CAN-SPAM Act Compliance for Email Marketers

The CAN-SPAM Act establishes rules for commercial email messages whose primary purpose is advertising or promoting a commercial product or service.

This federal law requires you to include an opt-out mechanism in every commercial email. You must honor unsubscribe requests within 10 business days.

Your header information must be accurate and truthful, and every message must display a valid physical postal address. Subject lines cannot be deceptive or misleading, and the message must identify itself as an advertisement. Finally, you're responsible for anyone who sends commercial email on your behalf.

These seven core requirements apply to every business sending commercial email in the United States, with civil penalties of up to $51,744 per violating email (the FTC's 2024 inflation-adjusted figure).

We've worked with thousands of email marketers who worry about compliance while trying to grow their lists. The good news? CAN-SPAM compliance isn't complicated once you understand the basics.

This guide breaks down everything you need to know about CAN-SPAM compliance. You'll learn the seven main requirements, how to distinguish commercial from transactional emails, and practical steps to avoid penalties. We'll also cover how CAN-SPAM differs from other regulations like GDPR.

What Is the CAN-SPAM Act?

CAN-SPAM stands for Controlling the Assault of Non-Solicited Pornography And Marketing. Congress passed this federal law in 2003 to combat the spam flooding American inboxes.

The act creates a national standard for commercial email messages. It preempts state laws that regulate commercial email, except state laws that prohibit falsity or deception, so businesses have essentially one set of rules to follow. The Federal Trade Commission (FTC) enforces the CAN-SPAM Act and seeks civil penalties for violations.

Here's what makes CAN-SPAM unique: it does not require prior consent to add US users to mailing lists. Unlike GDPR's opt-in requirement, CAN-SPAM uses an opt-out model. You may send commercial email without the recipient's prior permission, as long as every message meets the requirements below and you never send to someone who has opted out. Recipients must always have a clear way to stop future messages.

The law applies to all commercial messages. Business-to-business (B2B) emails aren't exempt. If your email's primary purpose is commercial, you must follow CAN-SPAM requirements.

The Full Scope of CAN-SPAM

The full name reflects the act's focus on curbing unsolicited pornographic and marketing emails. These messages overwhelmed inboxes in the early 2000s. The law provides a national standard for commercial electronic messages.

Senders must honor opt-outs within 10 business days and include valid physical addresses. The act balances sender interests with consumer protections: it aims to curb deceptive practices while leaving legitimate email marketing intact.

Who Must Comply with CAN-SPAM?

Every business sending commercial email must comply with CAN-SPAM. The law covers any electronic mail message with the primary purpose of commercial advertisement or promotion.

This includes your company and anyone you hire to send emails on your behalf. Third-party marketers and affiliate partners fall under CAN-SPAM requirements too. If you hire an email marketing agency, both you and the agency are legally responsible for compliance.

Business Type | CAN-SPAM Applies? | Key Consideration
Small businesses | Yes | Same rules as large corporations
B2B companies | Yes | No B2B exemption exists
Nonprofits | Yes, if commercial | Messages promoting goods or services (merchandise, paid events) are commercial; a pure donation appeal generally is not
Marketing agencies | Yes | Shared liability with clients
Email service providers | Depends | Liable if they initiate messages

The primary purpose test determines whether your email needs to comply. If your message advertises or promotes a product or service, it's commercial. Transactional or relationship messages have different requirements.

Understanding Primary Purpose

The primary purpose test looks at your email's main content. Does it primarily advertise a commercial product or service? Then it's a commercial email subject to all CAN-SPAM requirements.

Transactional or relationship messages serve a different function. They facilitate an agreed-upon transaction or update a customer about an ongoing relationship. Under CAN-SPAM these messages must only avoid false or misleading header and routing information; the subject-line, advertisement-label, postal-address and opt-out rules don't apply to them.

Mixed-content emails need careful evaluation. If your message contains both commercial and transactional content, determine which is primary. The overall impression matters more than word count percentages.

The 7 Main Requirements of CAN-SPAM Compliance

CAN-SPAM compliance revolves around seven core requirements. Each applies to every commercial email you send. Following these rules protects you from penalties and builds trust with recipients.

We'll break down each requirement in detail. You'll see exactly what to include, what to avoid, and how to implement each rule.

  1. Don't use false or misleading header information
  2. Don't use deceptive subject lines
  3. Identify the message as an advertisement
  4. Tell recipients where you're located
  5. Tell recipients how to opt out
  6. Honor opt-out requests promptly
  7. Monitor what others are doing on your behalf

These seven rules form the foundation of CAN-SPAM compliance. Master them and you'll avoid most common violations.

Don't Use False or Misleading Header Information

Your "From," "To," and "Reply-To" fields and the routing information, including the originating domain name and email address, must be accurate and identify the person or business that initiated the message.

The header tells recipients who sent the email. It includes your domain name and email address. This information cannot mislead recipients about the email's origin.

Common header violations include spoofing another company's domain, using fake names in the From field, and relaying through machines or accounts you don't control so the message's true origin can't be traced. Header information that is technically accurate but was obtained under false pretenses (for example, a domain registered with a fake identity) counts as misleading too. These practices can trigger serious penalties.

What Accurate Header Information Looks Like

Your From field should clearly identify your business. Use your actual company name and a real email address on your domain. The Reply-To address must accept responses.

Routing information needs to match your sending infrastructure. Don't obscure your message's path to make tracking difficult. Recipients and email providers should be able to identify your business as the sender.

At mailfloss, we automatically verify that the addresses on your list are valid and correctly formatted. Verification doesn't make your headers accurate, but it does keep your mail going to real recipients who can reply to your Reply-To address and, if they choose, opt out.

Don't Use Deceptive Subject Lines

Your subject line must accurately reflect your email's content. Deceptive subject lines violate CAN-SPAM even if everything else in your message is compliant.

A deceptive subject line misleads recipients about what's inside. "RE: Your Order" is deceptive if the recipient never placed an order. "FWD: Important Account Information" is deceptive if you're sending a promotional offer.

The FTC looks at whether a reasonable recipient would be misled. Context matters. Your subject line should give recipients an honest preview of your message's content.

Subject Line Best Practices

Be specific about your offer or content. If you're promoting a sale, say so. If you're sharing a newsletter, make that clear.

Avoid clickbait tactics that promise one thing and deliver another. "You've won a prize!" is deceptive if the recipient needs to make a purchase to claim it. Be straightforward about what you're offering.

Test your subject lines by asking: Would this accurately describe my email to someone who hasn't opened it yet? If not, revise it.

Identify the Message as an Advertisement

Your commercial emails must clearly and conspicuously disclose that they're advertisements or solicitations. This doesn't require specific magic words, but recipients should understand your message's commercial nature. The one exception: if the recipient has given you prior affirmative consent to receive your messages, the advertisement label isn't required, though every other requirement still applies.

Many marketers include "Advertisement" or "Promotional Email" near the top of their messages. Others use contextual cues that make the commercial intent obvious. Your company name, branding, and content can signal this is marketing material.

The key is clarity. Don't disguise your commercial messages as personal correspondence or transactional updates. Recipients should immediately recognize they're receiving marketing content.

Practical Implementation

Place your advertising disclosure where recipients will see it. The top of your email works well. Your preheader text can also signal commercial intent.

Your email's overall design and content should support this disclosure. Professional templates, product images, and clear calls-to-action all indicate commercial purpose. Don't contradict your disclosure with misleading content.

Include Your Physical Postal Address

Every commercial email must display your valid physical postal address. This gives recipients a way to identify and locate your business.

You can use your street address, a post office box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving agency. The address must be current and where your business can receive physical mail.

Place this address where recipients can easily find it. Most businesses include it in their email footer alongside unsubscribe links and social media icons.

Address Format Requirements

Your address needs to be complete and accurate. Include street number, city, state, and ZIP code. P.O. Boxes are acceptable if properly registered.

Update your address if you move. Using an old address after relocating can create compliance issues. Keep your email templates synchronized with your current business location.

Provide a Clear Opt-Out Mechanism

Recipients must have a clear and conspicuous way to opt out of future emails. This unsubscribe mechanism is mandatory in every commercial message.

Your opt-out method must be easy to use. A reply email or a link to a single web page that completes the opt-out works well. The FTC's rule is specific: you may not charge a fee, require anything beyond the recipient's email address and opt-out preferences, or make them visit more than one page or take any step other than replying or visiting that page. Requiring a login is therefore out.

The unsubscribe link should be easy to find. Place it in your email footer where recipients expect to see it. Use clear language like "Unsubscribe" or "Opt Out" rather than vague phrases.

Opt-Out Best Practices

Make unsubscribing as simple as possible. One click should complete the process, and you shouldn't ask recipients to explain why they're leaving. You may offer a menu of choices (for example, fewer emails or only certain topics), but it must include an option to stop all commercial email from you.

Include the opt-out link in every email. Even if you think the recipient definitely wants your messages, the law requires an unsubscribe option. No exceptions exist for engaged subscribers or customers.

Our guide to managing email unsubscribes provides additional strategies for handling opt-out requests professionally while maintaining list quality.

Honor Opt-Out Requests Within 10 Business Days

You must honor an opt-out request within 10 business days of receiving it. This is a hard deadline, and you cannot take longer to process unsubscribe requests.

Once someone opts out, you must stop sending them commercial email. You also cannot sell or transfer their email address to anyone else, except to a company you've hired to help you comply with the law. The opt-out stands until the recipient later gives affirmative consent to receive your email again.

Your opt-out mechanism must work for at least 30 days after you send the email. Don't disable unsubscribe links immediately after sending. Recipients need time to review their inbox and make decisions.

Processing Opt-Outs Efficiently

Automate your unsubscribe process to ensure compliance. Manual processing creates delays and increases error risk. Use your email service provider's built-in unsubscribe features whenever possible.

Track when opt-out requests come in. You need to prove you honored them within the 10-day window if questioned. Most email platforms like Mailchimp and ActiveCampaign handle this automatically.

Don't send "We're sorry to see you go" emails unless the recipient can still opt out of those too. A plain confirmation that the request was processed is fine, but if it promotes anything it is a commercial message and needs its own unsubscribe option.
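Here is how the opt-out record, the 10-business-day deadline, the 30-day link window and the send-time suppression check fit together in code. This is an added example written for this guide, not the implementation of Mailchimp, ActiveCampaign or any other platform named here; the class names, the business-day calendar (weekends skipped, no federal holidays) and the sample addresses are assumptions.

```python
"""Suppression list that enforces the opt-out rules mechanically. Every
unsubscribe request is recorded with its receipt time, blocks commercial
sends to that address immediately, and carries a 10-business-day deadline
so late processing shows up in an audit. Hypothetical helper for this
guide, not any platform's implementation."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Optional


def add_business_days(start: date, days: int) -> date:
    """Date `days` weekdays after `start`. Weekends are skipped; US federal
    holidays are not modelled, so the result is the latest defensible date."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 ... Friday=4
            days -= 1
    return d


def normalize(addr: str) -> str:
    """Lower-case the whole address for matching. The local part is technically
    case-sensitive, but a suppression list must err toward blocking."""
    return addr.strip().lower()


def unsubscribe_link_must_work(sent_at: date, as_of: date) -> bool:
    """The opt-out mechanism has to keep working for at least 30 days after the send."""
    return as_of <= sent_at + timedelta(days=30)


@dataclass
class OptOut:
    received_at: datetime
    applied_at: Optional[datetime] = None  # when the address left every commercial list

    @property
    def deadline(self) -> date:
        return add_business_days(self.received_at.date(), 10)


@dataclass
class SuppressionList:
    requests: dict[str, OptOut] = field(default_factory=dict)

    def record(self, addr: str, received_at: datetime) -> OptOut:
        """Record a request. A repeat keeps the earliest receipt time so the deadline never moves later."""
        key = normalize(addr)
        if key not in self.requests:
            self.requests[key] = OptOut(received_at)
        return self.requests[key]

    def mark_applied(self, addr: str, when: datetime) -> None:
        """Record the time the removal was completed; the address stays suppressed."""
        self.requests[normalize(addr)].applied_at = when

    def is_suppressed(self, addr: str) -> bool:
        return normalize(addr) in self.requests

    def filter_recipients(self, recipients: list[str]) -> tuple[list[str], list[str]]:
        """Split a send list into (allowed, blocked). Call this at send time, not at list-build time."""
        allowed, blocked = [], []
        for r in recipients:
            (blocked if self.is_suppressed(r) else allowed).append(r)
        return allowed, blocked

    def overdue(self, as_of: date) -> list[str]:
        """Addresses whose request was not applied by its 10-business-day deadline."""
        return sorted(k for k, o in self.requests.items()
                      if o.applied_at is None and as_of > o.deadline)

    def reinstate(self, addr: str, consent_evidence: str) -> None:
        """An opt-out only ends with the recipient's later affirmative consent; refuse without evidence."""
        if not consent_evidence.strip():
            raise ValueError("refusing to reinstate without recorded consent")
        self.requests.pop(normalize(addr), None)


if __name__ == "__main__":
    sl = SuppressionList()
    # Constructed sample: request received Friday 2025-10-03 (deadline Friday 2025-10-17).
    sl.record("Alice@Example.com", datetime(2025, 10, 3, 15, 0))
    print(sl.filter_recipients(["bob@example.com", "ALICE@example.com"]))
    print("overdue on 2025-10-20:", sl.overdue(date(2025, 10, 20)))
```

The filter runs on the final recipient list at send time, so an address that opted out after the campaign was scheduled is still blocked; `overdue` gives you the audit list a regulator would ask for.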

Monitor Third-Party Marketers and Affiliates

You're legally responsible for CAN-SPAM compliance even when others send emails on your behalf. This includes marketing agencies, affiliate partners, and email service providers.

If you hire someone to send commercial emails promoting your business, both of you can be held liable for violations. The law doesn't let you delegate away your compliance obligations.

Monitor what your partners are doing. Review their email practices, template content, and compliance procedures. Include CAN-SPAM requirements in your contracts with third-party marketers.

Managing Third-Party Relationships

Vet email marketing partners before working with them. Ask about their compliance procedures and track record. Request sample emails to verify they follow CAN-SPAM rules.

Establish clear guidelines for anyone sending emails on your behalf. Specify required elements like unsubscribe links, physical addresses, and accurate header information. Make compliance a contractual obligation.

Conduct regular audits of third-party email campaigns. Don't assume partners are following the rules. Your business faces penalties if they violate CAN-SPAM while representing you.

Special Rules for Sexually Explicit Content

CAN-SPAM has additional requirements for sexually explicit commercial email. These messages must include a warning label in the subject line.

The subject line must begin with the phrase "SEXUALLY-EXPLICIT:" in capital letters. The part of the message a recipient sees on opening it may contain only that label, the required disclosures (advertisement identification, opt-out mechanism and postal address) and instructions for accessing the explicit content; no explicit images or text may appear until the recipient chooses to view them.

These emails also need all standard CAN-SPAM requirements. The special labeling is in addition to, not instead of, the seven core rules.

Transactional vs. Commercial Emails

Understanding the difference between transactional and commercial emails is critical for compliance. The two categories have different CAN-SPAM requirements.

Transactional or relationship messages facilitate agreed-upon transactions or update customers about existing relationships. Examples include order confirmations, shipping notifications, account balance updates, and security alerts.

Commercial messages primarily advertise or promote products or services. Marketing newsletters, promotional offers, and sales announcements are commercial emails.

Email Type | CAN-SPAM Requirements | Example
Transactional | Accurate header and routing information only | Order confirmation, password reset
Commercial | All seven CAN-SPAM requirements | Weekly newsletter, product promotion
Mixed content | Depends on primary purpose | Order update with product recommendations

The Primary Purpose Test

When your email contains both transactional and commercial content, the FTC's primary purpose rule applies two tests. First, would a recipient reading the subject line reasonably conclude that the message contains commercial content? If so, the message is commercial.

Second, does the transactional content appear at or near the beginning of the message? If the promotional material comes first and the transactional content is buried below it, the message is commercial.

If your transactional email includes promotional content, keep it secondary. A shipping notification can mention related products, but the shipping information should dominate. When in doubt, apply all CAN-SPAM requirements.

CAN-SPAM Penalties and Enforcement

The FTC enforces the CAN-SPAM Act with civil penalties up to approximately $51,744 per violating email. These fines add up quickly when you're sending bulk email campaigns.

Criminal penalties can apply in egregious cases. Address harvesting and dictionary attacks are "aggravated violations" that can triple the damages, and conduct such as relaying through hijacked computers or materially falsifying header information in bulk can result in criminal charges.

Internet service providers can also sue violators. State attorneys general can bring enforcement actions. Multiple parties can pursue penalties for the same violations, compounding your liability.

Real Enforcement Actions

The FTC has brought numerous CAN-SPAM enforcement cases. Violations typically involve multiple infractions across thousands of emails. Penalties reach millions of dollars in serious cases.

Common violations include failing to honor opt-out requests, using deceptive subject lines, and omitting physical addresses. The FTC particularly targets businesses that use deceptive headers to hide their identity.

Prevention is far cheaper than penalties. Invest in proper email infrastructure and compliance procedures now. The cost of automated email verification is minimal compared to potential fines.

CAN-SPAM vs. Other Email Regulations

CAN-SPAM is just one email law you might need to follow. Other countries and regions have their own regulations with different requirements.

GDPR (together with the ePrivacy rules) applies to marketing email sent to recipients in the European Union. Unlike CAN-SPAM's opt-out model, it generally requires prior opt-in consent before sending marketing email, with only a narrow "soft opt-in" for existing customers. The requirements are stricter and penalties are much higher.

Canada's CASL requires consent, identification, and unsubscribe mechanisms, with penalties up to CAD $10 million per violation for businesses. CASL also uses an opt-in model and applies to commercial electronic messages sent to Canadian recipients.

Navigating Multiple Regulations

When you email internationally, each recipient's local law applies to the message they receive. If you're sending to EU recipients, follow GDPR for them even though your program as a whole remains subject to CAN-SPAM; in practice this means meeting the stricter standard.

Consider implementing the strictest standard for all your emails. Using opt-in consent for everyone simplifies compliance and often improves engagement. Recipients who actively choose to receive your emails are more likely to engage.

Our guide to email opt-in best practices and GDPR compliance explains how to collect proper consent and maintain compliant subscriber lists across different regulations.

Building a Compliant Email Program

CAN-SPAM compliance should be built into your email marketing infrastructure. Don't treat it as an afterthought or one-time checklist.

Start with your email service provider. Platforms like HubSpot, Klaviyo, and Constant Contact include compliance features. They automatically add unsubscribe links and track opt-out requests.

Create email templates that include all required elements. Your footer should have your physical address, unsubscribe link, and company information. Make these permanent parts of every template.

Ongoing Compliance Maintenance

Review your email practices quarterly. Check that unsubscribe links work, addresses are current, and opt-out processing happens within 10 business days. Regular audits catch problems before they become violations.

Train everyone who touches your email program. Marketers, copywriters, and designers all need to understand CAN-SPAM requirements. One person's mistake can expose your entire business to penalties.

Clean your email list regularly to maintain quality and deliverability. Invalid addresses don't just waste money. They can trigger spam complaints and damage your sender reputation. We built mailfloss to automate this process across 35+ email service providers.

Learn more about how to send bulk emails while avoiding spam filters to complement your compliance efforts with better deliverability.

Quick Answers to Common CAN-SPAM Questions

Let's tackle the most frequent questions we hear about CAN-SPAM compliance.

What does CAN-SPAM stand for? CAN-SPAM stands for Controlling the Assault of Non-Solicited Pornography And Marketing. It's a U.S. federal law enacted in 2003 that establishes rules for commercial email messages, requiring opt-out options and accurate headers to combat spam.

What happens if you violate CAN-SPAM? Violating CAN-SPAM can result in civil penalties of up to $51,744 per email, sought by the Federal Trade Commission. Severe cases involving fraud may lead to criminal penalties. Internet access providers and state attorneys general can also bring suits; individual recipients have no private right of action under the Act.

Why was the CAN-SPAM Act passed? The CAN-SPAM Act was passed in 2003 to establish a uniform federal standard for commercial emails, replacing fragmented state laws. It aimed to reduce deceptive practices, provide opt-out mechanisms, and equip ISPs with anti-spam tools amid rising spam volumes.

Are CAN-SPAM and GDPR compatible? The two take opposite approaches: CAN-SPAM uses opt-out and allows sending without prior consent, while GDPR mandates prior opt-in consent for marketing email. You can comply with both at once by following the stricter law based on recipient location, since a consent-based program still needs CAN-SPAM's header, address and opt-out elements.

Do B2B emails need to comply with CAN-SPAM? Yes, B2B emails must comply with CAN-SPAM. The law doesn't distinguish between business and consumer recipients. All commercial electronic mail messages must follow the same requirements regardless of the recipient's professional status.

Your Next Steps for CAN-SPAM Compliance

You now understand the seven core CAN-SPAM requirements and how to implement them. Start by auditing your current email practices against this checklist.

Review your email templates today. Verify each one includes your physical address and a working unsubscribe link. Test the opt-out process yourself. Make sure it completes in one click and processes within 10 business days.

Check your subject lines and header information for accuracy. Remove any misleading language or deceptive routing. Publish SPF and DKIM records (and a DMARC policy) for your sending domain so mailbox providers can verify that your messages really come from it. Authentication isn't a CAN-SPAM requirement, but it is how receivers distinguish honest headers from spoofed ones, and it protects your domain from being used in someone else's deceptive mail.
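The template audit described here, together with the earlier sections on header accuracy, subject lines, the opt-out mechanism and the postal address, can be partly automated with a pre-send lint over the raw message. This is an added example for this guide, not code from mailfloss, any email platform or the FTC. The sending domains, postal address and the two sample messages are constructed, the DKIM check is a simplified relaxed-alignment test that only runs if the message already carries a signature, and the RFC 8058 one-click header check is advisory: the law requires a working opt-out, not that specific header. Whether Reply-To actually accepts mail and whether the unsubscribe URL works still has to be tested against the live systems.

```python
"""Offline lint of an outbound commercial email against the CAN-SPAM items
that can be checked mechanically before a send. Hypothetical example for
this guide; the domains, address and sample messages are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

SENDER_DOMAINS = {"example.com", "mail.example.com"}   # hypothetical sending domains
POSTAL_ADDRESS = "123 Example Street, Suite 400, Springfield, IL 62701"  # hypothetical

_THREAD_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
_OPTOUT_WORDS = re.compile(r"\b(unsubscribe|opt[- ]?out)\b", re.IGNORECASE)


def _domain(header_value: str) -> str:
    """Domain of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def _norm(text: str) -> str:
    return re.sub(r"\s+", " ", text).strip().lower()


def dkim_aligned(from_domain: str, signing_domain: str) -> bool:
    """Relaxed DMARC-style alignment: equal, or one is a subdomain of the other."""
    f, d = from_domain.lower(), signing_domain.lower()
    return f == d or f.endswith("." + d) or d.endswith("." + f)


def lint_message(raw: str, sender_domains=SENDER_DOMAINS,
                 postal_address=POSTAL_ADDRESS) -> list[str]:
    """Return findings; an empty list means every mechanical check passed."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Requirement 1: From/Reply-To identify the real sender on a domain it controls.
    from_domain = _domain(msg.get("From", ""))
    if from_domain not in sender_domains:
        findings.append(f"header: From domain {from_domain!r} is not one of your sending domains")
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) not in sender_domains:
        findings.append("header: Reply-To points off your sending domains")
    dkim = msg.get("DKIM-Signature")
    if dkim:
        d_tag = re.search(r"\bd=([^;\s]+)", str(dkim))
        if not d_tag or not dkim_aligned(from_domain, d_tag.group(1)):
            findings.append("header: DKIM signing domain does not align with From")

    # Requirement 2: no RE:/FWD: on a message that is not actually a reply or forward.
    subject = str(msg.get("Subject", ""))
    if not subject.strip():
        findings.append("subject: empty subject line")
    elif _THREAD_PREFIX.match(subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("subject: RE:/FWD: prefix on a message that is not a reply")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    # Requirements 5 and 6: an opt-out path the recipient can find.
    list_unsub = msg.get("List-Unsubscribe")
    if not list_unsub and not _OPTOUT_WORDS.search(body):
        findings.append("opt-out: no List-Unsubscribe header and no unsubscribe text in the body")
    if list_unsub:
        post = str(msg.get("List-Unsubscribe-Post", "")).strip().lower()
        if post != "list-unsubscribe=one-click":
            findings.append("opt-out: List-Unsubscribe without RFC 8058 List-Unsubscribe-Post one-click header")

    # Requirement 4: the registered physical postal address is in the message.
    if _norm(postal_address) not in _norm(body):
        findings.append("address: registered postal address not found in the body")
    return findings


# Constructed sample messages, not real mail.
COMPLIANT = """\
From: Example Shop <deals@example.com>
Reply-To: support@example.com
To: customer@example.org
Subject: 20% off hiking boots this weekend
List-Unsubscribe: <https://example.com/u/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/plain; charset=utf-8

Advertisement. Take 20% off boots through Sunday.

Unsubscribe: https://example.com/u/abc123
Example Shop, 123 Example Street, Suite 400, Springfield, IL 62701
"""

DECEPTIVE = """\
From: Billing <billing@bank-notices.example>
To: customer@example.org
Subject: RE: Your order
Content-Type: text/plain; charset=utf-8

Great deals inside!
"""

if __name__ == "__main__":
    for name, sample in (("compliant", COMPLIANT), ("deceptive", DECEPTIVE)):
        print(name, lint_message(sample) or ["ok"])
```

Run this against every template in your library on the quarterly review; a clean result means the mechanical parts of the checklist hold, and each finding names the requirement it maps to.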

Set up a schedule for regular compliance reviews. Mark your calendar quarterly to audit templates, test unsubscribe links, and verify your physical address is current. Make CAN-SPAM compliance an ongoing priority, not a one-time task.

Remember that compliance protects your business from penalties while building trust with recipients. Clean, honest email practices result in better engagement and deliverability. When you follow the rules and maintain quality lists, your emails reach more inboxes and generate better results.