Email verification – what are we verifying

One of the ongoing discussions in the email space is the one about address verification. Multiple companies have sprung up to do “real time” email address verification. They ensure that addresses collected at the point of sale are valid.

But what does valid mean? In most of these contexts, valid means that the addresses don’t bounce and aren’t spam traps. And that is one part of validating email addresses.

That isn’t the only part, though. In my opinion, an even more important thing to validate is that the email address belongs to the person giving it to you. The Consumerist has had an ongoing series of articles discussing people getting mis-directed email from various companies.

Today the culprit is AT&T, who are sending a lot of personal information to an email address of someone totally unconnected to that account. There are a lot of big problems with this, and it’s not just in the realm of email delivery.

The biggest problem, as I see it, is that AT&T is exposing personally identifiable information (PII) to third parties. What’s even worse, though, is that AT&T has no process in place for the recipient to correct the issue. Even when notified of the problem, support can’t do anything to fix the problem.

I contacted the live chat support for this account (since the notification emails are “do not reply”) to have a support rep help their customer correct their account. However, the support rep said there was nothing they could do, that I should not receive emails too often, and to try calling their business customer myself to get it fixed.

The inability to make corrections on data is not unique to AT&T. There are a lot of places where if someone incorrectly attaches an address (or phone number, or SMS number) to an account there is no recourse for the person who actually owns that address. Over the holidays someone attached my phone number to their Yahoo account, resulting in me getting SMS messages about password and secret question updates. There was no way for me to tell Yahoo “not my account” so I just had to deal with the SMS messages until the person involved figured it out and took my number off the account.

Verifying email addresses as valid is great. But just because an address is valid does not mean that it belongs to that customer.

I see a lot of places pushing address verification as a fix for poor delivery. And it will be in most cases. The problem is, poor delivery is simply a symptom of not verifying that the recipients are customers. Sending only to valid addresses doesn’t stop spam to 3rd parties when customers give wrong but totally valid addresses.

Every company should send out a welcome message that allows recipients to confirm that they are the right person. Every company should take steps to stop releasing PII to third parties. Every company should think about more than just whether an address is valid; they should verify that the address is valid for their customer.
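One way to build the welcome-message check described above, as an added example that is not from the original post or from any company it names. All names (`register`, `handle_link`, `may_send_pii`, the in-memory `accounts` store, the secret and the one-week lifetime) are hypothetical. The welcome mail carries two signed links, "confirm" and "not me", and account details are withheld until the recipient confirms.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: a per-deployment secret
TOKEN_TTL = 7 * 24 * 3600          # assumption: confirm links last a week
accounts = {}                      # account_id -> {"email", "state"}

def _sign(account_id, email, action, expires):
    # Bind the token to account, address, action and expiry.
    msg = f"{account_id}|{email.lower()}|{action}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def register(account_id, email, now=None):
    """Attach an address as unverified; return tokens for the welcome mail's two links."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    accounts[account_id] = {"email": email, "state": "unverified"}
    return {a: f"{expires}.{_sign(account_id, email, a, expires)}"
            for a in ("confirm", "not_me")}

def handle_link(account_id, action, token, now=None):
    """Process a click; the recipient needs no login, only the mailed token."""
    now = int(time.time() if now is None else now)
    acct = accounts.get(account_id)
    if acct is None or acct["email"] is None or action not in ("confirm", "not_me"):
        return False
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    expected = _sign(account_id, acct["email"], action, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    if action == "confirm":
        if now > expires:
            return False
        acct["state"] = "confirmed"
    else:
        # "Not me" is honoured even after expiry, and detaches the address
        # so later mail (and any replayed confirm link) goes nowhere.
        acct["email"], acct["state"] = None, "disowned"
    return True

def may_send_pii(account_id):
    """Account details go only to an address its recipient has confirmed."""
    acct = accounts.get(account_id)
    return acct is not None and acct["state"] == "confirmed"
```

Because the token is the proof of mailbox control, the person who actually owns the address can detach it without being the account holder, which is the recourse the post says is missing.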

2 comments

  1. Huey says

    It gets better. Suppose someone (hypothetically, let’s say, an ex-wife) signed up for someone’s service with your phone number. Again, hypothetically, let’s suppose this was Cox Communications. And then, let’s suppose that this person didn’t pay their bill for long enough that collection agents became involved. So, along with that company’s own accounts receivable, they’d also handed your phone number off to a whole co-reg worth of people, and said “Go hassle this guy”.

    Note at this point that I am not their customer. I have never been their customer. I call them, and ask them to stop. “Well, I see the account your number is associated with”, I am told, “but because it is not your account, I can’t change it. We can’t just let anybody go changing the data in someone else’s account.”

    And that’s a fair point. I understand that. But it is MY phone number, not theirs.

    I wind up solving this problem every few months, with Federal Trade Commission complaints.

  2. Catherine Jefferson says

    *Ding*Ding*Ding*Ding*Ding*

    Spam annoys me (obviously), and I’ve spent a great deal of time and effort to help stop spammers. But the unsolicited *bulk* (i.e. marketing) email from businesses to my spamtraps scares me much less than the unsolicited transactional email that I see every day from banks, financial institutions, and businesses to spamtraps that they think belong to their customers. :/

    In some cases, the private information in these emails constitutes an outright security breach. It appears that I could log onto accounts, order merchandise, or withdraw funds with no more information than I have from the email itself, although of course I have never tried to do so and wouldn’t. In many other cases, I simply find out that X individual at Y address owes Z amount of money to a particular business and is either up-to-date, past due, or delinquent in payment. I’m sure that X individual is *thrilled* that a complete stranger knows this sort of stuff about them.

    This misdirected transactional email is arguably not even spam: although unsolicited, it isn’t really bulk. But I’m much less rigid about avoiding companies that send spam when I shop than I am about avoiding companies that show this sort of cavalier indifference to their customers’ personal information. There are banks and financial institutions that I will not do business with, and companies that I will not give a credit card to, because of what I have seen in my spamtraps.
