All the M3AAWG Public Policy Comments are available fom the M3AAWG Public Policy page in this section.
1
These best practices and white papers represent the cooperative efforts of M3AAWG members to provide the industry with recommendations and background information to improve messaging security and protect users. M3AAWG best practices are updated as needed and new documents are added as they become available.
PDF
June 15, 2016
M3AAWG Introduction to Traffic Analysis
M3AAWG outlines the key characteristics of traffic analysis attacks, discusses potential ways to avoid them, and considers the advantages and disadvantages of deploying preventative measures.
PDF
February 07, 2016
M3AAWG Best Practices for Unicode Abuse Prevention
With the advent of International Domain Names, Internationalized Top-Level Domains and Email Address Internationalization there will be an increase in the legitimate usage of Unicode characters and an increase in the potential for its abuse as well. This document provides best practices to curtail the potential Unicode abuse.
PDF
February 07, 2016
M3AAWG Unicode Abuse Overview and Tutorial
Provides background on the use of Unicode characters in the abuse context with a tutorial on the options to curtail that abuse.
PDF
January 31, 2016
M3AAWG Initial Recommendations for Using Forward Secrecy to Secure Data
Opportunistic encryption is one step in protecting email traffic between messaging providers but it might not be sufficient unless forward secrecy is also employed for the connection. This document explains why forward secrecy is necessary and provides guidance for implementing it.
PDF
January 21, 2016
M3AAWG Protecting Parked Domains Best Common Practices-Updated December 2015
Many organizations and individuals register “parked” domains not meant to either send or receive email traffic. Mailbox providers can authenticate incoming email from these domains quite effectively, provided such domains have the necessary identifiers. This best practices document describes what identifiers can be used to indicate a domain or subdomain that is not meant to send or receive emails. The December 2015 version updates some industry links that changed.