All articles Email Operations

CAN-SPAM Compliance: What Every Business Email Sender Must Know

SSam wallness07 Jul 2026
CAN-SPAM Compliance: What Every Business Email Sender Must Know

What CAN-SPAM Actually Covers

The CAN-SPAM Act — Controlling the Assault of Non-Solicited Pornography And Marketing — became US federal law in 2003. Despite its age, it remains the primary legal framework governing commercial email in the United States, and the FTC continues to enforce it actively with substantial fines.

CAN-SPAM applies to commercial email messages — defined as messages whose primary purpose is advertising or promoting a commercial product or service. It does not apply to transactional emails: messages sent to complete a transaction the recipient already initiated, such as order confirmations, password resets, or shipping notifications. The distinction matters, because keeping transactional and commercial email on separate infrastructure is important for both compliance and deliverability.

The Six Core Requirements

1. Accurate Header Information

Your email's From, To, Reply-To, and routing information must be accurate and non-misleading. The From address must correctly identify who is actually sending the email. You cannot use a From address that impersonates another person or company, or that obscures the true sender's identity.

2. No Deceptive Subject Lines

The subject line must accurately reflect the content of the message. Subject lines designed to trick recipients into opening — "Re: your account" sent to people you have no prior relationship with, or "Your order has shipped" on a promotional message — are a direct CAN-SPAM violation. The test is simple: would a recipient feel misled after opening?

3. Identify the Message as an Advertisement

Commercial emails must be clearly identifiable as advertising. If the commercial nature is immediately obvious from the content and sender, a separate explicit disclaimer may not be necessary — but recipients should not be confused about whether the email is trying to sell or promote something.

4. Include a Valid Physical Address

Every commercial email must include a valid physical mailing address for the sender. This can be a current street address, a registered P.O. box, or a private mailbox registered with a commercial mail receiving agency. It must be real, current, and connected to your actual business.

5. Provide a Working Unsubscribe Mechanism

Every commercial email must include a clear, conspicuous way for recipients to opt out of future messages. The mechanism can be a link, a reply-to address, or any other functional method — but it must work reliably. Once someone uses it, you have 10 business days to stop sending to them.

You cannot charge a fee for unsubscribing, require the recipient to visit more than one page, ask them to provide information beyond their email address, or make them opt out of specific categories rather than all commercial messages if they want a full stop.

6. Monitor Third Parties Who Send on Your Behalf

CAN-SPAM holds you legally responsible for commercial messages sent in your name by agencies, affiliates, or partners. If a third party sends non-compliant email promoting your offer, you share liability. Include explicit CAN-SPAM compliance requirements in any vendor or affiliate agreements and audit what they're actually sending.

What CAN-SPAM Does NOT Require

The most commonly misunderstood aspect of CAN-SPAM is what it doesn't require. Unlike GDPR in the EU and CASL in Canada, CAN-SPAM does not require prior consent before sending commercial email. It is an opt-out law, not an opt-in law.

This means cold email to people who haven't opted in is legal in the United States under CAN-SPAM, provided the content requirements above are met. It also means CAN-SPAM provides weaker recipient protections than the European or Canadian frameworks — and why many senders choose to apply GDPR-level consent practices voluntarily even for US audiences.

Penalties for Non-Compliance

CAN-SPAM violations carry civil penalties of up to $51,744 per email under current FTC guidelines. Each non-compliant message is a separate violation. A single campaign sent to a list of 10,000 people without a working unsubscribe mechanism represents potential exposure in the hundreds of millions of dollars.

In practice, FTC enforcement targets clear, systematic violations — particularly companies that ignore opt-out requests at scale or use consistently deceptive headers — rather than minor technical oversights from otherwise good-faith senders. But the legal exposure for wilful non-compliance is real, and the cases the FTC pursues tend to involve businesses that were knowingly cutting corners.

Criminal penalties are also available for the most egregious violations: address harvesting from websites, using automated tools to generate valid addresses, relaying messages through computers without authorisation.

CAN-SPAM vs Deliverability

Compliance with CAN-SPAM is a legal baseline, not an inbox guarantee. Meeting the statutory requirements doesn't mean your email will reach recipients. Inbox providers apply standards far more stringent than CAN-SPAM — they filter on engagement metrics, authentication, and reputation signals that the law doesn't address at all.

That said, the behaviours CAN-SPAM prohibits — deceptive headers, missing unsubscribe options, ignoring opt-out requests — are also exactly the behaviours that generate spam complaints and damage sender reputation. Legal compliance and deliverability best practice point in the same direction, even if the mechanisms are different.

Building Compliance Into Every Send

CAN-SPAM compliance should be baked into templates and processes, not reviewed before each individual send. Practical steps:

  • Include the physical mailing address in your standard email footer — every template, every time.
  • Include a working unsubscribe link in every commercial message — not just newsletters, but any commercial communication.
  • Process opt-outs within the required 10-business-day window, preferably automatically through your sending platform.
  • Review From names and subject lines with your team annually — deceptive subjects are often unintentional, arising from aggressive subject line testing without a clear policy.

For a look at how sending frequency affects both compliance risk and deliverability, the email cadence guide covers the practical considerations. MailDog's SMTP relay supports the infrastructure you need to send compliant commercial email at scale. And for a reference on how your data practices connect to legal obligations, the MailDog privacy policy reflects the standards we apply to data handling.

Legal compliance is one pillar of a responsible email program. The others — authentication, list hygiene, and engagement management — determine whether that compliant email actually reaches anyone.

Related articles