What do you do when an ISP starts recycling email addresses?

ISPs are at the heart of the email industry. They manage the inboxes, host the space for email storage, and are ultimately responsible for putting a message in front of the recipient. Especially at major ISPs, there are a tremendous amount of login names (and email addresses) in use. It’s gotten to the point where people with common names have to resort to using addresses that look like the following: steve.smith1652@…com. Unfortunately, even if customers turn over at a rate of only 3% per year, it’s not long before there are millions of stale email addresses.

As you may have noted in the press recently, Yahoo.com is in the process of recycling inactive addresses. They are taking accounts that haven’t had a login event in 12 or more months and making them available to new users. This is causing awareness of potential privacy concerns for previous account owners who, for example, haven’t updated their contact information with banks, doctor’s offices, and other sites.

As an email sender, how can you protect your customers’ privacy when you don’t know if the recipient is actually the person with whom you have a business relationship?

1. Your password-reset algorithms can ask for a second piece of personally identifiable information that you may have and isn’t sent along as part of your regularly scheduled emails. If the account was recycled and the new email address owner attempts to hijack the previous customer’s account at your site, then requiring a phone number, secret code, or other piece of ID during the reset process can help prevent the hijack.
2. Yahoo supports a new email header (Require-Recipient-Valid-Since) that will hard bounce emails based on recycle date.  I’m not sure if other ISPs will implement similar measures, but making use of this should help.
3. Be cautious of how much personally identifiable information (PII) you send out regularly and how much personal data you send out without verifying that recipients are still who you think they are.
4. If a customer hasn’t engaged with your email recently (6-12 months), stop emailing them. The emails aren’t doing their job anymore, and you run the risk of engaging with the wrong person and exposing PII.

Many of our businesses rely on customer trust for success. Following these basic guidelines and incorporating good security practices can help keep your customers’ information private and keep them coming back to your business.