[_heimdall]

I must be an outlier here, but I don't keep email addresses that long. After a couple years they're on too many spam lists. I'll wind those addresses down and use them for a couple years only for short interactions that I expect spam from, and ultimately close then down completely the next cycle.

At best any email I have is 4 or 5 years old.

[account42]

You are definitely an outlier in that you abandon email addresses deliberately. But many people do not have an old address simply because they lost access to their previous ones for one of many possible reasons, the most common one being that it was provided with a business relationship (e.g. ISP contract) that no longer exists.

That's before even getting into how you'd possibly verify email adress age, especially without preventing self-hosting.

[londons_explore]

There are commercial services to verify email address age: https://www.ipqualityscore.com/email-age-checker

They generally look at data leaks and partner with big companies to see when that email address first signed up to any online service.

[account42]

That doesn't seem remotely compatible with modern privacy laws like the GDPR. And it certainly ads even more false negatives of people locked out because they didn't have their email leaked long enough ago.

[londons_explore]

GDPR has a massive carve-out for fraud prevention...

[account42]

Which doesn't include collecting information about your email and then handing it off to random third parties just because they want to use it for that.