CAN-SPAM Compliance: The 2026 Guide for US Email Marketers
The CAN-SPAM Act sets seven rules for commercial email sent to US recipients, from accurate headers to a working opt-out honored within 10 business days. This post is general information, not legal advice; the FTC can fine you up to $51,744 per offending email.
Sohail Hussain · 14 min read

CAN-SPAM compliance means meeting seven specific rules every time you send a commercial email to a US recipient: accurate headers, honest subject lines, ad disclosure, a valid physical address, a working opt-out, opt-outs honored within ten business days, and oversight of anyone sending on your behalf. The Federal Trade Commission can fine you up to $51,744 per email; this guide explains what the law actually requires. Not legal advice.
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act) became federal law in January 2004, and the FTC has been enforcing it ever since. It is the baseline for any commercial email landing in a US inbox. According to the FTC's CAN-SPAM compliance guide, the seven rules below apply whether you send one email or a million.
This article is educational and not legal advice. Your specific situation, products, and recipient mix may add complications a qualified attorney should review.
What is the CAN-SPAM Act?
CAN-SPAM is the United States federal law governing commercial email. It applies to any electronic mail message whose primary purpose is the commercial advertisement or promotion of a commercial product or service. Transactional or relationship messages (order confirmations, account notices, receipts) are mostly exempt; the line between the two is sometimes blurry, and the FTC's primary purpose rule explains how to classify mixed messages.
A few things CAN-SPAM is not. It is not an opt-in law; you can legally send a cold commercial email to a US address without prior consent, provided the message meets all seven rules. It does not preempt the stricter rules of states like California (CCPA) or countries like Canada (CASL) and the EU (GDPR). And it does not protect generic role addresses any differently than personal ones; the rules apply to both.
The penalties have climbed steadily. The FTC adjusts the per-email maximum for inflation, and as of the 2024 adjustment, the cap sits at $51,744 per offending email. Multiply that by even a few thousand recipients and the math gets uncomfortable quickly.
Who does CAN-SPAM apply to?
Every business or individual that sends commercial email to a US recipient. There is no small-business exemption, no charity exemption, and no opt-in carve-out; if the message advertises or promotes a product or service, it is in scope.
A common confusion: the law uses two terms, sender and initiator, and both can be on the hook. The sender is the entity whose product or service the message promotes. The initiator is whoever actually sends the email (sometimes an agency, an affiliate, or a partner). The FTC's guidance is clear: when more than one company falls within the definition, you can decide between yourselves who takes responsibility for compliance, but if no one does, all of you remain liable.
I have seen this go sideways twice in customer onboarding calls; both times the brand assumed the agency had compliance handled and the agency assumed the brand did. CAN-SPAM does not let either off the hook. Sort the responsibility out in writing before the first send.
What are the seven CAN-SPAM rules?
Below is the working version I keep in my own head; the FTC's wording is denser but identical in substance.
| Rule | What it requires |
|---|---|
| 1. Header honesty | From, To, Reply-To, and routing info must accurately identify the sender |
| 2. Subject honesty | Subject line must reflect the actual content |
| 3. Ad disclosure | Message must be identifiable as an advertisement |
| 4. Physical address | A valid postal address must appear in every commercial message |
| 5. Opt-out mechanism | Recipient must have a clear way to opt out of future mail |
| 6. Opt-out timing | Opt-outs honored within 10 business days; mechanism live for 30+ days |
| 7. Oversight of senders | You remain responsible for anyone sending on your behalf |
1. Don't use false or misleading header information
Your From line must identify the person or business that initiated the email. The domain must be one you actually control or have permission to use. Reply-To has to route to a real inbox. This is the rule that authentication (SPF, DKIM, DMARC) makes auditable; if your DMARC is failing, the headers technically still pass CAN-SPAM, but Gmail and Yahoo will block you anyway. Our SPF/DKIM/DMARC setup guide covers the mechanics.
2. Don't use deceptive subject lines
The subject must reflect the content. "RE: Your invoice" on a cold pitch is the kind of phrasing the FTC has cited in enforcement actions; so is "FREE iPad inside" when there is no iPad. Persuasive is fine; lying is not. The line is whether a reasonable recipient would feel deceived.
3. Identify the message as an ad
The law gives you flexibility here. You do not need to scream ADVERTISEMENT in the subject; a clear disclosure somewhere in the message is enough. Most senders satisfy this implicitly (a promotional message that looks promotional and comes from a brand the recipient knows is fine). The exception is messages that look like personal correspondence; if a marketing email is dressed up as a one-to-one note, the ad disclosure rule kicks in harder.
4. Tell recipients where you're located
Every commercial email needs a valid physical postal address. Acceptable forms are a current street address, a registered post office box per USPS rules, or a private mailbox registered with a commercial mail receiving agency. A virtual office counts if mail is actually delivered there. The footer of your email is the usual place; it must be visible, not hidden behind dark-text-on-dark-background tricks.
5. Tell recipients how to opt out
Every commercial email must contain a clear, conspicuous explanation of how to opt out. An unsubscribe link is the standard; the law also allows a reply-to opt-out address, but in practice almost no one uses one (and Gmail's one-click unsubscribe expects a link header anyway). The mechanism cannot require the recipient to log in, pay a fee, or give any information other than their email address and opt-out preferences.
