What are industry collaboration programs (M3AAWG, GCA, APWG)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If you work in email infrastructure, deliverability, or security, you've probably heard these three acronyms tossed around at conferences. But what do they actually do, and is joining worth your time?
M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group) is the heavy hitter. It brings together mailbox providers, ESPs, security firms, and network operators to develop shared best practices for fighting abuse. Think of it less as a trade body and more as a working room where people who actually run email infrastructure sit together and solve real problems. Members get access to working group sessions, closed-forum threat discussions, and twice-yearly conferences. The time commitment is real (active participants go deep), but even passive membership gives you access to published best practices most people never read.
GCA (Global Cyber Alliance) focuses on making security improvements accessible, not just documented. Their most notable email contribution is the DMARC work: they built free toolkits and guidance that helped smaller organizations actually implement DMARC authentication when it was still intimidating to most teams. GCA's approach is practical over theoretical, which makes their resources useful even if you never formally join.
APWG (Anti-Phishing Working Group) coordinates phishing response across financial services, technology companies, and law enforcement. They maintain threat databases, run an eCrime research symposium, and facilitate the kind of cross-sector data sharing that helps one industry's incident become another's early warning. Their eCrime reports are public and genuinely useful reading if you want to understand how phishing campaigns evolve.
So should you join? It depends on your role. If you're running deliverability or abuse operations at an ESP or mailbox provider, M3AAWG membership pays for itself in peer access and early visibility into emerging threats. If you're a sender focused on authentication compliance, GCA's free resources give you most of the benefit without the membership overhead. APWG is most valuable if phishing and fraud are active concerns for your domain or brand.
None of these require you to join to benefit. All three publish reports, best practices, and guidelines that are freely available. Starting there costs nothing (and honestly, most practitioners never read them, so just doing that puts you ahead).
If you're unsure which, if any, makes sense for your team's situation, feel free to ask us directly. No pitch, just a straight answer.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.