# CAN-SPAM Compliance

Adherence to the U.S. CAN-SPAM Act, a federal law that sets mandatory rules for commercial email marketing, including requirements for clear identification, opt-out mechanisms, and accurate header information. Non-compliance can result in fines up to $43,792 per violation.

- U.S. federal law requiring accurate headers, subject lines, and sender identification in all commercial emails
- Every marketing email must include a working unsubscribe mechanism and physical mailing address
- Violations can incur fines of up to $43,792 per email, with enforcement by FTC and state attorneys general
- Applies to transactional messages with a commercial element, not purely transactional notifications
- Non-compliance damages sender reputation and increases risk of spam filtering and legal action

## What is CAN-SPAM?

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is a 2003 U.S. federal law that regulates commercial email communications. It applies to any email whose primary purpose is advertising or promoting commercial products or services, regardless of whether the recipient opted in. The law does not require prior permission to send marketing emails, but it imposes strict rules on how those emails must be formatted, labeled, and managed.

CAN-SPAM is enforced by the Federal Trade Commission (FTC), the U.S. Department of Justice, and state attorneys general. Violations are civil matters, meaning senders face financial penalties rather than criminal prosecution. The law applies to emails sent to or from the United States, making it relevant to nearly all commercial email programs.

## Core CAN-SPAM Requirements

Every commercial email covered by CAN-SPAM must meet five core requirements:

First, the email header and sender information must be accurate and not deceptive. This includes the 'From' address, 'To' address, and routing information. You cannot obscure the sender's identity or use misleading domain names.

Second, the subject line must accurately reflect the email's content. Subject lines cannot be deceptive or trick recipients into opening the message. Third, the email must include a clear identification that it is an advertisement or promotional message.

Fourth, all commercial emails must include the sender's valid physical mailing address. This can be your current street address, a post office box, or a private mailbox registered with a mail receiving agency. Finally, every email must include a clear, conspicuous, and easy-to-use mechanism for recipients to opt out of future marketing messages.

1. Accurate header and routing information (From, To, Reply-To)
2. Non-deceptive subject line that reflects email content
3. Clear identification as an advertisement or promotional message
4. Valid physical postal address of the sender
5. Prominent and functional unsubscribe mechanism

## Unsubscribe and Opt-Out Mechanisms

CAN-SPAM requires that every commercial email include a clear, conspicuous, and easy-to-use method for recipients to opt out of future emails. The unsubscribe option must remain visible and functional for at least 30 days after the email is sent. This is typically implemented as a clickable link in the email footer, though alternative mechanisms like a reply-to email address are permitted if equally prominent.

Upon receiving an opt-out request, senders must honor the unsubscribe within ten business days. This means removing the recipient from the mailing list and ceasing all commercial email communications (though transactional emails, password resets, and account notifications can continue). Automated, immediate unsubscribe processing is best practice and improves sender reputation. Charging a fee, requiring login, or asking recipients to complete a form to unsubscribe violates CAN-SPAM.

> **Watch out:** Failing to process unsubscribe requests within ten business days, making the opt-out process difficult, or continuing to email users after they request removal are common violations that can trigger FTC enforcement.

## What CAN-SPAM Does and Does Not Cover

CAN-SPAM applies to any email whose primary purpose is advertising or promoting a product, service, or commercial website. This includes promotional emails, newsletters with ads, cart abandonment messages with a buy button, and event invitations where the sender will profit. It does not apply to purely transactional emails such as order confirmations, shipping notifications, password resets, or account statements—even if they contain promotional content, as long as the primary purpose is transactional.

The law covers both 'mass emails' and individual marketing messages. A single marketing email to one person is subject to CAN-SPAM, not just bulk campaigns. Additionally, CAN-SPAM applies to emails sent by third parties on behalf of a sender (like a marketing agency or email service provider), meaning both the advertiser and the party sending the email can be held liable for violations.

## Best Practices for CAN-SPAM Compliance

To maintain CAN-SPAM compliance and protect your sender reputation, adopt these best practices: use a consistent, recognizable sender name and email address; keep a clear, documented record of how and when subscribers consented to receive emails; segment your list and honor user preferences; monitor your unsubscribe requests and process them promptly; and conduct regular audits of your email templates and campaigns.

Additionally, maintain a suppression list of unsubscribed addresses and ensure no marketing email is sent to anyone on that list. Use clear, descriptive subject lines that match the email content. Include your physical mailing address in the email footer or in a consistent location. Test your unsubscribe link regularly to ensure it functions correctly. Finally, train your marketing and compliance teams on CAN-SPAM requirements so violations do not occur inadvertently.

- Use accurate, consistent sender identification and a recognizable email address
- Maintain documented proof of subscriber consent
- Segment lists and respect user preferences automatically
- Process unsubscribe requests within ten business days
- Include a physical mailing address in every commercial email
- Test unsubscribe links regularly for functionality
- Audit campaigns for deceptive subject lines or headers
- Train staff on CAN-SPAM rules and your internal compliance process

## Penalties and Enforcement

Violations of CAN-SPAM can result in civil penalties of up to $43,792 per email (adjusted annually for inflation), though the FTC typically seeks penalties on a per-campaign basis rather than per individual email. The FTC may also seek injunctions requiring immediate cessation of non-compliant practices, and state attorneys general can pursue their own enforcement actions.

Beyond legal penalties, CAN-SPAM violations damage sender reputation. Internet service providers (ISPs) and email filtering systems flag senders with a history of violations, causing legitimate emails to be filtered as spam. Loss of inbox placement and deliverability directly harm campaign performance and customer relationships. Maintaining CAN-SPAM compliance is therefore both a legal and business imperative.

## Examples

- A retailer sends a weekly promotional email offering discounts. It must include the retailer's physical address, a clear subject line (not 'Hey, check this out'), and a working unsubscribe link that removes the recipient within ten days.
- A SaaS company sends an email announcing a new feature. If the email also includes a sales offer, it is subject to CAN-SPAM and requires the company's physical address and opt-out mechanism.
- An e-commerce site sends a post-purchase thank-you email with the order details and a suggestion to buy related products. If the primary purpose is transactional (confirming the order), it may be exempt from CAN-SPAM, though best practice is to include compliance elements anyway.

## FAQ

### Does CAN-SPAM apply to international recipients?

CAN-SPAM applies to emails sent to or from the United States. If your list includes U.S. recipients, you must comply with CAN-SPAM. If you send only to international addresses outside the U.S., CAN-SPAM does not apply, but local regulations (like GDPR in Europe or CASL in Canada) may.

### Can I charge recipients a fee to unsubscribe?

No. CAN-SPAM requires that the unsubscribe mechanism be free and easy to use. Charging a fee, requiring login, or asking recipients to complete a long form violates the law. The unsubscribe process must be as simple as possible.

### What is considered a 'commercial' email?

A commercial email's primary purpose is advertising or promoting a product, service, or website for commercial gain. Newsletters with promotional content, product announcements, event invitations for which the sender profits, and cart abandonment emails are commercial. Transactional emails (order confirmations, password resets) are not, unless they are primarily promotional.

### Who is liable if an email service provider sends non-compliant emails on my behalf?

Both you (the advertiser) and the email service provider can be held liable for CAN-SPAM violations. Ensure your provider has strong compliance controls and that you review templates and lists before sending. Include contractual compliance clauses with your email service provider.


---

> Source: https://www.bitelio.com/glossary/can-spam-compliance · Updated 2026-07-16