- The CAN-SPAM Act applies to all commercial email sent in the United States, regardless of whether recipients opted in. It is an opt-out law, not an opt-in law.
- Every commercial email must include accurate From and Reply-To information, a non-deceptive subject line, clear identification as an advertisement, a valid physical postal address, and a functional unsubscribe mechanism.
- Opt-out requests must be honored within 10 business days. After unsubscribing, recipients cannot be sent further commercial email, and their address cannot be sold or transferred.
- Violations can result in penalties up to $51,744 per non-compliant email, with no cap on total fines. The sender is liable even when third parties send on their behalf.
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act) is the federal law governing commercial email in the United States. Enacted in 2003 and enforced by the Federal Trade Commission, it applies to any email whose primary purpose is commercial, including promotional messages, newsletters, and advertising campaigns.
Despite being over 20 years old, CAN-SPAM remains actively enforced and directly relevant to every organization that sends marketing email to U.S. recipients. Understanding its requirements is not just a compliance exercise; it is also foundational to good deliverability practice, since the behaviors CAN-SPAM mandates align closely with what mailbox providers expect from legitimate senders.
Who Does the CAN-SPAM Act Apply To?
CAN-SPAM covers any electronic mail message whose primary purpose is the commercial advertisement or promotion of a product or service. This includes business-to-consumer (B2C) and business-to-business (B2B) email. The law applies based on where the recipient is located (United States), not where the sender is based.
The Act distinguishes between two types of email:
- Commercial email: Messages whose primary purpose is advertising or promotion. Subject to all CAN-SPAM requirements.
- Transactional or relationship email: Messages related to an agreed-upon transaction, account updates, warranty information, or an ongoing business relationship. Exempt from most CAN-SPAM requirements, but still cannot contain false or misleading routing information.
Important: CAN-SPAM is an opt-out law, not an opt-in law. Unlike GDPR (EU) or CASL (Canada), it does not require prior consent before sending commercial email. However, it does require a functioning opt-out mechanism and prompt honoring of unsubscribe requests.
The Seven Core CAN-SPAM Requirements
1. Accurate Header Information
The From, To, Reply-To, and routing information in your email must accurately identify the person or business that initiated the message. Using a misleading domain name, a fake sender name, or deceptive routing information is a violation. This requirement applies to both commercial and transactional email.
2. Non-Deceptive Subject Lines
Your subject line must accurately reflect the content of the email. Misleading subject lines that trick recipients into opening a message are illegal. Common violations include false urgency ("Your account has been suspended" for a promotional offer), fake personal relationships ("Re: Our conversation"), or bait-and-switch content.
3. Identification as an Advertisement
Commercial email must include a clear and conspicuous disclosure that the message is an advertisement or solicitation. The law gives flexibility in how this is done; a footer statement like "This is a promotional message" or similar language is typically sufficient. The disclosure must be visible, not hidden in fine print.
4. Valid Physical Postal Address
Every commercial email must include your valid physical postal address. This can be a street address, a post office box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving agency. This requirement cannot be satisfied with an email address or URL alone.
5. Functional Unsubscribe Mechanism
Every commercial email must include a clear, conspicuous mechanism for recipients to opt out of future messages. The opt-out method cannot require the recipient to pay a fee, provide personal information beyond an email address, or take any steps other than sending a reply email or visiting a single web page. The unsubscribe mechanism must remain functional for at least 30 days after the message is sent.
6. Honoring Opt-Out Requests Promptly
Once a recipient opts out, you must stop sending them commercial email within 10 business days. After they unsubscribe, you cannot sell, transfer, or share their email address with anyone else (except to a company you have hired to help you comply with CAN-SPAM). This is where suppression lists become critical for compliance.
7. Third-Party Accountability
If you hire another company to handle your email marketing, you are still legally responsible for CAN-SPAM compliance. The law holds both the company whose product is promoted and the company that actually sends the message jointly liable. You cannot outsource compliance or claim ignorance of your vendor's practices.
What Is Exempt: Transactional Email
Transactional email is largely exempt from CAN-SPAM's commercial email requirements, but only if the primary purpose of the message is genuinely transactional. The FTC defines transactional content as messages that:
- Facilitate or confirm a previously agreed-upon transaction (order confirmations, receipts)
- Provide warranty, recall, or safety information about a purchased product
- Notify the recipient of changes to a subscription, membership, or account terms
- Deliver regular account statements or balance information
- Relate to an employment relationship or benefits plan
Transactional emails are still prohibited from containing false or misleading routing information. And if a "transactional" email contains significant promotional content, the FTC may reclassify it as commercial, subjecting it to all CAN-SPAM requirements.
If your transactional emails include promotional content (cross-sell recommendations, discount codes, referral incentives), you risk having them classified as commercial email under CAN-SPAM. Keep transactional and promotional content strictly separated to avoid compliance issues.
How CAN-SPAM Compliance Supports Deliverability
CAN-SPAM compliance and good sender reputation are closely aligned. The behaviors the law requires are the same ones mailbox providers reward:
| CAN-SPAM Requirement | Deliverability Benefit |
|---|---|
| Accurate From/Reply-To information | Supports SPF/DKIM/DMARC alignment |
| Honest subject lines | Reduces spam complaints from misled recipients |
| Functional unsubscribe | Lowers complaint rates; satisfies Google/Yahoo sender requirements |
| Prompt opt-out honoring | Prevents repeated complaints from the same recipient |
| Physical address included | Signals legitimacy to content-based spam filters |
Organizations that treat CAN-SPAM compliance as a deliverability strategy, not just a legal checkbox, consistently achieve better inbox placement. The 2024 Google and Yahoo bulk sender requirements went further than CAN-SPAM in several areas (requiring one-click unsubscribe headers, enforcing complaint rate thresholds, mandating authentication), but CAN-SPAM remains the legal baseline.
CAN-SPAM vs. GDPR vs. CASL
CAN-SPAM is one of the more permissive email regulations globally. Understanding how it compares to other major frameworks helps organizations that send to international audiences:
| Feature | CAN-SPAM (U.S.) | GDPR (EU) | CASL (Canada) |
|---|---|---|---|
| Consent model | Opt-out (no prior consent needed) | Opt-in (explicit consent required) | Opt-in (express or implied consent) |
| Unsubscribe timeline | 10 business days | Without undue delay | 10 business days |
| Physical address required | Yes | Yes (data controller info) | Yes |
| Maximum penalty | $51,744 per email | Up to 4% of global revenue | $10M CAD per violation |
| B2B emails covered | Yes | Varies by member state | Yes |
| Applies to transactional? | Partially (routing info only) | No (legitimate interest basis) | No (if purely transactional) |
If you send email internationally, you must comply with the strictest applicable law. A sender who is CAN-SPAM compliant may still violate GDPR or CASL if they send to EU or Canadian recipients without proper consent.
Common CAN-SPAM Violations to Avoid
- Broken unsubscribe links: If your unsubscribe page is down, redirects to a login wall, or requires multiple steps, you are in violation. Test your unsubscribe mechanism regularly.
- Slow opt-out processing: Batching unsubscribes into weekly or monthly syncs creates a window where you may email someone who has already opted out. Process unsubscribes in real time.
- Missing physical address: Many senders omit this, especially startups and solo operators. A P.O. Box or registered mailbox address satisfies the requirement if you prefer not to list a street address.
- Misleading From names: Using a personal name that does not represent the sender organization (e.g., "Sarah from Customer Success" when no such person exists) may constitute deceptive header information.
- Ignoring affiliate liability: If your affiliate partner sends non-compliant email promoting your product, you share legal responsibility. Vet your partners' practices.
The CAN-SPAM Act does not provide a private right of action for individual consumers. Only the FTC, state attorneys general, and internet service providers can bring enforcement actions. However, individual ISPs, including major mailbox providers, have used CAN-SPAM provisions to take legal action against spammers.
CAN-SPAM Compliance Checklist
Use this checklist before every commercial email campaign:
- From name and email address accurately identify your organization.
- Subject line honestly represents the email content.
- Email includes a clear identification as an advertisement (if applicable).
- Your valid physical postal address is included in the footer.
- A visible, functional unsubscribe link is present.
- The unsubscribe mechanism requires no more than a reply email or a single web page visit.
- Opt-out requests are processed within 10 business days.
- Your suppression list is applied across all sending platforms.
- Third-party senders and affiliates are CAN-SPAM compliant.
- Transactional emails do not contain significant promotional content.
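The violations listed above and the checklist items lend themselves to automation: a pre-send lint over each outbound message, a suppression list applied at send time, and an audit of the send log against the 10-business-day deadline. The following is an added example written for this article, not code from the article's author or from any compliance tool. It assumes outbound mail is available as RFC 5322 text (parsed with the Python standard library), that the sending domain and postal address are known configuration, and that opt-out requests are stored with the time they were received. The sender domain, postal address, sample messages and opt-out records are constructed placeholders. The `List-Unsubscribe` / `List-Unsubscribe-Post` checks implement the RFC 8058 one-click headers mentioned in the deliverability section; as the article notes, those go beyond CAN-SPAM's legal minimum, and the body-text checks are heuristics keyed to the checklist rather than a legal determination.

```python
"""Pre-send CAN-SPAM lint and opt-out audit (added example; see lead-in for assumptions)."""
import re
from datetime import date, datetime, timedelta
from email import policy
from email.parser import Parser
from email.utils import parseaddr
# Constructed sender configuration (placeholders, not real values).
SENDER_DOMAIN = "example.com"
POSTAL_ADDRESS = "123 Example Street, Suite 100, Springfield, US 00000"
OPT_OUT_BUSINESS_DAYS = 10  # CAN-SPAM: honor opt-outs within 10 business days

def lint_message(raw: str) -> list[str]:
    """Return 'check: detail' findings; an empty list means every heuristic check passed."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    # 1. Accurate header information: the From address must belong to the sending domain.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    if from_addr.rpartition("@")[2].lower() != SENDER_DOMAIN:
        findings.append(f"from: {from_addr!r} is not in sending domain {SENDER_DOMAIN!r}")
    # 2. Non-deceptive subject: not empty, and no fake 'Re:' thread without an In-Reply-To.
    subject = str(msg.get("Subject") or "").strip()
    if not subject:
        findings.append("subject: empty subject line")
    elif subject.lower().startswith(("re:", "fwd:", "fw:")) and not msg.get("In-Reply-To"):
        findings.append("subject: reply/forward prefix without an In-Reply-To header")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    # 3. Identification as an advertisement, visible in the body text.
    if not re.search(r"\b(advertisement|advertising|promotional|solicitation)\b", body, re.I):
        findings.append("disclosure: no advertisement/promotional wording in body")
    # 4. Valid physical postal address.
    if POSTAL_ADDRESS not in body:
        findings.append("address: configured postal address not found in body")
    # 5. Functional unsubscribe: a link or mailto next to 'unsubscribe' in the body, plus the
    #    RFC 8058 one-click headers the 2024 Google/Yahoo rules expect (beyond CAN-SPAM itself).
    if not re.search(r"unsubscribe.{0,120}?(https?://|mailto:)\S+", body, re.I | re.S):
        findings.append("unsubscribe: no unsubscribe link in body")
    if not msg.get("List-Unsubscribe"):
        findings.append("unsubscribe: missing List-Unsubscribe header")
    if str(msg.get("List-Unsubscribe-Post") or "").strip() != "List-Unsubscribe=One-Click":
        findings.append("unsubscribe: missing List-Unsubscribe-Post: List-Unsubscribe=One-Click")
    return findings

def business_days_after(start: date, n: int) -> date:
    """Date n Monday-to-Friday days after start (public holidays are not modelled)."""
    while n > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            n -= 1
    return start

def opt_out_deadline(received_at: datetime) -> date:
    return business_days_after(received_at.date(), OPT_OUT_BUSINESS_DAYS)

def filter_recipients(recipients: list[str], opt_outs: dict[str, datetime]) -> list[str]:
    """Apply the suppression list at send time: an opt-out suppresses immediately, not on day 10."""
    suppressed = {a.lower() for a in opt_outs}
    return [r for r in recipients if r.lower() not in suppressed]

def find_late_sends(opt_outs: dict[str, datetime],
                    send_log: list[tuple[str, datetime]]) -> list[tuple[str, datetime, date]]:
    """Audit: mail sent to an opted-out address after its deadline date (the deadline day is still in window)."""
    late = []
    for addr, sent_at in send_log:
        received_at = opt_outs.get(addr.lower())
        if received_at is not None and sent_at.date() > opt_out_deadline(received_at):
            late.append((addr, sent_at, opt_out_deadline(received_at)))
    return late

# Constructed sample messages and records (not real mail, not real recipients).
COMPLIANT_RAW = """\
From: Example Shop <offers@example.com>
Subject: Spring sale: 20% off garden tools this week
List-Unsubscribe: <https://example.com/u?id=abc123>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/plain; charset="utf-8"

This is a promotional message from Example Shop.
To stop receiving these emails, unsubscribe here: https://example.com/u?id=abc123
Example Shop, 123 Example Street, Suite 100, Springfield, US 00000
"""
NONCOMPLIANT_RAW = """\
From: Sarah <sarah@mailer-xyz.test>
Subject: Re: Our conversation
Content-Type: text/plain; charset="utf-8"

Hi! Just following up with a special offer on garden tools. Reply for details.
"""
OPT_OUTS = {"reader@example.net": datetime(2025, 1, 6, 9, 0)}  # request received on a Monday
SEND_LOG = [
    ("reader@example.net", datetime(2025, 1, 20, 12, 0)),  # deadline day: still in window
    ("reader@example.net", datetime(2025, 1, 21, 8, 0)),   # one day late
    ("other@example.net", datetime(2025, 1, 21, 8, 0)),    # never opted out
]

if __name__ == "__main__":
    print(lint_message(NONCOMPLIANT_RAW), find_late_sends(OPT_OUTS, SEND_LOG))
```

Run as a pre-send gate, `lint_message` should return an empty list for every campaign message and `filter_recipients` should be the last step before hand-off to the sending platform; `find_late_sends` is the after-the-fact check that catches the batched-sync problem described above, since a weekly sync can push a send past the deadline even when the opt-out was recorded on time.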
Frequently Asked Questions
No. CAN-SPAM is an opt-out law. It allows sending commercial email without prior consent, as long as the email complies with all other requirements (accurate headers, honest subject line, unsubscribe mechanism, physical address). However, best practice for deliverability is still to send only to recipients who have opted in.
Yes. CAN-SPAM applies to all commercial email, including messages sent between businesses. If the primary purpose of the email is to advertise or promote a product or service, it is covered by CAN-SPAM regardless of whether the recipient is a consumer or a business.
Each non-compliant email can result in a civil penalty of up to $51,744 (2025 inflation-adjusted amount). There is no cap on total fines, so a campaign sent to thousands of recipients could generate millions in penalties. Aggravated violations, such as using harvested email addresses or accessing computers without authorization to send spam, can result in criminal prosecution and imprisonment.
Partially. Transactional emails (order confirmations, account notifications, shipping updates) are exempt from most CAN-SPAM requirements, but they must still contain accurate routing and header information. If a transactional email includes significant promotional content, it may be reclassified as commercial and subject to all requirements.
CAN-SPAM requires that opt-out requests be honored within 10 business days. However, best practice is to process unsubscribes instantly. Delayed processing increases the risk of sending to someone who has already opted out, which can generate spam complaints and damage your sender reputation.