CAN SPAM Act: What You Need To Know Before Emailing Your List

Daniyal Dehleh

The CAN-SPAM Act is a federal law that sets the rules for commercial email, establishes requirements for messages, gives recipients the right to stop emails, and spells out penalties for violations. If you’re sending marketing emails to US recipients, you need to follow these rules — period.

In this guide, we’ve pulled together our research to equip you with everything you need to know before launching your email campaigns, covering:

  • What CAN-SPAM is
  • The eight core requirements
  • Myths that get businesses in trouble
  • How violations destroy your sender reputation
  • Compliance steps that protect your campaigns
  • Penalties that could cost you $53,088 per email

CAN-SPAM compliance directly affects whether your emails reach the inbox or get flagged as spam, which means it impacts your revenue (not to mention keeping you out of legal trouble).

TLDR: What does CAN-SPAM require?

Here’s a quick skim of the basic stuff you need to know about the CAN-SPAM Act:

Requirement | What you must do
Accurate header info | Use your real “From,” “To,” and routing information
Honest subject lines | Subject must match your email content
Identify as ad | Disclose that your message is an advertisement
Include address | Provide your valid physical postal address
Clear unsubscribe | Give an easy way to stop receiving emails
Honor opt-outs | Process unsubscribe requests within 10 business days
Monitor partners | You’re responsible for what others send on your behalf
Allow member opt-outs | Even paying subscribers can opt out of marketing emails
Penalty for violations | Up to $53,088 per email that breaks the rules

What is the CAN-SPAM Act?

CAN-SPAM stands for “Controlling the Assault of Non-Solicited Pornography and Marketing.” Congress passed it in 2003 because inboxes were drowning in spam, and people needed legal protection. The Federal Trade Commission (FTC) enforces it.

The law covers all commercial emails — messages that advertise or promote a product, service, or website. Marketing emails, newsletters with promotional content, and follow-up sales messages all fall under this umbrella. 

Transactional emails (order confirmations, password resets, account updates) get different treatment, but if they contain any promotional content, CAN-SPAM applies.

Something that surprises people is that the Act doesn’t require you to get permission before emailing someone. However, ignoring the rules once you send that email will cost you.

Who needs to follow CAN-SPAM rules?

If you send commercial email to recipients in the United States, you must follow CAN-SPAM. Your location doesn’t matter — if you’re emailing US addresses from Canada, India, or anywhere else, the law applies to you.

B2B emails are NOT exempt. This is probably the most dangerous myth out there. The FTC makes it clear — CAN-SPAM covers business-to-business emails just like consumer emails. If you’re sending cold outreach to companies, you’re under the same requirements.

Who needs to comply:

  • Sales teams sending cold outreach
  • Agencies managing client email marketing
  • SaaS companies running email campaigns
  • E-commerce brands sending promotional emails
  • Anyone using email to generate leads or revenue

Third-party email service providers share responsibility, too. If someone sends illegal emails using your platform, both parties can face penalties.

What are the eight core requirements?

Each requirement exists for a reason, and violating any of them puts your business at risk.

Don’t use false or misleading header information

Your “From,” “To,” “Reply-To,” and routing information must be accurate and identify who’s actually sending the email. You can’t disguise your identity or use someone else’s domain.

Don’t use deceptive subject lines

Your subject line must reflect your email’s content. If your subject says “Invoice attached” but you’re selling accounting software, that’s a violation. Even clever wordplay crosses the line if it misleads recipients about what’s inside.

Identify the message as an ad

You must disclose that your message is promotional. This doesn’t mean slapping “ADVERTISEMENT” in 72-point font at the top. It means being clear and conspicuous about the commercial nature of your email. Many companies handle this by including language like “promotional email” or “marketing message” in their header or footer.

Tell recipients where you’re located

Include your valid physical postal address. A P.O. box works, or a private mailbox you’ve registered with the postal service, or your street address. This requirement builds accountability.

Tell recipients how to opt out

You need a clear, easy way for people to tell you they don’t want more emails from you. Requirements include:

  • The mechanism must be obvious and easy to use
  • The option must be available for at least 30 days after you send the message
  • You can’t charge a fee or require the recipient to give you information beyond their email address

Honor opt-out requests promptly

When someone unsubscribes, you have 10 business days to stop sending them commercial emails. You can’t sell or transfer their email address after they opt out (even to your own separate lists). This is where a lot of businesses mess up — they keep emailing from different divisions or “forgot” the person had unsubscribed.

Allow paying members to opt out

Even if someone is a paying subscriber or member, they have the right to opt out of your marketing emails. You must give them that option and honor it. Membership or payment doesn’t override their right to stop receiving promotional messages.

Monitor what others are doing on your behalf

If you hire someone to handle your email marketing, you’re still legally responsible for what they send. That agency, freelancer, or email service provider needs to follow CAN-SPAM, and violations land on you, too.

What happens if you violate CAN-SPAM?

The penalties hurt. Each separate email that violates the law can result in fines up to $53,088. If you send a campaign to 10,000 people with a deceptive subject line, the FTC can theoretically fine you over $500 million.

Criminal penalties apply for serious violations, such as:

  • Harvesting email addresses from websites
  • Using scripts to create multiple email accounts
  • Using false information to register for email accounts
  • Relaying emails through someone else’s computer without permission
  • Accessing someone else’s computer without permission to send an email

People have gone to prison for this. But on top of that, there’s another penalty that’s less dramatic yet more immediately damaging — your sender reputation tanks. 

