Home Best Practices

These best practices and white papers represent the cooperative efforts of M3AAWG members to provide the industry with recommendations and background information to improve messaging security and protect users. M3AAWG best practices are updated as needed and new documents are added as they become available.

January 31, 2016

M3AAWG Initial Recommendations for Using Forward Secrecy to Secure Data

Opportunistic encryption is one step in protecting email traffic between messaging providers but it might not be sufficient unless forward secrecy is also employed for the connection. This document explains why forward secrecy is necessary and provides guidance for implementing it.

January 21, 2016

M3AAWG Protecting Parked Domains Best Common Practices-Updated December 2015

Many organizations and individuals register “parked” domains not meant to either send or receive email traffic. Mailbox providers can authenticate incoming email from these domains quite effectively, provided such domains have the necessary identifiers. This best practices document describes what identifiers can be used to indicate a domain or subdomain that is not meant to send or receive emails. The December 2015 version updates some industry links that changed.

August 26, 2015

M3AAWG Mobile Messaging Best Practices for Service Providers - Updated August 2015

These industry best practices are intended to help mitigate the abuse of mobile messaging (i.e., SMS, MMS and RCS), including text messaging and connected services. The guidelines outlined here will assist service providers and vendors in maintaining practical levels of trust and security across an open, globally-interconnected messaging environment. Updated August 2015.

July 08, 2015

M3AAWG Initial Recommendations for Addressing a Potential Man-in-the-Middle Threat

Even though opportunistic encryption protects messages during transmission from sender to receiver, it is still possible for a Man-in-the-Middle (MITM) attacker with a self-signed certificate to impersonate the intended destination. This brief document describes the MITM situation, outlines various methods bad actors can use to conduct MITM attacks, covers components for deterring these attacks and introduces DANE (DNS-based Authentication of Named Entities), a new technology to assist messaging providers in validating they are communicating with an intended destination when using SSL/TLS.

June 30, 2015

Anti-Phishing Best Practices for ISPs and Mailbox Providers, Version 2.01, June 2015

This document was jointly developed by the Anti-Phishing Working Group (APWG) and M3AAWG with technical and business practices to help ISPs and mailbox providers thwart phishing attacks and other malevolent network abuses.  It also includes practices to respond constructively when these attacks occur. Version 2.01 updates the anti-phishing best practices originally published in 2006.