What does M3AAWG recommend for list collection?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've built the form. There's an email field, a submit button, maybe a checkbox. But what actually goes on that page, and how, makes the difference between a list that earns great deliverability and one that quietly poisons it over time. M3AAWG (the Messaging, Malware and Mobile Anti-Abuse Working Group) has been clear on this for years.

Their first recommendation is confirmed opt-in. That means after someone submits your form, they get a confirmation email and have to click a link to activate their subscription. It's the strongest proof that the person who typed that address is also the person who wanted to subscribe. M3AAWG treats it as the gold standard, not just a nice-to-have.

Beyond COI, here's what they say your signup form actually needs to show:

  • What you'll send. Not a vague "stay in the loop" line. Something like "We send a weekly newsletter with shipping updates and product news" tells subscribers what they're getting into.
  • How often you'll send. Frequency disclosure belongs on the form itself, not buried on a pre-signup landing page. If you send daily, say daily. Surprise frequency is one of the fastest ways to generate spam reports.
  • A link to your privacy policy. Present at signup, not one click away from a footer somewhere.
  • Separate, unchecked consent for email. If someone's creating an account or making a purchase, their email marketing consent can't be bundled into the terms of service checkbox. It needs its own box, and that box starts unchecked.

That last point trips up a lot of senders. Pre-checked boxes feel like a shortcut to a bigger list, but M3AAWG explicitly recommends against them. So do most major mailbox providers, and so does most privacy legislation (though M3AAWG's recommendations exist independently of any one jurisdiction).

M3AAWG also draws a hard line on three list-building tactics: purchasing lists, harvesting addresses from websites or directories, and adding people who signed up for something else entirely. All three create complaint rates that will hurt your sender reputation, regardless of how clean the rest of your setup looks.

Once you're collecting consent the right way, it's worth thinking about what happens to that proof. Storing timestamps, source URLs, and IP addresses at signup is the next step. Our almanac covers proof of consent storage in detail if you want to make sure you're capturing the right data.

If you're auditing an existing form and want a second pair of eyes, our SOS hotline is free to use. No pitch, just help.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Review my signup form against M3AAWG standards

I'm reviewing my signup form against M3AAWG best practices. Based on what I share below, tell me what's missing or needs to change. For each gap, give me the specific form copy or element I should add, and where on the form it should appear. My current form setup: 1. Confirmation method (single opt-in or double opt-in): 2. What the form currently says subscribers will receive: 3. Whether frequency is disclosed on the form (and what it says): 4. Whether there's a privacy policy link visible at signup: 5. How email marketing consent is captured (bundled checkbox, separate checkbox, unchecked by default, pre-checked): 6. Any list sources beyond organic signups (purchases, imports, co-reg):

Edit the yellow boxes, then send to the AI of your choice.