Email service providers (ESPs) monitor CAN-SPAM compliance, and violations signal that you’re a spammer. Your inbox placement rates drop, sometimes catastrophically. 

Running an email deliverability test after violations often reveals that most of your messages land in spam folders instead of inboxes.

How does CAN-SPAM affect your email deliverability?

Gmail, Outlook, Yahoo, and other ESPs use CAN-SPAM compliance as one signal in their spam filtering algorithms. When recipients mark your emails as spam or complain about them, the ESPs notice.

High complaint rates damage your sender reputation, which controls whether future emails reach the inbox. CAN-SPAM violations correlate strongly with poor engagement metrics:

  • Recipients mark emails as spam when they can’t find an unsubscribe button
  • Misleading subject lines generate immediate spam complaints
  • Missing physical addresses trigger spam filters

Your sender reputation affects every email you send, not just the ones that violate rules. One campaign with CAN-SPAM violations can suppress your deliverability for weeks or months afterward. 

Using an email spam checker helps you catch compliance issues before sending, so you can fix them and protect your sender reputation.

What are the biggest CAN-SPAM myths?

Here are some common myths regarding the CAN-SPAM Act debunked:

1. “B2B emails are exempt.”

Wrong. CAN-SPAM applies equally to business and consumer emails. Sending cold outreach to companies requires the same compliance as sending promotional emails to individuals.

2. “I can buy email lists and send to them.”

Technically, CAN-SPAM doesn’t prohibit purchased lists. However, it doesn’t protect you either. If people on that list never agreed to hear from you, they’ll mark your emails as spam, which destroys your sender reputation. Many ESPs explicitly ban purchased lists in their terms of service.

3. “One unsubscribe per company is enough.”

If you send emails from multiple divisions, brands, or lists, each one needs its own unsubscribe option. You can’t force someone to opt out of everything just because they don’t want emails from one part of your business.

4. “I have 30 days to honor unsubscribes.”

You have 10 business days, not 30 calendar days. The 30-day requirement is different — it refers to how long you must keep the unsubscribe mechanism functional after sending an email.

How do I stay CAN-SPAM compliant?

Compliance becomes easier when you build it into your email workflow from the start. What actually works:

Action | What to do
Audit your emails | Check every commercial message for all eight requirements. Review subject lines for misleading content. Verify your unsubscribe process works.
Document everything | Keep records of when and how people consented to emails. If the FTC investigates, documentation protects you.
Use double confirmation | While CAN-SPAM doesn’t require permission before emailing, double confirmation builds a cleaner list and reduces spam complaints.
Test unsubscribes monthly | Ensure your process works correctly and removes addresses within 10 business days. Set up automated systems.
Review partners | If agencies or contractors send emails on your behalf, verify they understand CAN-SPAM. Include compliance clauses in contracts.
Segment carefully | When someone unsubscribes from all marketing, remove them from all relevant lists (you cannot keep emailing from other divisions).
Train your team | Everyone who touches email marketing needs to understand CAN-SPAM basics: copywriters, designers, developers, marketers.

Your sender reputation matters more than you think

CAN-SPAM compliance protects you from legal penalties, but it does something more important: it keeps your emails reaching inboxes. Every violation chips away at your sender reputation, reducing the ROI of every campaign you run.

EmailWarmup.com helps you maintain strong deliverability by analyzing your campaigns in real-time and ensuring they match patterns that ESPs trust. What we handle:

  • Free unlimited deliverability testing
  • Dedicated consultants who fix compliance issues
  • Real-time spam checking that catches CAN-SPAM violations
  • Personalized email warmup matching your actual sending patterns

We can set everything up for you right away. Want to know how?

Schedule your consultation call

Frequently asked questions about the CAN-SPAM Act:

Here are some commonly asked questions regarding this act:

Does CAN-SPAM apply to cold emails?

Yes. Cold emails promoting your business are commercial messages, and they must follow all CAN-SPAM requirements. That includes the unsubscribe option, physical address, accurate headers, and honest subject lines.

Can I still email someone after they unsubscribe?

You can send transactional emails (order confirmations, account updates), but no commercial messages. Once someone tells you to stop all marketing emails, you’re done sending them promotional content — period. You cannot keep emailing them from “another list” or a different division. The only exception is if you offered them granular choices (like opting out of specific campaigns) and they chose to only stop some emails while continuing others. However, you must always give people the option to stop all marketing from you.

What’s the difference between CAN-SPAM and GDPR?

CAN-SPAM is a US law focused on commercial email requirements and penalties. GDPR is an EU law that requires explicit consent before sending marketing emails and gives people broader privacy rights. GDPR is stricter — it requires permission before you email someone, while CAN-SPAM allows people to unsubscribe after receiving your emails.

Do I need a lawyer to stay CAN-SPAM compliant?

Most businesses can handle CAN-SPAM compliance without legal help. The requirements are straightforward. However, if you’re sending millions of emails, operating in multiple countries, or unsure about specific scenarios, consulting an attorney who specializes in email marketing law makes sense.

Can individuals sue me for CAN-SPAM violations?

No. Only the FTC, state attorneys general, and internet service providers can bring lawsuits under CAN-SPAM. Individuals can’t sue you directly, though they can file complaints with the FTC that trigger investigations.

What if I’m sending from outside the United States?

CAN-SPAM applies based on where recipients are located, not where you’re sending from. If you’re emailing US recipients, you must follow CAN-SPAM regardless of your location.

How long do I need to keep email unsubscribe records?

The law doesn’t specify a retention period, but keeping unsubscribe records for at least three years protects you if the FTC investigates. Document when people opt out and ensure they stay off your lists.
