ID.me: "Your Verified Identity Will Expire in 60 Days"

I received an email from ID.me with the quoted subject line. I found nothing suspicious about it other than I wasn’t expecting it, but I was curious, so I went down a rabbit hole.

When I viewed All Headers, I found three Received headers.

Received: by 2002:ac8:4617:0:b0:509:4988:d1e2 with SMTP id [short string]; Thu, 9 Apr 2026 20:03:12 -0700 (PDT)

Received: from mta196a-ord.mtasv.net (mta196a-ord.mtasv.net. [104.245.209.196]) by mx.google.com with ESMTPS id [really long long long string] for [my email address] (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Apr 2026 20:03:12 -0700 (PDT)

Received: from ip-172-26-21-93.us-east-2.compute.internal (172.26.21.93) by production-pmta-useast2.internal.postmarkapp.com (KumoMTA 10.97.241.182) with ESMTP id [really long long string] for [my email address]; Fri, 10 Apr 2026 03:03:12 +0000

There was also the following header.

Return-Path: pm_bounces@pm-bounces.id.me

All that told me nothing, but maybe someone here could interpret those headers and say why they suggest the message is real or fake.

Then I thought I would see if Firefox, which has my saved credentials for ID.me, would autofill my username and password when I followed the link in the email. Firefox did not autofill my credentials. Hmm. Then I typed ID.me in the address bar of a new tab and clicked Sign in. Again, Firefox did not autofill my credentials. Curious. Then I went to Firefox’s Saved passwords page and opened the link included with my credentials (api.id.me). I was redirected to https://www.id.me/, but when I clicked Sign in, I was taken to https://api.id.me/en/session/new, and again Firefox did not autofill my credentials. Then I created a new entry in the Saved passwords page for https://id.me/ (because I thought Firefox would then autofill anywhere in the domain), and again Firefox did not autofill my credentials. Then I decided to ask TidBITS Talk what was going on. What is going on?

An education, both on email headers (with an eye toward verifying authenticity) and Firefox’s saved passwords, would be appreciated. Thanks.

1 Like
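The three Received headers and the Return-Path quoted in the post above, read programmatically (an added example, not part of the thread; the function names `hops` and `return_path_under` are made up for it). It orders the hops oldest first, flags a private (RFC 1918) peer address, which has no public registrant to look up, and checks whether the bounce domain sits under id.me.

```python
import email
import ipaddress
import re
from email.utils import parseaddr, parsedate_to_datetime

# Headers as quoted in the post, top to bottom; the bracketed parts are the
# poster's own redactions.
RAW = """\
Received: by 2002:ac8:4617:0:b0:509:4988:d1e2 with SMTP id [short string]; Thu, 9 Apr 2026 20:03:12 -0700 (PDT)
Received: from mta196a-ord.mtasv.net (mta196a-ord.mtasv.net. [104.245.209.196]) by mx.google.com with ESMTPS id [really long long long string] for [my email address] (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Apr 2026 20:03:12 -0700 (PDT)
Received: from ip-172-26-21-93.us-east-2.compute.internal (172.26.21.93) by production-pmta-useast2.internal.postmarkapp.com (KumoMTA 10.97.241.182) with ESMTP id [really long long string] for [my email address]; Fri, 10 Apr 2026 03:03:12 +0000
Return-Path: pm_bounces@pm-bounces.id.me

"""

def hops(raw):
    """Return the Received hops oldest first.

    Every server prepends its own Received line, so the bottom header is the
    first hop and the top one is the last.
    """
    out = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        clauses, _, stamp = value.rpartition(";")
        sender = re.search(r"\bfrom\s+(\S+)", clauses)
        receiver = re.search(r"\bby\s+(\S+)", clauses)
        # The connecting peer's address appears before the "by" clause.
        before_by = re.split(r"\bby\s", clauses, maxsplit=1)[0]
        peer = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", before_by)
        out.append({
            "from": sender.group(1) if sender else None,
            "by": receiver.group(1) if receiver else None,
            "peer_ip": peer.group(0) if peer else None,
            "private": bool(peer) and ipaddress.ip_address(peer.group(0)).is_private,
            "time": parsedate_to_datetime(re.sub(r"\(.*?\)", "", stamp).strip()),
        })
    return out

def return_path_under(raw, org_domain):
    """True if the bounce (envelope sender) domain is org_domain or below it."""
    addr = parseaddr(email.message_from_string(raw)["Return-Path"])[1]
    domain = addr.rpartition("@")[2].lower()
    return domain == org_domain or domain.endswith("." + org_domain)

if __name__ == "__main__":
    for n, hop in enumerate(hops(RAW), 1):
        print(n, hop["from"], "->", hop["by"], hop["peer_ip"], hop["private"], hop["time"])
    print("Return-Path under id.me:", return_path_under(RAW, "id.me"))
```

Only the line stamped by your own provider (here mx.google.com) is written by a server you can trust; anything below it is supplied by the sending side.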

Some things I do when researching domains and suspicious communications:

4 Likes

I’ve used id.me in the past to deal with the Internal Revenue Service. I think that the IRS has switched to login.gov these days.

See ID.me - Wikipedia

I don’t worry about authenticity — I just never click a link in such a message. If I need to re-verify my existence or change a password, I sign directly onto the site, in this case ID.me. If I log in and there’s no further message, I’ll assume the email was bogus.

8 Likes

@ddmiller
I think the IRS only supports id.me. There were rumours that the IRS would either switch to or add login.gov but it hasn’t happened yet.

@aforkosh
Yes, that is exactly what I do too, most of the time. But if I feel motivated to drill down for some reason, I’ve found the stuff I listed to be useful.

IRS still uses ID.me and other government organizations as well.

1 Like

Another example: either the Social Security Agency or Medicare (apologies, I forget which) are moving their online user accounts from their own username/password authentication to a choice of ID.me, Login.gov or Clear.

2 Likes

It depends on the systems you are accessing. For example, I use login.gov to file non-profit Form 990s with the IRS, though ID.me is an option there, too.

1 Like

Thank you.

But what domain? I searched for postmarkapp.com; Network Solutions had no information, and GoDaddy had nothing that meant anything to me. Same for mtasv.net. One of the red flags for me was that id.me did not appear in the Received headers; I would have liked someone to have received the email from someone at id.me. (Is the first Received header at the top or the bottom of the list?)

ARIN did not recognize the IPv6 address. For each IPv4 address, it returned a link titled Policy Proposals rather than owner information.

Well, I certainly wasn’t going to enter my credentials at the link; I was seeing if Firefox would enter my credentials at the link. When Firefox did not enter my credentials, I thought maybe it was a spoofed web site. But when I typed id.me in a new tab, Firefox still didn’t enter my credentials, so that just increased my confusion.

As far as I can recall, the only place I use id.me is at Apple, when I want to visit the Apple Store for veterans.

@Will_M

Some quick thoughts:

  • If the whois info doesn’t raise any warning signs at first glance, try chatting with a generative AI, such as Google Gemini or Perplexity.ai, beginning with a request to analyze the whois record.
  • You can also ask a gen-AI to give you information about the domains. For example, an email from a business might actually originate from a company that provides the business with outbound email services (e.g. Mailchimp). So, a seemingly unrelated domain appearing in a header could be legitimate. Gen-AIs are good at surfacing this type of information.

2 Likes

An email like this has “the smell of a scam” all the way.

If the account is “going to fail in 60 days”, I’d suggest the HAL 9000 approach from “2001”:
Use it (or just “let it be”) until it fails.
Then, go directly to ID.me, and fix it there.

3 Likes

I always control click on the email and view the source. But as has been said, just go to id.me and verify the email; if it’s not there, it’s bogus. Then move on!

FWIW, dealing with the IRS via id.me: they now assume most everyone uses a mobile smartphone to pay online, BUT it is possible to use a desktop. The problem is that directions are hard to find and somewhat convoluted. There is a NEW requirement to scan in both sides of a ‘photo ID’ (or passport or govt ID of some kind) AND either communicate via phone with a live person or be able to provide a LIVE view of yourself with the equivalent of FaceTime or Zoom or ???, which they completely control, as long as you have a ‘camera’ set up and on so they can compare the live view with your supplied photo ID. After completion online, sending money to the IRS via online worked. Get used to multi-step verify. I use an M2 mini and Safari and YubiKey and Sequoia, which, although a bit convoluted to find out how, does/did work.

1 Like

Just want to add I don’t think individuals are required to verify their identity using id.me to send payments to the IRS. I use a US Treasury service, EFTPS, that connects to login.gov for account setups and logins. (Note that it appears the IRS is phasing out its use of EFTPS.) The replacement for EFTPS, Direct Pay, doesn’t seem to require any kind of IRS login or IRS account.

1 Like

Correct. I’ve been using DirectPay (as an ACH from my bank account) for many years now. You need to provide some ID information on a web form, but nothing beyond what you’d expect the IRS to need (SSN, name, address and a number from a prior year’s tax filing). No need to create any accounts.

1 Like

I think the OP was saying that the ID.me account had to be set up using the parameters the IRS requires in order to have the account with IRS in the first place. After that, online payments can be utilized in various ways, such as using a bank account, which is what I do. But I recall the initial setup some years ago to be a bit of a hassle if you didn’t get your face to scan properly.

Many US government sites now let users choose ID.me or login.gov, didn’t used to be that way. I have both, they were created at different times for different US gov’t sites. Now that many sites let you use either/or, I get somewhat confused each time I log in to a different site. Thank goodness I have it all sorted out in 1Password notes, otherwise I’d end up locked out of everything or have to create new logins repeatedly!

This is another great example of the utility of password managers, whether it is in your browser or a third-party product. If you inadvertently click on a link that leads to a look-alike page and your password manager won’t auto fill the password, it is another line of defense against malicious websites.

4 Likes

True, but it’s not quite as black-and-white as you portray it.

Apparently failure to auto fill credentials is not evidence of a look-alike web site.

I didn’t realize that “another line of defense” implied that it was black and white. It is merely an additional layer of protection, not a foolproof one.

1 Like