241.182) with ESMTP id [really long long string] for [my email address]; Fri, 10 Apr 2026 03:03:12 +0000

There was also the following header.

Return-Path: pm_bounces@pm-bounces.id.me

All that told me nothing, but maybe someone here could interpret those headers and say why they suggest the message is real or fake.

Then I thought I would see if Firefox, which has my saved credentials for ID.me, would autofill my username and password when I followed the link in the email. Firefox did not autofill my credentials. Hmm. Then I typed ID.me in the address bar of a new tab and clicked Sign in. Again, Firefox did not autofill my credentials. Curious. Then I went to Firefox’s Saved passwords page and opened the link included with my credentials (api.id.me). I was redirected to https://www.id.me/, but when I clicked Sign in, I was taken to https://api.id.me/en/session/new, and again Firefox did not autofill my credentials. Then I created a new entry in the Saved passwords page for https://id.me/ (because I thought Firefox would then autofill anywhere in the domain), and again Firefox did not autofill my credentials. Then I decided to ask TidBITS Talk what was going on. What is going on?

An education, both on email headers (with an eye toward verifying authenticity) and Firefox’s saved passwords, would be appreciated. Thanks.

1 Like

Some things I do when researching domains and suspicious communications:

3 Likes

I’ve used id.me in the past to deal with the Internal Revenue Service. I think that the IRS has switched to login.gov these days.

See ID.me - Wikipedia

I don’t worry about authenticity — I just never click a link in such a message. If I need to re-verify my existence or change a password, I sign directly onto the site, in this case ID.me. If I log in and there’s no further message, I’ll assume the email was bogus.

5 Likes

@ddmiller
I think the IRS only supports id.me. There were rumours that the IRS would either switch to or add login.gov but it hasn’t happened yet.

@aforkosh
Yes, that is exactly what I do too, most of the time. But if I feel motivated to drill down for some reason, I’ve found the stuff I listed to be useful.

IRS still uses ID.me and other government organizations as well.

1 Like

Another example: either the Social Security Agency or Medicare (apologies, I forget which) is moving their online user accounts from their own username/password authentication to a choice of ID.me, Login.gov or Clear.

2 Likes

It depends on the systems you are accessing. For example, I use login.gov to file non-profit Form 990s with the IRS, though ID.me is an option there, too.

1 Like

Thank you.

But what domain? I searched for postmarkapp.com; Network Solutions had no information, and GoDaddy had nothing that meant anything to me. Same for mtasv.net. One of the red flags for me was that id.me did not appear in the Received headers; I would have liked someone to have received the email from someone at id.me. (Is the first Received header at the top or the bottom of the list?)

ARIN did not recognize the IPv6 address. For each IPv4 address, it returned a link titled Policy Proposals rather than owner information.

Well, I certainly wasn’t going to enter my credentials at the link; I was seeing if Firefox would enter my credentials at the link. When Firefox did not enter my credentials, I thought maybe it was a spoofed web site. But when I typed id.me in a new tab, Firefox still didn’t enter my credentials, so that just increased my confusion.

As far as I can recall, the only place I use id.me is at Apple, when I want to visit the Apple Store for veterans.
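The original post asks how to read the three Received headers, and the follow-up asks whether the first Received header is at the top or the bottom and why id.me never appears in the chain. The script below is an added example, not code from the poster, from ID.me or from any of the mail providers named in the headers. It walks the Received chain in the order the message actually travelled (each mail server prepends its own Received header, so the topmost one is the last hop and the bottom one is the first), pulls out the sending and receiving hosts, the bracketed IP, and the timestamp of each hop, and then reports the signals a reader would otherwise check by hand: whether the hop timestamps are consistent, whether the Return-Path bounce domain sits under the brand's domain, whether any hop host belongs to the brand at all, and whether the first hop came from a private address (which is what you would expect when a provider's internal relay hands the message to its outbound server). The sample headers are constructed from the ones quoted in the thread; the queue ids and recipient address are placeholders for the redacted values, and "id.me" is passed in as the brand domain the reader expects.

```python
"""Walk a message's Received chain and report the signals worth checking.

Added example for this thread; the sample headers are constructed from the
ones quoted in the original post, with placeholders for the redacted values.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample. PLACEHOLDER* and recipient@example.invalid stand in for
# the queue ids and address the poster redacted.
SAMPLE_HEADERS = """\
Return-Path: pm_bounces@pm-bounces.id.me
Received: by 2002:ac8:4617:0:b0:509:4988:d1e2 with SMTP id PLACEHOLDER1; Thu, 9 Apr 2026 20:03:12 -0700 (PDT)
Received: from mta196a-ord.mtasv.net (mta196a-ord.mtasv.net. [104.245.209.196]) by mx.google.com with ESMTPS id PLACEHOLDER2 for <recipient@example.invalid> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Apr 2026 20:03:12 -0700 (PDT)
Received: from ip-172-26-21-93.us-east-2.compute.internal (172.26.21.93) by production-pmta-useast2.internal.postmarkapp.com (KumoMTA 10.97.241.182) with ESMTP id PLACEHOLDER3 for <recipient@example.invalid>; Fri, 10 Apr 2026 03:03:12 +0000
Subject: Your Verified Identity Will Expire in 60 Days

"""

# "from <host> (<comment>) by <host>"; the "from" clause is absent on the
# final hop that Gmail writes for its own internal delivery.
HOP_RE = re.compile(
    r"^(?:from\s+(?P<from>\S+)\s*(?:\((?P<comment>[^)]*)\)\s*)?)?by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw_headers):
    """Return the Received hops oldest first.

    Every MTA prepends its own Received header, so the header that appears
    last in the message is the first hop. Reversing the list puts hop 0 at
    the point where the message entered the mail system.
    """
    msg = message_from_string(raw_headers)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())  # unfold continuation lines
        match = HOP_RE.match(text)
        if not match:
            continue
        # The timestamp follows the last ';'; drop comments such as "(PDT)".
        stamp = re.sub(r"\([^)]*\)", "", text.rsplit(";", 1)[-1]).strip()
        ip_match = IPV4_RE.search(match.group("comment") or "")
        hops.append({
            "from": match.group("from"),
            "from_ip": ip_match.group(1) if ip_match else None,
            "by": match.group("by"),
            "tls": "version=TLS" in text,
            "when": parsedate_to_datetime(stamp),
        })
    return hops


def domain_of(address):
    """Domain part of an address, tolerating '<...>' around it."""
    return address.strip().strip("<>").rsplit("@", 1)[-1].lower()


def assess(raw_headers, brand_domain):
    """Collect the signals a reader would otherwise check by hand."""
    msg = message_from_string(raw_headers)
    hops = parse_hops(raw_headers)
    brand = brand_domain.lower()

    def under_brand(host):
        host = (host or "").rstrip(".").lower()
        return host == brand or host.endswith("." + brand)

    bounce_domain = domain_of(msg.get("Return-Path", ""))
    origin_ip = hops[0]["from_ip"] if hops else None
    return {
        "hop_count": len(hops),
        # Timestamps must not run backwards as the message moves forward.
        "chronological": all(a["when"] <= b["when"] for a, b in zip(hops, hops[1:])),
        "bounce_domain": bounce_domain,
        "bounce_under_brand": under_brand(bounce_domain),
        "brand_in_chain": any(under_brand(h["from"]) or under_brand(h["by"]) for h in hops),
        "origin_ip_private": bool(origin_ip and ipaddress.ip_address(origin_ip).is_private),
        "delivery_hop_tls": hops[-2]["tls"] if len(hops) >= 2 else False,
    }


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE_HEADERS)):
        print(f"hop {i}: {hop['from'] or '(internal)'} -> {hop['by']} at {hop['when']:%Y-%m-%d %H:%M:%S %z}")
    for key, value in assess(SAMPLE_HEADERS, "id.me").items():
        print(f"{key}: {value}")
```

Run on the sample, the chain reads: an internal relay at a private address hands the message to the provider's outbound server, that server delivers it to mx.google.com over TLS, and Gmail writes one more hop for its own internal delivery. None of those hosts is under id.me, which is the gap the follow-up post noticed, but the Return-Path bounce domain is a subdomain of id.me, which is what you see when a company delegates its sending to an outbound email provider (the point made later in the thread about unrelated domains in headers). The script reports these signals rather than a verdict; the message's brand domain showing up only in the bounce address is a reason to keep checking, not a conclusion either way.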

@Will_M

Some quick thoughts:

  • If the whois info doesn’t raise any warning signs at first glance, try chatting with a generative AI, such as Google Gemini or Perplexity.ai, beginning with a request to analyze the whois record.
  • You can also ask a gen-AI to give you information about the domains. For example, an email from a business might actually originate from a company that provides the business with outbound email services (e.g. Mailchimp). So, a seemingly unrelated domain appearing in a header could be legitimate. Gen-AI’s are good at surfacing this type of information.
1 Like

An email like this has “the smell of a scam” all the way.

If the account is “going to fail in 60 days”, I’d suggest the HAL 9000 approach from “2001”:
Use it (or just “let it be”) until it fails.
Then, go directly to ID.me, and fix it there.

2 Likes