Skip to Content

M3AAWG Best Practices & Docs

These best practices and white papers represent the cooperative efforts of M3AAWG members to provide the industry with recommendations and background information to improve messaging security and protect users. M3AAWG best practices are updated as needed and new documents are added as they become available.

These industry best practices are intended to help mitigate the abuse of mobile messaging (i.e., SMS, MMS and RCS), including text messaging and connected services. The guidelines outlined here will assist service providers and vendors in maintaining practical levels of trust and security across an open, globally-interconnected messaging environment.
System abuse drains time and revenue for hosting and cloud providers, who must maintain constant vigilance to make sure their systems are not compromised and ensure that their customers are vigilant. This document categorizes types of abuse, suggests appropriate responses and reviews practices for dealing with customers and complaints. It provides current best common practices in use with the hosting, DNS and domain registration provider communities.
Forwarding is quite popular among users who have multiple email accounts they prefer to manage centrally. This updated M3AAWG best practices document includes measures that can be adopted by email volume forwarders and the receivers of forwarded email to mitigate spam-related concerns specific to forwarding email addresses.
These updated best practices outline the criteria for exit, entry, remediation and subscriber education when using a walled garden to remediate virus and bot infections in subscriber devices.
This document gives an overview of the current best common practices for sending commercial electronic messaging, focusing on the technical and practical policy aspects of these operations. The goal of these practices is to promote and enhance the transparency of senders maintaining legitimate messaging so that both individual recipients and mailbox providers are more easily able to distinguish legitimate messaging from messaging abuse.
When email authentication mechanisms are applied, both the originating and receiving systems are able to correctly and reliably validate who is accountable for the message. This paper describes authentication techniques to aid in protecting business’ brands from forgery and phishing attacks and is intended for a general readership that has basic familiarity with Internet mail service. The Executive Summary also provides a one-page overview that can be used independently.
Many organizations and individuals register “parked” domains not meant to either send or receive email traffic. Mailbox providers can authenticate incoming email from these domains quite effectively, provided such domains have the necessary identifiers. This best practices document describes what identifiers can be used to indicate a domain or subdomain that is not meant to send or receive emails.
It is an unfortunate reality that Internet anti-abuse professionals are, from time to time, encountering child sexual abuse material in the course of their work. This document provides guidelines for these situations but is not legal advice. M3AAWG strongly suggests that readers work with their company’s legal counsel or avail themselves of independent legal advice regarding their rights, responsibilities and obligations relevant to prevailing legal jurisdictions.
M3AAWG recommends three basic measures, including turning on opportunistic TLS, that messaging providers can implement relatively quickly to enhance the security and privacy of their users’ mail.
M3AAWG submitted these comments with the new M3AAWG Bot Metrics Report in response to the U.S, Federal Communications Communications request for comments on the status of the implementation of CSRIC III best practices.