diff --git a/SignalMessaging/profiles/ProfileFetcherJob.swift b/SignalMessaging/profiles/ProfileFetcherJob.swift
index f5c30ded9..c693610c7 100644
--- a/SignalMessaging/profiles/ProfileFetcherJob.swift
+++ b/SignalMessaging/profiles/ProfileFetcherJob.swift
@@ -173,18 +173,29 @@ public class ProfileFetcherJob: NSObject {
     }
 
     private func updateProfile(signalServiceProfile: SignalServiceProfile) {
-        verifyIdentityUpToDateAsync(recipientId: signalServiceProfile.recipientId, latestIdentityKey: signalServiceProfile.identityKey)
-
-        profileManager.updateProfile(forRecipientId: signalServiceProfile.recipientId,
-                                                 profileNameEncrypted: signalServiceProfile.profileNameEncrypted,
-                                                 avatarUrlPath: signalServiceProfile.avatarUrlPath)
+        let recipientId = signalServiceProfile.recipientId
+        verifyIdentityUpToDateAsync(recipientId: recipientId, latestIdentityKey: signalServiceProfile.identityKey)
+
+        profileManager.updateProfile(forRecipientId: recipientId,
+                                     profileNameEncrypted: signalServiceProfile.profileNameEncrypted,
+                                     avatarUrlPath: signalServiceProfile.avatarUrlPath)
+
+        var supportsUnidentifiedDelivery = false
+        if let unidentifiedAccessVerifier = signalServiceProfile.unidentifiedAccessVerifier,
+            let udAccessKey = udManager.udAccessKeyForRecipient(recipientId) {
+            let dataToVerify = Data(count: 32)
+            if let expectedVerfier = Cryptography.computeSHA256HMAC(dataToVerify, withHMACKey: udAccessKey.keyData) {
+                supportsUnidentifiedDelivery = expectedVerfier == unidentifiedAccessVerifier
+            } else {
+                owsFailDebug("could not verify UD")
+            }
+        }
 
         // TODO: We may want to only call setSupportsUnidentifiedDelivery if
         // supportsUnidentifiedDelivery is true.
-        let supportsUnidentifiedDelivery = signalServiceProfile.unidentifiedAccessKey != nil
-        udManager.setSupportsUnidentifiedDelivery(supportsUnidentifiedDelivery, recipientId: signalServiceProfile.recipientId)
+        udManager.setSupportsUnidentifiedDelivery(supportsUnidentifiedDelivery, recipientId: recipientId)
 
-        udManager.setShouldAllowUnrestrictedAccess(recipientId: signalServiceProfile.recipientId, shouldAllowUnrestrictedAccess: signalServiceProfile.hasUnrestrictedUnidentifiedAccess)
+        udManager.setShouldAllowUnrestrictedAccess(recipientId: recipientId, shouldAllowUnrestrictedAccess: signalServiceProfile.hasUnrestrictedUnidentifiedAccess)
     }
 
     private func verifyIdentityUpToDateAsync(recipientId: String, latestIdentityKey: Data) {
@@ -212,7 +223,7 @@ public class SignalServiceProfile: NSObject {
     public let identityKey: Data
     public let profileNameEncrypted: Data?
     public let avatarUrlPath: String?
-    public let unidentifiedAccessKey: Data?
+    public let unidentifiedAccessVerifier: Data?
     public let hasUnrestrictedUnidentifiedAccess: Bool
 
     init(recipientId: String, responseObject: Any?) throws {
@@ -235,9 +246,7 @@ public class SignalServiceProfile: NSObject {
         let avatarUrlPath: String? = try params.optional(key: "avatar")
         self.avatarUrlPath = avatarUrlPath
 
-        // TODO: Should this key be "unidentifiedAccessKey" or "unidentifiedAccess"?
-        // The docs don't agree with the response from staging.
-        self.unidentifiedAccessKey = try params.optionalBase64EncodedData(key: "unidentifiedAccess")
+        self.unidentifiedAccessVerifier = try params.optionalBase64EncodedData(key: "unidentifiedAccess")
 
         self.hasUnrestrictedUnidentifiedAccess = try params.optional(key: "unrestrictedUnidentifiedAccess") ?? false
     }
diff --git a/SignalServiceKit/src/Messages/OWSMessageSend.swift b/SignalServiceKit/src/Messages/OWSMessageSend.swift
index 3e8af2d3d..7918ff904 100644
--- a/SignalServiceKit/src/Messages/OWSMessageSend.swift
+++ b/SignalServiceKit/src/Messages/OWSMessageSend.swift
@@ -70,7 +70,9 @@ public class OWSMessageSend: NSObject {
         var udAccessKey: SMKUDAccessKey?
         var isLocalNumber: Bool = false
         if let recipientId = recipient.uniqueId {
-            udAccessKey = udManager.udAccessKeyForRecipient(recipientId)
+            udAccessKey = (udManager.supportsUnidentifiedDelivery(recipientId: recipientId)
+                ? udManager.udAccessKeyForRecipient(recipientId)
+                : nil)
             isLocalNumber = localNumber == recipientId
         } else {
             owsFailDebug("SignalRecipient missing recipientId")
diff --git a/SignalServiceKit/src/Messages/UD/OWSUDManager.swift b/SignalServiceKit/src/Messages/UD/OWSUDManager.swift
index 4efad614a..83841d72d 100644
--- a/SignalServiceKit/src/Messages/UD/OWSUDManager.swift
+++ b/SignalServiceKit/src/Messages/UD/OWSUDManager.swift
@@ -110,13 +110,10 @@ public class OWSUDManagerImpl: NSObject, OWSUDManager {
         }
     }
 
-    // Returns the UD access key for a given recipient if they are
-    // a UD recipient and we have a valid profile key for them.
+    // Returns the UD access key for a given recipient
+    // if we have a valid profile key for them.
     @objc
     public func udAccessKeyForRecipient(_ recipientId: String) -> SMKUDAccessKey? {
-        guard supportsUnidentifiedDelivery(recipientId: recipientId) else {
-            return nil
-        }
         guard let profileKey = profileManager.profileKeyData(forRecipientId: recipientId) else {
             // Mark as "not a UD recipient".
             return nil