What best practices do they publish?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Three organizations publish most of the guidance that serious email senders actually reference: M3AAWG, CSA, and IETF. Each has a different scope and audience.

M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group) publishes the documents most relevant to day-to-day sending operations. Their Sender Best Common Practices covers authentication, list management, and abuse handling. They also publish topic-specific guidance on things like mobile messaging, bulk sending, and DMARC deployment. These are written by the people who run the infrastructure on both sides.

CSA (Certified Senders Alliance) focuses mainly on European senders and publishes its own certification criteria and technical requirements. Their documentation is particularly useful if you send to German or other EU inboxes since German ISPs weight CSA membership heavily.

IETF publishes RFCs (Request for Comments), which are the actual technical specifications that define how email works. Most senders never read RFCs directly, but it's useful to know they exist. When someone argues about how SPF or DKIM should behave, the RFC is the official answer.

When these documents contradict each other (and they occasionally do), IETF's RFC takes technical precedence. M3AAWG and CSA layer operational recommendations on top of those technical standards.

If you're not sure where to start, M3AAWG's sender best practices doc is the most practical place to begin. It's free on their website and written for senders, not just ISPs.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Review my practices against M3AAWG standards

I want to review whether my email program follows industry best practices. Here's my setup: - My primary sending regions: EU / US / global - My current authentication: SPF only / SPF+DKIM / full DMARC policy - My list management practices: double opt-in / single opt-in / other - My current ESP: name - Areas I'm most concerned about: compliance / deliverability / authentication / all Check my setup against M3AAWG Sender Best Common Practices and flag any gaps I should address.

Edit the yellow boxes, then send to the AI of your choice.