Every business that sends commercial email to US recipients operates under the CAN-SPAM Act, whether or not the team handling the email has ever read the statute. The law was enacted in 2003 and has been in force since 1 January 2004, the Federal Trade Commission enforces it, and the maximum penalty runs to tens of thousands of dollars per individual email.
Most senders comply almost by accident, because their email platform handles the mechanical requirements for them. Others fail to comply out of ignorance and have simply never been caught. A few get hit with enforcement actions and discover that “we did not know” is not a defence.
CAN-SPAM is also one of the most misunderstood compliance frameworks in email marketing. Common misconceptions include the belief that it applies only to bulk campaigns, that it requires recipient opt-in, that it bans cold outreach, or that transactional mail is covered automatically. None of these assumptions is fully correct.
What the CAN-SPAM Act Actually Is
CAN-SPAM stands for the Controlling the Assault of Non-Solicited Pornography And Marketing Act. Despite the awkward name, it functions as the baseline legal framework for commercial email sent to US recipients.
The law applies to any “commercial electronic mail message,” meaning any email whose primary purpose is promoting a commercial product or service.
That scope is broader than many businesses realise.
CAN-SPAM applies to:
- Bulk email campaigns
- One-to-one cold outreach
- Automated promotional sequences
- B2B marketing email
- Affiliate and partner promotions
- Commercial newsletters
It applies regardless of company size and regardless of where the sender is located if the recipient is in the United States.
There is no minimum sending threshold.
What CAN-SPAM Does NOT Cover
The law also has clear boundaries.
CAN-SPAM generally does not apply to:
- Pure transactional email
- Password reset emails
- Order confirmations
- Shipping notifications
- Account updates
- Service-related relationship messages
However, the exemption becomes complicated when transactional emails contain promotional content.
For example:
- A shipping confirmation with only shipping details is transactional.
- A shipping confirmation with a large promotional banner advertising new products may become a mixed-purpose email subject to CAN-SPAM requirements.
The FTC evaluates these cases based on the primary purpose of the message. One caveat: even a purely transactional or relationship message must not carry false or misleading header information. The accurate-header requirement (Rule 1 below) applies to transactional mail as well; only the remaining requirements are limited to commercial messages.
The Seven CAN-SPAM Rules
Every commercial email sent to US recipients must comply with seven core requirements.
Rule 1 — Accurate Header Information
The sender information must accurately identify who initiated the email.
This includes:
- From name
- Reply-To address
- Sending domain
- Routing information
The recipient must be able to identify the actual sender without deception.
Compliant Example
From: Marketing Team <marketing@brandname.com>
Non-Compliant Example
From: Special Offer <noreply@unrelated-random-domain.com>
(a display name that identifies nobody, on a domain the business neither owns nor controls)
Misleading sender identities and spoofed domains are direct violations. Email authentication (SPF, DKIM, DMARC) helps receiving mail servers detect spoofing of your own domain, but it is not the legal test: the headers must truthfully identify who initiated the message.
Rule 2 — Honest Subject Lines
The subject line must accurately reflect the contents of the email.
CAN-SPAM explicitly prohibits deceptive subjects.
Common Violation Patterns
- Fake “Re:” or “Fwd:” prefixes
- False urgency
- Promises not delivered in the body
- Fake account alerts
- Misleading transactional language
Compliant Example
Subject: 25% off all running shoes through Sunday
Non-Compliant Example
Subject: Re: your order
(when no order exists and the email is promotional)
Rule 3 — Clear Identification as an Advertisement
Commercial messages must carry a clear and conspicuous identification that they are an advertisement or solicitation, unless the recipient gave prior affirmative consent to receive them.
The law does not prescribe the wording or require a literal “This is an ad” label, so senders have latitude in how they disclose it, but the commercial nature of the email must be clear to a reasonable recipient.
This rule becomes important when marketers attempt to disguise promotional mail as personal communication.
Risky Example
A templated cold outreach email pretending to be a personal one-to-one message from an individual when it is actually automated promotional outreach.
Rule 4 — Include a Physical Postal Address
Every commercial email must include a valid physical postal address.
This can be:
- A business street address
- A registered PO box
- A Commercial Mail Receiving Agency address
Most ESPs automatically insert this information into email footers.
Important Detail
The requirement applies to every message individually.
A campaign sent to 50,000 recipients without a postal address is potentially treated as 50,000 separate violations.
Rule 5 — Provide a Clear Opt-Out Mechanism
Recipients must be able to unsubscribe easily.
The unsubscribe process must:
- Be clearly visible
- Work correctly
- Require no login
- Require no fee
- Require no unnecessary information
- Require no multi-step friction
The unsubscribe process should realistically take one click. The statutory standard is that the recipient can opt out either by replying to the message or by visiting a single web page, and the mechanism must keep working for at least 30 days after the message is sent.
Common Violations
- Broken unsubscribe links
- Login-required unsubscribe pages
- Multi-page confirmation funnels
- Upsell pages before opt-out completion
Rule 6 — Honour Opt-Outs Within 10 Business Days
Once a recipient unsubscribes, the sender has 10 business days to stop sending commercial email to that address.
After that period, every additional message becomes a separate violation.
The suppression must also apply globally across the sender’s commercial email systems unless the user explicitly opts back in. An opt-out covers commercial mail only; transactional and relationship messages may still be sent. An address that has opted out may not be sold or transferred to anyone else, except to a contractor hired to help the sender comply with the law.
Important Operational Detail
Suppression syncing failures between multiple ESPs or CRMs are one of the most common real-world compliance problems.
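The following is an added example, not code from the page or from any particular ESP, showing the mechanics behind Rule 6 that multi-system senders most often get wrong: computing the 10-business-day honour deadline, merging opt-out exports from several platforms under one normalised key, gating sends against the merged list, and reporting addresses that one platform has still not suppressed after the deadline. The exports, the outreach tool's view and the audit date are constructed sample data; treating the whole address as case-insensitive and ignoring US federal holidays are assumptions noted in the code.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Added example (not code from the page): a minimal cross-system suppression
# model for Rule 6. Sample exports below are constructed, not real data.

BUSINESS_DAYS_TO_HONOUR = 10


def honour_deadline(opted_out_on: date, business_days: int = BUSINESS_DAYS_TO_HONOUR) -> date:
    """Last calendar date by which commercial mail to the address must have stopped.

    Counts Monday to Friday only. Assumption: US federal holidays are not
    excluded here; a production system would plug in a holiday calendar.
    """
    deadline = opted_out_on
    remaining = business_days
    while remaining > 0:
        deadline += timedelta(days=1)
        if deadline.weekday() < 5:  # 0..4 are Mon..Fri
            remaining -= 1
    return deadline


def normalise(address: str) -> str:
    """Canonical key for matching one opt-out across systems.

    Assumption: the whole address is lower-cased. RFC 5321 allows a
    case-sensitive local part, but treating 'Alice@' and 'alice@' as two
    different people would let an opt-out slip through.
    """
    local, _, domain = address.strip().partition("@")
    return f"{local.lower()}@{domain.lower()}"


@dataclass(frozen=True)
class OptOut:
    address: str
    opted_out_on: date
    source: str  # which system recorded the request (esp, crm, outreach ...)


def merge_suppression(*exports: Iterable[OptOut]) -> Dict[str, OptOut]:
    """Union of every system's opt-outs keyed by normalised address.

    When the same address appears in several systems the EARLIEST date wins:
    the 10-business-day clock starts when the recipient asked, not when the
    record finally reached a given platform.
    """
    merged: Dict[str, OptOut] = {}
    for export in exports:
        for entry in export:
            key = normalise(entry.address)
            if key not in merged or entry.opted_out_on < merged[key].opted_out_on:
                merged[key] = OptOut(key, entry.opted_out_on, entry.source)
    return merged


def may_send(address: str, message_type: str, suppression: Dict[str, OptOut]) -> Tuple[bool, str]:
    """Pre-send gate. message_type is 'commercial' or 'transactional'
    (assumption: the primary-purpose classification is done upstream)."""
    if message_type == "transactional":
        return True, "transactional/relationship mail is not blocked by a commercial opt-out"
    entry = suppression.get(normalise(address))
    if entry is None:
        return True, "not suppressed"
    # Block immediately rather than treating the 10 days as a grace period.
    return False, f"opted out on {entry.opted_out_on.isoformat()} via {entry.source}"


def sync_gaps(merged: Dict[str, OptOut], system_view: Set[str], today: date) -> List[Tuple[str, date]]:
    """Addresses opted out somewhere but absent from one system's suppression
    list, reported only once the honour deadline has already passed."""
    gaps: List[Tuple[str, date]] = []
    for key, entry in merged.items():
        if key not in system_view:
            deadline = honour_deadline(entry.opted_out_on)
            if today > deadline:
                gaps.append((key, deadline))
    return gaps


# Constructed sample exports from three systems.
ESP_EXPORT = [OptOut("alice@example.com", date(2024, 6, 5), "esp")]
CRM_EXPORT = [
    OptOut("Alice@Example.com", date(2024, 6, 3), "crm"),  # same person, earlier request
    OptOut("Bob.Smith@Example.COM", date(2024, 6, 7), "crm"),
]
# The outreach tool only ever received Bob's opt-out.
OUTREACH_TOOL_VIEW = {"bob.smith@example.com"}
AUDIT_DATE = date(2024, 6, 20)  # constructed "today" for the sync check

if __name__ == "__main__":
    merged = merge_suppression(ESP_EXPORT, CRM_EXPORT)
    print(may_send("Alice@example.com", "commercial", merged))
    print(sync_gaps(merged, OUTREACH_TOOL_VIEW, AUDIT_DATE))
```

Run on the sample data, Alice's opt-out was recorded on 3 June in the CRM and only on 5 June in the ESP; the merged entry keeps 3 June, so her deadline is 17 June and the outreach tool, which never received it, shows up as an overdue gap on 20 June. Bob's deadline is 21 June, so he is not yet reported even though the tool is also his only suppression point. The design choice that matters is that `may_send` consults the merged list rather than any one platform's list; a gate that only asks the platform doing the sending is exactly the failure mode described above.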
Rule 7 — Monitor Third Parties Sending on Your Behalf
Businesses remain responsible for email sent by:
- Agencies
- Affiliate partners
- Contractors
- Lead-generation vendors
- ESP consultants
If a third party violates CAN-SPAM while promoting your business, both parties may face liability.
This is why vendor auditing matters.
CAN-SPAM Penalties Explained
CAN-SPAM penalties are calculated per violating email.
The FTC adjusts the maximum civil penalty annually for inflation; its 2024 adjustment set it at $51,744 per violation, and the current figure is published in the FTC's annual civil penalty adjustment notice.
In practice, regulators focus on:
- Large-scale violations
- Deceptive practices
- Repeated non-compliance
- Intentional abuse
- Failure to honour unsubscribe requests
FTC enforcement actions often involve millions of emails rather than isolated technical mistakes.
Still, even smaller senders can face legal exposure if violations become systematic.
CAN-SPAM vs CASL vs GDPR
CAN-SPAM is relatively permissive compared to Canadian and European frameworks.
| Framework | Consent Required Before First Email? | Major Penalties |
|---|---|---|
| CAN-SPAM (US) | No | ~$51k per violating email |
| CASL (Canada) | Yes | Up to CAD $10 million per violation (corporations) |
| GDPR (EU) | Usually yes | Up to 4% of global annual turnover or €20 million, whichever is higher |
Practical Reality
Most modern email programs simply adopt GDPR/CASL-style consent globally because:
- It reduces legal complexity
- It improves deliverability
- It lowers complaint rates
- It protects sender reputation
Common CAN-SPAM Compliance Mistakes
Treating Cold Outreach as Exempt
Cold outreach is still commercial email.
All CAN-SPAM rules apply.
Broken Unsubscribe Links
A non-functional unsubscribe link is one of the clearest violations regulators can identify.
Promotional Content Inside Transactional Mail
Adding promotional banners to receipts or confirmations can unintentionally pull the message into CAN-SPAM scope.
Slow Suppression Processing
Custom-built systems sometimes fail to sync unsubscribes quickly enough across platforms.
This becomes dangerous at scale.
Sending Re-Permission Campaigns to Unsubscribed Users
Once someone opts out, you generally cannot send additional commercial email asking them to reconsider unless they actively opt back in themselves.
A Practical CAN-SPAM Compliance Audit Checklist
Run this audit quarterly.
Template Review
Check every commercial email template for:
- Accurate From information
- Honest subject lines
- Visible postal address
- Working unsubscribe links
- Proper sender identification
Unsubscribe Flow Testing
Test the entire opt-out process:
- Click unsubscribe
- Complete opt-out
- Verify suppression list entry
- Confirm no future sends occur
Suppression Sync Review
Ensure suppression lists sync correctly between:
- ESPs
- CRMs
- Automation tools
- Outreach platforms
Vendor Audit
Review agencies, affiliates, and external senders operating on your behalf.
Transactional Email Review
Inspect transactional templates for promotional elements that could change compliance classification.
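The template-review and unsubscribe-link steps of this audit are mechanical enough to automate as a pre-send gate. The linter below is an added example, not code from the page or from any ESP: it parses a raw RFC 5322 message with Python's standard `email` package and checks Rules 1, 2, 4 and 5 (From/Reply-To on a domain the business controls, no fake “Re:”/“Fwd:” on a message that replies to nothing, the registered postal address present in the body, a visible unsubscribe link) and, as an advisory rather than a legal requirement, the RFC 8058 one-click headers that large mailbox providers expect on bulk mail. `SENDING_DOMAINS`, `POSTAL_ADDRESS` and both sample templates are constructed assumptions. Rule 3 (advertisement identification), Rule 6 (honouring opt-outs) and Rule 7 (third parties) are process checks a linter cannot make.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import List

# Added example (not code from the page). Assumptions: the domains the
# business controls and the postal address every commercial template must
# show; both sample templates below are constructed.
SENDING_DOMAINS = {"brandname.com", "mail.brandname.com"}
POSTAL_ADDRESS = "123 Example Street, Springfield, IL 62701"

THREAD_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
URL = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _domain(header_value: str) -> str:
    """Domain part of the first address in a From/Reply-To header, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def lint_template(raw: str) -> List[str]:
    """Return a list of findings; an empty list means the mechanical checks passed."""
    msg = message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    # Rule 1: From and Reply-To must point at domains the business controls.
    from_domain = _domain(msg.get("From", ""))
    if from_domain not in SENDING_DOMAINS:
        findings.append(f"rule1: From domain {from_domain!r} is not controlled by the sender")
    if msg.get("Reply-To") and _domain(msg["Reply-To"]) not in SENDING_DOMAINS:
        findings.append("rule1: Reply-To points outside the sender's domains")

    # Rule 2: a 'Re:'/'Fwd:' subject on a message that replies to nothing.
    subject = msg.get("Subject", "")
    if THREAD_PREFIX.match(subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("rule2: subject claims a thread but there is no In-Reply-To/References")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part is not None else ""
    flat = " ".join(text.split()).lower()

    # Rule 4: the registered postal address must appear in every message.
    if " ".join(POSTAL_ADDRESS.split()).lower() not in flat:
        findings.append("rule4: postal address missing from body")

    # Rule 5: a visible opt-out link in the body (a header alone is not enough,
    # because not every mail client surfaces List-Unsubscribe to the reader).
    if not any("unsubscribe" in url.lower() for url in URL.findall(text)):
        findings.append("rule5: no unsubscribe link in body")

    # Not a CAN-SPAM rule, but large mailbox providers expect RFC 8058
    # one-click headers on bulk mail; flag their absence as an advisory.
    if not (msg.get("List-Unsubscribe") and msg.get("List-Unsubscribe-Post")):
        findings.append("advisory: missing List-Unsubscribe / List-Unsubscribe-Post headers")
    return findings


# Constructed sample templates (not real mail).
COMPLIANT_TEMPLATE = """\
From: Marketing Team <marketing@brandname.com>
Reply-To: marketing@brandname.com
To: customer@example.net
Subject: 25% off all running shoes through Sunday
List-Unsubscribe: <https://brandname.com/unsubscribe?u=TOKEN>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/plain; charset="utf-8"

All running shoes are 25% off until Sunday.

Unsubscribe in one click: https://brandname.com/unsubscribe?u=TOKEN
BrandName Inc., 123 Example Street, Springfield, IL 62701
"""

NONCOMPLIANT_TEMPLATE = """\
From: Special Offer <noreply@unrelated-random-domain.com>
To: customer@example.net
Subject: Re: your order
Content-Type: text/plain; charset="utf-8"

Huge savings inside! Claim them here: https://unrelated-random-domain.com/deal
"""

if __name__ == "__main__":
    print(lint_template(COMPLIANT_TEMPLATE))     # []
    for finding in lint_template(NONCOMPLIANT_TEMPLATE):
        print(finding)
```

Wire `lint_template` into the step that renders a campaign and refuse to send on any `rule*` finding; treat `advisory` findings as warnings. The postal-address check is deliberately a literal match against the registered address rather than a generic address regex, because the audit question is “is our address there”, not “is some address there”.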
Frequently Asked Questions
Does CAN-SPAM require opt-in consent before the first message?
No. The US framework is opt-out rather than opt-in. A sender can send a first commercial message to a US recipient without prior consent, provided all seven rules are followed and the recipient can easily opt out of further mail.
Does CAN-SPAM cover transactional or “relationship” emails?
Largely no. Transactional mail (order confirmations, shipping notifications, account notices, password resets) is exempt from the commercial-email requirements, although it must still carry accurate header information. The exemption is lost if the transactional message is mixed with promotional content to the point where the promotional content becomes the primary purpose.
Does CAN-SPAM apply to text messages?
CAN-SPAM applies to email. Commercial text messages are regulated under the Telephone Consumer Protection Act (TCPA), which is stricter than CAN-SPAM and includes explicit opt-in consent requirements.
Can I purchase email lists and send to them under CAN-SPAM?
Sending to a purchased list is not categorically prohibited by CAN-SPAM, but every rule still applies. The sender must have accurate headers, honest subject, postal address, working opt-out, and must honour opt-outs within 10 business days. In practice, purchased lists generate high complaint rates that damage sender reputation severely, so the question is usually moot — by the time a purchased-list campaign reaches enough recipients to attract enforcement attention, deliverability has usually collapsed.
What is the difference between CAN-SPAM and a sender’s ESP terms of service?
CAN-SPAM is the federal law. ESP terms of service are contractual rules set by the sending platform and are typically stricter than CAN-SPAM. Most ESPs require opt-in consent, prohibit purchased lists, and enforce engagement thresholds, all of which exceed CAN-SPAM's baseline. A sender can comply with CAN-SPAM and still violate ESP terms.
Conclusion
CAN-SPAM is not an advanced compliance framework. It is the minimum operational baseline for commercial email in the United States.
The law does not prohibit marketing email. It does not require prior consent. And it does not ban cold outreach. What it requires is honesty, transparency, identification, and respect for recipient opt-outs.
For most businesses, the operational requirements are straightforward:
- Identify yourself clearly
- Use honest subject lines
- Include a valid postal address
- Provide a functioning unsubscribe link
- Honour opt-outs quickly
- Monitor partners sending on your behalf
The businesses that run into trouble are rarely the ones making isolated mistakes. They are the ones building systems that ignore compliance entirely.
Modern deliverability and compliance increasingly overlap. The same practices that keep a sender legally compliant, meaning permission-based sending, clean suppression handling and transparent messaging, are also the practices that maintain inbox placement and sender reputation over the long term.
