CAN-SPAM Compliance: A Practical Guide for Businesses That Send Email

CAN-SPAM is the U.S. federal law governing commercial email, and it has a reputation for being loose compared to GDPR or CASL. That reputation is partly deserved — it doesn't require opt-in consent the way European or Canadian law does — but "loose" doesn't mean "toothless." The FTC has issued real fines under CAN-SPAM, and the rules that do exist are specific enough that it's easy to violate one without realizing it.
What CAN-SPAM actually requires
Unlike GDPR, CAN-SPAM doesn't require you to get permission before emailing someone. What it requires is honesty and an easy way out. Specifically, every commercial email you send needs to meet a handful of concrete rules:
- The "From," "To," and routing information must be accurate and not misleading about who sent the message
- The subject line can't be deceptive about the email's content
- The email must identify itself as an advertisement if it is one, though this can be done fairly subtly
- You must include your business's valid physical postal address
- You must provide a clear, working way to opt out of future emails
- Opt-out requests must be honored within 10 business days
- You can't charge a fee, require personal information beyond an email address, or make people jump through hoops to unsubscribe
That last point trips up more senders than any other. A "manage preferences" page that requires logging into an account before someone can unsubscribe doesn't satisfy CAN-SPAM. The opt-out mechanism has to be simple enough that a recipient can act on it without friction.
Where it applies more broadly than people expect
CAN-SPAM applies to any commercial message with a primary purpose of advertising a product or service, which includes plenty of email that doesn't look like traditional marketing — a newsletter with product promotions mixed in, a re-engagement campaign, even some cold outreach depending on its content. It's worth being clear internally about which of your outbound streams count as commercial email under the law, because the compliance rules don't apply the same way to pure transactional email like receipts or password resets — but the moment marketing content gets mixed into those messages, they can fall under CAN-SPAM too.
This is one of several reasons keeping marketing and transactional sending cleanly separated matters beyond just deliverability — it also keeps your compliance obligations easier to reason about.
The unsubscribe rule interacts with deliverability rules too
Since 2024, Gmail and Yahoo have required one-click unsubscribe support (via the List-Unsubscribe and List-Unsubscribe-Post headers) for bulk senders, on top of whatever CAN-SPAM already required. The good news is that building compliant unsubscribe handling for CAN-SPAM and building it for mailbox provider requirements is largely the same work. If you haven't implemented one-click unsubscribe headers yet, treat it as satisfying both obligations at once rather than two separate projects.
Managing the actual list of people who've opted out is its own operational task — you need a reliable way to make sure someone who unsubscribes never receives another commercial message from you again, across every list and campaign they might otherwise be on. That's a suppression and preference management problem as much as a legal one, and it's worth building the infrastructure for it properly rather than handling it manually per campaign.
What enforcement actually looks like
The FTC doesn't pursue every violation, but it does pursue patterns — companies that ignore opt-out requests at scale, that use deceptive subject lines systematically, or that fail to include required disclosures across their entire program. Penalties can run into real money per violation, and "per violation" can mean per email in some enforcement actions, which is why the risk scales with your sending volume rather than staying fixed.
State attorneys general can also bring action under CAN-SPAM in some circumstances, and private companies whose domains get spoofed for CAN-SPAM-violating campaigns have pursued civil suits against the senders. The practical risk isn't abstract — it shows up as blocked sending, damaged domain reputation, and legal exposure together.
A quick self-check
- Does every marketing email include a physical postal address?
- Can someone unsubscribe in one click, without logging in or providing a reason?
- Are unsubscribe requests actually processed within 10 business days, and verified to be?
- Would your subject lines hold up if someone complained they were misleading?
If you can't answer yes to all four with confidence, that's worth fixing before it becomes a bigger problem. Building compliant sending into your email infrastructure from the start is considerably easier than retrofitting it after a complaint. MailDog's FAQ and documentation cover the technical side of setting up compliant unsubscribe handling if you're building this out.


