CAN-SPAM Compliance Guide for Email Marketers (2026)
Every commercial email sent from the US or to a US recipient is subject to the CAN-SPAM Act. Violations carry civil penalties of up to $51,744 per non-compliant email (the figure is adjusted for inflation each year, so check the FTC's current penalty schedule), and each email in a non-compliant campaign is a separate violation. A batch of 10,000 non-compliant emails is not one violation; it is 10,000.
Despite being in effect since 2003, CAN-SPAM compliance remains inconsistent across US businesses — not because the requirements are complex, but because they are misunderstood. The most common misconceptions: that CAN-SPAM only applies to spam, that prior consent is required before sending, that unsubscribes only need to be honoured for email newsletters, and that transactional emails are completely exempt with no conditions.
This guide covers every CAN-SPAM requirement in plain language — what each rule means, how to comply with it operationally, the common mistakes that create violations, and a checklist you can apply to every campaign before sending.
What Is the CAN-SPAM Act?
The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM) is the US federal law governing commercial email. It was enacted in 2003, took effect on 1 January 2004, and is enforced by the Federal Trade Commission (FTC). The FTC has authority to seek civil penalties, currently $51,744 per violation. Criminal penalties for aggravated violations are prosecuted by the Department of Justice, not the FTC.
CAN-SPAM is an opt-out law — not opt-in. Unlike GDPR, CASL, or India's DPDP Act, CAN-SPAM does not require prior consent before sending a commercial email. You can legally send a first commercial email to someone who has never heard of your business — provided every other CAN-SPAM requirement is met and the recipient can unsubscribe.
This is one of the most important distinctions in US email law. CAN-SPAM compliance and email marketing best practice are not the same thing. Compliance is the legal floor; best practice — confirmed opt-in, list hygiene, segmentation — is what actually protects your deliverability and sender reputation above that floor. Our email marketing best practices guide covers best practice in full.
Who enforces CAN-SPAM: The FTC is the primary enforcement body. State attorneys general can also bring civil actions. Internet service providers can sue senders who violate CAN-SPAM. Individual recipients cannot bring private lawsuits — there is no private right of action under CAN-SPAM.
Extraterritorial reach: CAN-SPAM applies to all commercial email sent from a computer system in the US, or sent to US recipients from outside the US. If your business is UK or India-based but you email US subscribers, CAN-SPAM applies to those emails.
Does CAN-SPAM Apply to Your Email?
CAN-SPAM applies to commercial electronic mail messages: any electronic mail message whose primary purpose is the commercial advertisement or promotion of a commercial product or service. (The term "commercial electronic message", or CEM, belongs to Canada's CASL; CAN-SPAM's own term is "commercial electronic mail message".)
The "primary purpose" test determines whether a message is commercial:
Clearly commercial: A promotional email, a sale announcement, a new product launch, a discount offer, a newsletter that includes advertising or product promotions. All fully subject to CAN-SPAM.
Clearly transactional: An order confirmation, a shipping notification, a password reset, a payment receipt. These are exempt from most CAN-SPAM requirements, but not from the ban on false or misleading header information, which applies to every email regardless of purpose. The exemption also holds only while the message contains no promotional content. The moment you add "while you wait, check out our new arrivals" to an order confirmation, you risk converting it from a transactional message to a commercial one. See our transactional vs marketing email guide for the full distinction.
Mixed content: When an email contains both transactional and commercial content, the primary purpose test applies. If the recipient would reasonably view the email's primary purpose as commercial — based on the subject line, the prominence of commercial content, and the framing of the message — it is a commercial email subject to CAN-SPAM.
Relationship messages: Emails that maintain an existing customer relationship — account updates, service notifications, renewal reminders — may be transactional or commercial depending on whether they include promotional content.
The 7 CAN-SPAM Requirements
Requirement 1: Do Not Use False or Misleading Header Information
Your email's "From," "To," "Reply-To," and routing information must accurately identify the person or business that sent the message. The displayed name and email address must reflect who is actually sending the email.
What this means in practice:
- The From name must be your actual business name, brand name, or the name of a real person at your organisation — not a fake name designed to trick recipients into opening
- The From email address must be a real, functioning address that receives replies
- The Reply-To address, if different from the From address, must also be a legitimate address
- The originating domain name and email address must be accurate, and the message must not be relayed through other machines or carry forged headers to disguise where it actually came from
Common violation: Using a From name like "Sarah from Customer Service" when no such person exists and the business is not named anything related to "Sarah" or "Customer Service." Deceptive From names designed to increase open rates by appearing personal violate this requirement.
What is permitted: Using a brand name as the From name ("Migomail Team") rather than a legal entity name, as long as the brand name accurately identifies the sender. Using a generic role address ("hello@migomail.com") rather than a personal address is fine.
Requirement 2: Do Not Use Deceptive Subject Lines
The subject line must accurately reflect the content of the email. A subject line designed to trick recipients into opening — by misrepresenting the content, creating false urgency, or implying the email is something it is not — violates CAN-SPAM.
What this means in practice:
- "Your account has been compromised" as a subject line for a promotional email is a violation
- "RE: our meeting" for an unsolicited commercial email implies a prior conversation that does not exist — violation
- "You have a package waiting" for a promotional email unrelated to a real package — violation
- "20% off your next order — this weekend only" for an offer that is actually available indefinitely — potentially deceptive depending on context
What is permitted: Curiosity-gap subject lines ("You won't believe what just happened to our prices") are legally grey but generally not violations unless they actively misrepresent the content. Promotional subject lines that accurately reflect a real offer ("Summer Sale: 30% off everything through Sunday") are fully compliant.
The practical standard: Would a reasonable recipient who reads the subject line and opens the email feel deceived by the content they find? If yes, the subject line is likely deceptive under CAN-SPAM.
Requirement 3: Identify the Message as an Advertisement
If the commercial email is an advertisement or promotion, it must be clearly and conspicuously identified as such. This does not mean you need to include "ADVERTISEMENT" in large text; it means the email's commercial nature must be clearly disclosed. The statute waives this particular requirement where the recipient has given prior affirmative consent to receive the message, so it bites hardest on cold and purchased-list sends, where no such consent exists.
What counts as sufficient disclosure:
- The email is clearly promotional in nature and would be recognised as advertising by a reasonable recipient
- The email includes standard commercial elements (product images, pricing, "Shop Now" CTAs) that make its advertising nature apparent
- For less obvious commercial content — a "newsletter" that contains significant advertising — the email should make its commercial intent clear
What does NOT constitute sufficient disclosure:
- An email designed to appear as a personal message or editorial content to disguise its commercial nature
- Advertorials or "sponsored content" emails that do not disclose their commercial relationship
Practical reality: For standard promotional emails, this requirement is typically satisfied by the email's content itself. The risk area is emails designed to look like personal correspondence or editorial content that are actually commercial in nature.
Requirement 4: Include Your Physical Postal Address
Every commercial email must include a valid physical postal address for the sender. This can be:
- Your current street address
- A P.O. Box registered with the US Postal Service
- A private mailbox registered with a commercial mail receiving agency (like a UPS Store mailbox)
Requirements for the address:
- It must be valid when the email is sent and kept current as your address changes; since forwarded or saved emails are referenced long after the original send, update your footer template promptly rather than letting a stale address circulate
- It must be a real address where the sender can receive mail — a fictitious address is a violation
- It must be included in every commercial email, not just the first one or the newsletter
What is NOT required:
- A commercial office address: a home address, a P.O. Box, or a private mailbox all qualify
- A US address specifically: international addresses are accepted as long as they are valid physical postal addresses
- Placement in the main body: footer placement is standard and fully compliant
Common mistake: Removing the physical address from transactional-style marketing emails or notification-style campaigns because they "don't look like newsletters." Every commercial email needs the address.
Requirement 5: Include a Clear and Conspicuous Unsubscribe Mechanism
Every commercial email must include a clear, easy-to-find mechanism that allows recipients to opt out of future commercial emails. This is the most operational of the CAN-SPAM requirements and the one most likely to generate violations from poor implementation.
Requirements for the unsubscribe mechanism:
- Must be clearly visible — not hidden in light grey text on a white background or in a font size that requires a magnifying glass
- Must be easy to use — a single link that works is the standard; requiring recipients to log in to unsubscribe is not compliant
- Must not require recipients to provide personal information beyond their email address to unsubscribe
- Must not charge recipients to unsubscribe
- The email address or web page used to process unsubscribe requests must remain functional for at least 30 days after the email is sent
The 10-business-day processing rule: Once a recipient submits an unsubscribe request, you must honour it within 10 business days. This is not 10 calendar days — it is 10 business days. The processing must result in the email address being removed from your commercial sending list permanently, not just temporarily.
What "honouring" means: You may not send any additional commercial emails to the unsubscribed address after the 10-business-day window expires. You may send transactional emails (order confirmations, password resets) — an opt-out from commercial email is not an opt-out from all email.
The one exception: If a recipient who previously unsubscribed subsequently provides a new affirmative consent — by filling out a sign-up form, making a purchase and checking an opt-in box, or explicitly asking to be re-added — you may resume commercial sending. The prior unsubscribe does not permanently bar all future commercial contact if a new consent is established.
Migomail's bounce management handles unsubscribe suppression automatically via real-time feedback loop processing — unsubscribes are applied immediately and permanently across all sending streams, well within the 10-business-day requirement.
Requirement 6: Monitor What Others Do on Your Behalf
If you hire a third party — an email marketing agency, a contractor, an affiliate — to send commercial emails on your behalf, you are legally responsible for their compliance with CAN-SPAM. The law applies to both the company that sends the email and the company whose products or services are promoted in the email.
What this means in practice:
- If an affiliate sends emails promoting your products, your business can be held liable for CAN-SPAM violations in those emails — even if you did not send them
- If you hire an agency to run your email marketing and they send non-compliant campaigns, you share liability
- Third-party email service agreements should explicitly require CAN-SPAM compliance and include indemnification provisions
Practical steps to manage third-party risk:
- Review any commercial email sent on your behalf before it goes out — at minimum, verify that all six other requirements are met
- Include CAN-SPAM compliance requirements in contracts with any agency, affiliate, or contractor who sends email on your behalf
- Spot-check affiliate emails for compliance, particularly the unsubscribe mechanism and physical address requirements
Requirement 7: Honour Opt-Out Requests Promptly
This expands on Requirement 5. Beyond having an unsubscribe mechanism, you must have a process that ensures opt-out requests are actioned within 10 business days — not just received.
What prompt honouring means:
- The unsubscribe link must connect to a functional system that processes the request immediately
- If your unsubscribe process requires manual review or batching, you must complete processing within the 10-business-day window
- You cannot condition the unsubscribe on further action from the recipient. The FTC's CAN-SPAM rule bars requiring anything beyond sending a reply email or visiting a single web page to opt out, so a "please confirm your unsubscribe" email that needs a further click to complete the opt-out is at odds with the rule and should be avoided; if that confirmation email also carries promotional content, it is itself a commercial email sent to someone who has asked to stop
After the opt-out is processed:
- You cannot sell or transfer the opted-out email address to another company for commercial email purposes — the opt-out must be respected by the new holder if transferred
- You may retain the opted-out address in a suppression list to prevent re-addition — this is actually a compliance obligation, not a violation
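The operational side of Requirements 5 and 7 is a suppression list with a deadline attached to each opt-out. The following is an added example, not Migomail code: it normalises the recipient address, computes the 10-business-day deadline (Monday to Friday only; US federal holidays are not modelled, which is this example's assumption), blocks commercial mail from the moment the opt-out is recorded while still allowing transactional mail, reports opt-outs that a batched pipeline has left unapplied past their deadline, and re-enables commercial sending only on an affirmative opt-in dated after the opt-out. All function and field names are this example's own.

```python
"""Opt-out suppression with the CAN-SPAM 10-business-day processing deadline.

Added example (not Migomail code). Weekday-only business days and naive
datetimes are assumptions made for brevity.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


def normalise(address: str) -> str:
    # Case-insensitive match: "User@Example.COM" and "user@example.com" are
    # the same recipient. Also trims whitespace that web forms tend to add.
    return address.strip().lower()


def business_day_deadline(received: date, business_days: int = 10) -> date:
    """Last day on which an opt-out received on `received` may still be
    pending: 10 business days, counting Monday to Friday only (assumption:
    no holiday calendar)."""
    day, remaining = received, business_days
    while remaining > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return day


@dataclass
class SuppressionEntry:
    opted_out_at: datetime
    deadline: date
    applied: bool = False                    # True once pushed to the sending lists
    reconsented_at: Optional[datetime] = None


class SuppressionList:
    def __init__(self) -> None:
        self._entries: dict[str, SuppressionEntry] = {}

    def record_opt_out(self, address: str, received: datetime) -> date:
        """Record an opt-out and return the date by which it must be honoured.
        A new opt-out replaces any earlier re-consent for the same address."""
        entry = SuppressionEntry(received, business_day_deadline(received.date()))
        self._entries[normalise(address)] = entry
        return entry.deadline

    def record_reconsent(self, address: str, given: datetime) -> bool:
        """Lift suppression only for an affirmative opt-in dated after the
        opt-out. Returns True if the re-consent was accepted."""
        entry = self._entries.get(normalise(address))
        if entry is None or given <= entry.opted_out_at:
            return False
        entry.reconsented_at = given
        return True

    def may_send(self, address: str, message_class: str) -> bool:
        """Send gate. Transactional mail is never blocked by an opt-out;
        commercial mail is blocked as soon as the opt-out is recorded, not
        only once the legal deadline arrives."""
        if message_class == "transactional":
            return True
        entry = self._entries.get(normalise(address))
        return entry is None or entry.reconsented_at is not None

    def apply_pending(self) -> list[str]:
        """For batched pipelines: mark every recorded opt-out as pushed to
        the sending lists and return the addresses that were applied."""
        pending = [a for a, e in self._entries.items() if not e.applied]
        for a in pending:
            self._entries[a].applied = True
        return pending

    def overdue(self, today: date) -> list[str]:
        """Addresses whose opt-out is unapplied and past its deadline. Each
        one is a live compliance gap that should page someone."""
        return sorted(a for a, e in self._entries.items()
                      if not e.applied and today > e.deadline)
```

The gate deliberately consults the suppression list on every commercial send rather than trusting the deadline: the deadline is the legal outer bound, and the overdue report exists only to catch a batched process that has silently stalled.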
CAN-SPAM Requirements: Quick Reference
| Requirement | What It Prohibits / Requires | Common Violation |
|---|---|---|
| 1. No false headers | From/Reply-To must identify the actual sender | Fake From names; spoofed routing |
| 2. No deceptive subject lines | Subject must reflect email content | "Re: our meeting" for cold outreach |
| 3. Identify as ad | Commercial nature must be clear | Advertorials disguised as editorial |
| 4. Physical address | Valid postal address in every email | Missing from notification-style campaigns |
| 5. Unsubscribe mechanism | Clear, easy, no-cost opt-out required | Hidden links; broken unsubscribe pages |
| 6. Third-party liability | You are responsible for senders on your behalf | Affiliate emails without compliance review |
| 7. Honour opt-outs | Processed within 10 business days | Manual processing causing delays |
What CAN-SPAM Does NOT Require
Understanding what CAN-SPAM does not require is as important as understanding what it does — because confusing CAN-SPAM with more restrictive laws (GDPR, CASL) leads to unnecessary constraints on US-only email programmes.
CAN-SPAM does NOT require:
- Prior consent before sending. You can legally send a first commercial email to a US recipient without prior opt-in, provided all seven requirements are met. This is fundamentally different from GDPR and CASL.
- Double opt-in. Confirmed opt-in is best practice for deliverability and list quality — it is not a legal requirement under CAN-SPAM.
- An opt-in checkbox at sign-up. Pre-checked boxes are not ideal for list quality, but they are not prohibited by CAN-SPAM.
- A privacy policy link in every email. This is a best practice and may be required by other laws (GDPR, CCPA) but is not a CAN-SPAM requirement.
- Consent documentation. CAN-SPAM does not require you to prove subscribers opted in, because opt-in is not required. (This is a major difference from CASL, where the burden of proving consent is on the sender.)
- A specific unsubscribe phrase. "Unsubscribe," "opt-out," "manage preferences," "stop receiving emails" — any clear language indicating how to stop receiving emails qualifies.
- Immediate unsubscribe processing. 10 business days is the legal window. However, processing immediately — as Migomail does — is both best practice and better for your deliverability and subscriber relationship.
CAN-SPAM vs GDPR vs CASL: Key Differences
For businesses emailing subscribers in multiple jurisdictions, understanding which law applies to which subscriber is essential. Apply the most restrictive law that applies to each subscriber.
| Requirement | CAN-SPAM (USA) | GDPR (UK / EU) | CASL (Canada) |
|---|---|---|---|
| Prior consent required | ❌ No — opt-out model | ✅ Yes — lawful basis required, typically consent | ✅ Yes — express or implied |
| Opt-in documentation required | ❌ No | ✅ Yes | ✅ Yes |
| Unsubscribe required | ✅ Yes | ✅ Yes | ✅ Yes |
| Unsubscribe processing time | 10 business days | Without undue delay | 10 business days |
| Physical address required | ✅ Yes | ✅ Contact details required | ✅ Yes |
| Right to erasure | ❌ Not applicable | ✅ Yes | ✅ Yes |
| Maximum fine | $51,744 per email | €20M or 4% of global annual turnover, whichever is higher | $10M CAD per violation (corporations) |
| Private right of action | ❌ No | ✅ Yes — individuals can sue and can complain to a supervisory authority | ⚠️ Suspended indefinitely |
The practical rule for US businesses: Apply CAN-SPAM as your baseline for US subscribers. If you have UK or EU subscribers, apply GDPR requirements to those contacts — which means confirmed opt-in and documented consent. If you have Canadian subscribers, apply CASL — which means express or implied consent with documented records and tracked expiry dates. Our CASL compliance guide covers the Canadian requirements in full.
CAN-SPAM Compliance for Specific Scenarios
Cold Email Outreach (B2B)
CAN-SPAM permits cold commercial email to US recipients — provided all seven requirements are met. A sales email to a business contact who has never heard of you is legally permissible under CAN-SPAM as long as:
- The From information accurately identifies your business
- The subject line is not deceptive
- The commercial nature is apparent
- Your physical address is included
- A clear unsubscribe mechanism is present
- You honour any opt-out requests within 10 business days
Best practice note: Legal permissibility and deliverability best practice diverge here. Cold email to purchased lists generates high complaint rates that damage sender reputation and inbox placement for your entire domain — including emails to subscribers who did opt in. Separate your cold outreach domain from your primary marketing domain to protect your main sending reputation. See our email deliverability best practices guide for the full framework.
Affiliate Email Marketing
If affiliates send commercial emails promoting your products, your business shares CAN-SPAM liability with the affiliate for those emails. The FTC has pursued enforcement actions against both the sender (the affiliate) and the advertiser (the brand whose products were promoted) in the same action.
Minimum safeguards for affiliate email programmes:
- Require all affiliates to sign a compliance agreement explicitly requiring CAN-SPAM adherence
- Review affiliate email creative before it is sent — verify all seven requirements are met
- Maintain a master suppression list that affiliates must honour — if a recipient has unsubscribed from your brand's communications, an affiliate promoting your products should not be sending to that address either
- Audit affiliate sends periodically and remove affiliates who cannot demonstrate compliance
Reactivation Campaigns
Sending to inactive subscribers — people who have not engaged with your emails in 6–12 months — raises a question: can you email them? Under CAN-SPAM, yes — if they have not unsubscribed, they are still on your list and you can email them. Under GDPR (for EU subscribers), this is more complicated if your legal basis was consent that has effectively lapsed.
Best practice: Run a re-engagement campaign to inactive subscribers before suppressing them, as covered in our email list segmentation guide. But do this not because CAN-SPAM requires it — it does not — but because inactive subscribers generate low engagement signals that harm your inbox placement for your entire domain.
CAN-SPAM Compliance Checklist
Use this before every commercial email campaign.
Header and sender identity
- From name accurately identifies your business or a real person at your business
- From email address is a functioning, real address
- Reply-To address (if different) is a functioning, real address
- No spoofed or forged routing information in email headers
Subject line
- Subject line accurately reflects the content of the email
- No false urgency or misleading implications in the subject line
- No "Re:" or "Fw:" implying a prior conversation that does not exist
Content identification
- The email's commercial nature is apparent from its content
- Any advertorial or sponsored content is clearly disclosed as such
Physical address
- A valid physical postal address is included in the email body (typically in the footer)
- The address is a current, functioning address where mail can be received
- The address is not hidden — it is readable without difficulty
Unsubscribe mechanism
- An unsubscribe link or clear unsubscribe instructions are present in every email
- The unsubscribe link is functional and will remain functional for at least 30 days
- The unsubscribe process does not require payment or excessive personal information
- Unsubscribe requests are processed within 10 business days
- Unsubscribed addresses are permanently suppressed from future commercial sends
Third-party compliance
- If any third party is sending on your behalf, their emails have been reviewed for all of the above
- Affiliates are under a written compliance agreement
- Your suppression list is shared with all parties sending commercial email on your behalf
Post-send
- Unsubscribe mechanism confirmed functional after send
- Any unsubscribe requests received are being processed within the 10-business-day window
- Opted-out addresses are not being passed to other commercial senders
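The mechanical items on the checklist above can be run automatically before every send. The following is an added example, not Migomail tooling: it parses an outbound message and reports which mechanical checks fail (sender address and display name present, no "Re:"/"Fw:" prefix on a cold send, the configured postal address present in the body, opt-out wording present, and an unsubscribe link pointing at a host you control). The judgement calls (whether the subject is honest, whether the link is visually hidden) cannot be automated and are not claimed here. The two sample messages, the postal address and the approved unsubscribe host are constructed for this example.

```python
"""Pre-send CAN-SPAM lint for an outbound commercial message.

Added example, not Migomail code. The expected postal address and the set of
hosts allowed to serve the unsubscribe page are inputs the sender configures
(assumptions for this example).
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

OPT_OUT_PHRASE = re.compile(r"unsubscribe|opt[\s-]?out|stop receiving", re.I)
THREAD_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
URL = re.compile(r"https?://[^\s<>\"')]+")


def _squash(text: str) -> str:
    """Lower-case and keep only letters and digits, so the postal address
    still matches when the footer re-wraps it or changes punctuation."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _text_and_urls(msg: Message) -> tuple[str, list[str]]:
    """Concatenate the text parts (tags stripped from HTML) and collect every
    URL, taking URLs from the raw HTML so href targets are not lost."""
    texts, urls = [], []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        urls.extend(URL.findall(text))
        if part.get_content_subtype() == "html":
            text = re.sub(r"<[^>]+>", " ", text)  # crude strip; enough for footer text
        texts.append(text)
    return "\n".join(texts), urls


def lint(raw: str, postal_address: str, unsubscribe_hosts: set[str],
         cold_outreach: bool = False) -> list[str]:
    """Return a list of findings; an empty list means every mechanical check passed."""
    msg = message_from_string(raw)
    findings: list[str] = []

    # Requirement 1: From and Reply-To must be real addresses that identify the sender
    name, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        findings.append("From: no usable sender address")
    elif not name:
        findings.append("From: no display name identifying the business or a real person")
    reply_to = msg.get("Reply-To")
    if reply_to is not None and "@" not in parseaddr(reply_to)[1]:
        findings.append("Reply-To: not a usable address")

    # Requirement 2 (mechanical part only): no fake thread prefix on a cold send
    subject = msg.get("Subject", "")
    if not subject.strip():
        findings.append("Subject: empty")
    elif cold_outreach and THREAD_PREFIX.match(subject):
        findings.append("Subject: 'Re:'/'Fw:' prefix implies a conversation that does not exist")

    body, urls = _text_and_urls(msg)

    # Requirement 4: the configured postal address must appear somewhere in the body
    if _squash(postal_address) not in _squash(body):
        findings.append("Body: physical postal address not found")

    # Requirement 5: opt-out wording plus a link on a host the sender controls
    if not OPT_OUT_PHRASE.search(body):
        findings.append("Body: no unsubscribe wording")
    if not any(urlparse(u).hostname in unsubscribe_hosts for u in urls):
        findings.append("Body: no unsubscribe link on an approved host")
    return findings


# Constructed sample inputs for this example.
POSTAL_ADDRESS = "100 Example Street, Suite 4, Springfield, IL 62701"
UNSUBSCRIBE_HOSTS = {"mail.example.com"}

COMPLIANT_MESSAGE = """\
From: Example Shop Team <hello@example.com>
To: customer@example.net
Subject: Summer Sale: 30% off everything through Sunday
Content-Type: text/plain; charset=utf-8

Everything in the store is 30% off until Sunday.

To stop receiving promotional email, unsubscribe here:
https://mail.example.com/u/abc123
Example Shop Inc., 100 Example Street, Suite 4, Springfield, IL 62701
"""

NON_COMPLIANT_MESSAGE = """\
From: noreply@example.com
To: prospect@example.net
Subject: Re: our meeting
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

We have a special offer for you this week.
Unsubscribe: http://tracker.example.org/opt-out?id=42
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>We have a <b>special offer</b> for you this week.</p>
<p><a href="http://tracker.example.org/opt-out?id=42">Unsubscribe</a></p></body></html>
--b1--
"""
```

Run `lint(NON_COMPLIANT_MESSAGE, POSTAL_ADDRESS, UNSUBSCRIBE_HOSTS, cold_outreach=True)` and it reports the missing display name, the "Re:" prefix, the absent postal address, and an unsubscribe link on a host you do not control, the last being the affiliate and third-party case from Requirement 6. Wire the check into the campaign pipeline so a non-empty result blocks the send rather than just logging.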
CAN-SPAM Violations and Enforcement
Who Enforces CAN-SPAM
The FTC is the primary CAN-SPAM enforcement body and has the authority to seek civil penalties of up to $51,744 per violation. The Department of Justice can seek criminal penalties — including imprisonment of up to 5 years — for aggravated violations such as harvesting email addresses, using dictionary attacks to generate addresses, or registering multiple email accounts to send commercial email.
State attorneys general can bring civil actions on behalf of their state's residents. Internet service providers can bring civil actions for violations that harm their networks or customers.
What Triggers Enforcement
CAN-SPAM enforcement is complaint-driven — the FTC and state AGs investigate based on complaints filed with the FTC (reportfraud.ftc.gov) or forwarded from ISPs. Practices that reliably trigger complaints and enforcement attention:
- Using purchased or harvested email lists without meeting the seven requirements
- Ignoring unsubscribe requests or making it difficult to unsubscribe
- Using deceptive subject lines or From names
- Sending from domains that obscure the sender's identity
- Running affiliate programmes without compliance oversight
Notable Enforcement Actions
The FTC has pursued enforcement against businesses across sectors — from mortgage companies sending deceptive subject lines to MLM organisations using affiliates without compliance controls to software companies harvesting email addresses. Fines in individual actions have ranged from tens of thousands to millions of dollars, often combined with injunctive relief requiring compliance programmes and auditing.
The most effective protection against enforcement is a clean compliance programme — the checklist above, applied consistently, addresses every element the FTC has cited in enforcement actions.
Frequently Asked Questions
Is CAN-SPAM an opt-in or opt-out law?
CAN-SPAM is an opt-out law. Unlike GDPR (EU/UK) and CASL (Canada), which require prior consent before sending commercial email, CAN-SPAM permits commercial email to US recipients without prior opt-in — provided all seven requirements are met and recipients can unsubscribe. This is a fundamental difference that many US businesses confuse when dealing with international subscribers. For US recipients, you can legally send a first commercial email without prior consent. For Canadian recipients, you generally cannot. For UK and EU recipients under GDPR, you need a lawful basis — typically consent — for marketing email.
What is the fine for violating CAN-SPAM?
The FTC can seek civil penalties of up to $51,744 per individual violation. Each non-compliant commercial email constitutes a separate violation — a campaign of 50,000 non-compliant emails is theoretically 50,000 violations. In practice, the FTC pursues systemic violations rather than individual emails, and actual fines in enforcement actions reflect the scale and severity of the violation. Criminal penalties — fines and imprisonment — apply to aggravated violations such as using harvested addresses, running zombie computers to send email, or using relay servers to conceal the origin of email.
Does CAN-SPAM apply to B2B email?
Yes. CAN-SPAM applies to all commercial electronic messages regardless of whether the recipient is a consumer or a business. Cold outreach to business contacts is subject to CAN-SPAM in exactly the same way as consumer-facing promotional email — the seven requirements apply equally. The common misconception that B2B email is exempt from CAN-SPAM has no basis in the law.
How long do I have to honour an unsubscribe request under CAN-SPAM?
10 business days from the date the opt-out request is received. After this window, you must not send any further commercial emails to the opted-out address. Best practice, and what Migomail implements automatically, is to process unsubscribes immediately in real time, well within the legal window. Delayed processing is a common source of CAN-SPAM complaints because recipients who unsubscribe and keep receiving email are highly motivated to report it.
Can I email someone again after they unsubscribe if they later give me their email address again?
Yes — if a recipient who previously unsubscribed subsequently provides a new, affirmative opt-in (by filling out a sign-up form, checking an opt-in box at checkout, or explicitly requesting to be added to your list), you may resume commercial sending. The prior unsubscribe does not create a permanent bar to all future commercial contact. However, the new consent must be genuine and documented — you cannot assume renewed consent from a transaction or customer service interaction without an explicit marketing opt-in component.
Summary
CAN-SPAM's seven requirements are clear, operational, and non-negotiable for any US commercial email sender:
- No false or misleading header information — From name and address must accurately identify the sender
- No deceptive subject lines — subject must reflect content
- Identify the message as an advertisement — commercial nature must be apparent
- Include a physical postal address — valid, current, in every email
- Clear unsubscribe mechanism — visible, functional, no barriers
- Monitor third parties — you are responsible for senders acting on your behalf
- Honour opt-outs within 10 business days — permanent suppression, no workarounds
The law is simpler than its reputation suggests. Most CAN-SPAM violations are not from businesses trying to evade the law — they are from businesses that failed to implement the operational basics: a functioning unsubscribe mechanism, consistent physical address inclusion, or an honest subject line policy.
Apply the checklist above to every campaign before sending. Process unsubscribes immediately. Keep your physical address current. These three habits eliminate the vast majority of CAN-SPAM compliance risk.
For international email programmes — Canadian subscribers under CASL, UK and EU subscribers under GDPR — the requirements are more demanding than CAN-SPAM. Our CASL compliance guide covers Canada's opt-in requirements in detail.
Start your free trial to access Migomail's CAN-SPAM-ready email infrastructure — automatic unsubscribe processing, physical address management in email footers, and Migomail's bounce management for real-time suppression of opted-out and bounced contacts.
This guide provides general informational content about the CAN-SPAM Act and should not be construed as legal advice. Email marketing law is jurisdiction-specific and fact-sensitive. Consult a qualified attorney for advice specific to your business situation and subscriber geography.