diff --git a/supporting-docs/guides/2016-10-18-e2e_implementation.rst b/supporting-docs/guides/2016-10-18-e2e_implementation.rst
index 30876df9..02174c2f 100644
--- a/supporting-docs/guides/2016-10-18-e2e_implementation.rst
+++ b/supporting-docs/guides/2016-10-18-e2e_implementation.rst
@@ -328,6 +328,12 @@ decrypted by passing the ciphertext into ``olm_group_decrypt``.
 
 __ `m.room_key`_
 
+In order to avoid replay attacks a client should remember the megolm
+``message_index`` returned by ``olm_group_decrypt`` of each event they decrypt
+for each session. If the client decrypts an event with the same
+``message_index`` as one that it has already received using that session then
+it should treat the message as invalid.
+
 The client should check that the sender's fingerprint key matches the
 ``keys.ed25519`` property of the event which established the Megolm session
 when `marking the event as verified`_.