All the M3AAWG Public Policy Comments are available fom the M3AAWG Public Policy page in this section.
1
These best practices and papers represent the cooperative efforts of M3AAWG members to provide the industry with recommendations and background information to improve messaging security and protect users. M3AAWG best practices are updated as needed and new documents are added as they become available.
PDF
February 07, 2016
M3AAWG Best Practices for Unicode Abuse Prevention
With the advent of International Domain Names, Internationalized Top-Level Domains and Email Address Internationalization there will be an increase in the legitimate usage of Unicode characters and an increase in the potential for its abuse as well. This document provides best practices to curtail the potential Unicode abuse.
PDF
February 07, 2016
M3AAWG Unicode Abuse Overview and Tutorial
Provides background on the use of Unicode characters in the abuse context with a tutorial on the options to curtail that abuse.
PDF
January 31, 2016
M3AAWG Initial Recommendations for Using Forward Secrecy to Secure Data
Opportunistic encryption is one step in protecting email traffic between messaging providers but it might not be sufficient unless forward secrecy is also employed for the connection. This document explains why forward secrecy is necessary and provides guidance for implementing it.
PDF
August 26, 2015
M3AAWG Mobile Messaging Best Practices for Service Providers - Updated August 2015
These industry best practices are intended to help mitigate the abuse of mobile messaging (i.e., SMS, MMS and RCS), including text messaging and connected services. The guidelines outlined here will assist service providers and vendors in maintaining practical levels of trust and security across an open, globally-interconnected messaging environment. Updated August 2015.
PDF
July 08, 2015
M3AAWG Initial Recommendations for Addressing a Potential Man-in-the-Middle Threat
Even though opportunistic encryption protects messages during transmission from sender to receiver, it is still possible for a Man-in-the-Middle (MITM) attacker with a self-signed certificate to impersonate the intended destination. This brief document describes the MITM situation, outlines various methods bad actors can use to conduct MITM attacks, covers components for deterring these attacks and introduces DANE (DNS-based Authentication of Named Entities), a new technology to assist messaging providers in validating they are communicating with an intended destination when using SSL/TLS.