6. Honor opt-out requests promptly
You have ten business days to stop sending to anyone who opts out. The mechanism that produced the opt-out must remain functional for at least thirty days after the email was sent. You cannot sell, exchange, or otherwise transfer the email address of anyone who opted out (except to a service provider helping you with compliance).
Ten business days is the legal ceiling; for deliverability reasons, you want suppression in seconds, not weeks. Mailboxes that ignore unsubscribes generate complaints, and complaints kill sender reputation. Mailneo suppresses unsubscribed addresses globally within seconds of the click.
7. Monitor what others do on your behalf
If you outsource email marketing to an agency, affiliate, or partner, you are still on the hook. The FTC has fined brands for the conduct of affiliates the brand never directly authorized. Practical defense: a written agreement, documented approval of templates, and visibility into the lists being used.
How much can CAN-SPAM violations cost?
The current per-email civil penalty maximum is $51,744 (FTC, 2024 adjustment). Penalties are not theoretical. A few cases worth knowing:
- ValueClick paid $2.9 million in 2008 over deceptive advertising and CAN-SPAM violations across affiliate partners; one of the early signals that the FTC would hold companies responsible for affiliate conduct (FTC press release).
- Wyndham Worldwide settled CAN-SPAM and FTC Act charges in 2015 for $17,500 per offending email category, plus injunctive relief.
- In 2020, the FTC settled with American Screening LLC for $7.4 million tied in part to spam-related claims about an unrelated product.
State attorneys general can sue under CAN-SPAM as well, and so can internet service providers. The Microsoft v. Does line of cases, while older, established that platform-level lawsuits can yield seven-figure judgments against high-volume spammers.
For most legitimate operators, the realistic risk is not a $50 million federal judgment; it is a state AG complaint or an FTC inquiry triggered by a competitor or a deluge of consumer complaints. Either is enough to consume months of legal time.
CAN-SPAM vs GDPR vs CCPA: a side-by-side
Most operators eventually send to more than one jurisdiction. Here is the working comparison.
| Dimension | CAN-SPAM (US) | GDPR (EU/UK) | CCPA/CPRA (California) |
|---|---|---|---|
| Consent model | Opt-out; no prior consent required | Opt-in; freely given, specific, informed, unambiguous | Notice at collection; opt-out of sale/share |
| Triggering jurisdiction | Recipient in the United States | Data subject in the EU or UK | Business meeting thresholds and California residents' data |
| Opt-out timing | 10 business days | Immediate (right to object is absolute) | 15 business days for opt-out of sale |
| Max penalty | $51,744 per email | 20M EUR or 4% of global turnover | $7,500 per intentional violation |
| Cold email allowed? | Yes, with compliance | Effectively no | Yes, with notice and opt-out |
If you send to a mixed list, build to the strictest rule that applies to any address on it. Maintaining two signup flows and two unsubscribe systems is more expensive than just running everything to GDPR's bar globally; the math has been clear since at least 2019. Our GDPR email marketing guide covers the European side.
What about transactional emails?
CAN-SPAM treats transactional or relationship messages differently. Order confirmations, shipping updates, password resets, account notices, and similar messages are not commercial email. They still cannot have false header information, but the ad disclosure, physical address, and opt-out rules do not apply.
The hard part is mixed-purpose messages. A receipt that includes a "you might also like" cross-sell is the textbook example. The FTC uses a primary purpose test: if a reasonable recipient would conclude the main point is commercial, the whole message is commercial; if the transactional content is genuinely primary and the commercial bits are incidental, you may stay on the transactional side.
I've watched this debate eat hours in legal review. The clean answer is to separate the two: send the receipt as a pure transactional message and the cross-sell as a separate commercial campaign with full compliance. Cleaner audit trail, fewer arguments.
How do you build a CAN-SPAM compliant unsubscribe flow?
A few specifics that distinguish a good unsubscribe flow from a sketchy one.
One click should remove the recipient from all promotional mail by default. Optional granular preferences (only weekly, only product news) can appear afterward; do not require the recipient to fill out a form to escape. Gmail and Yahoo's 2024 sender requirements force this anyway through the List-Unsubscribe-Post header; CAN-SPAM is the legal floor, not the deliverability ceiling.
The unsubscribe link must not require a login. The FTC has explicitly called out flows that bury the unsubscribe behind a password-protected portal. Use a tokenized link that authenticates the request implicitly.
Suppression must propagate. If a recipient unsubscribes from your newsletter and then signs up for a separate product list two weeks later through a different form, you are allowed to send to them again because they re-consented. But your suppression system has to actually catch the original unsubscribe; mixing up sources, lists, and brands is one of the most common ways well-meaning operators end up with FTC complaints.
(Mailneo's global suppression rolls all of this up to the account level; an unsubscribe on any list suppresses across all lists unless the operator explicitly re-enables. Most customers prefer this default.)
What about purchased lists?
CAN-SPAM does not technically prohibit you from buying a list. It does prohibit harvesting addresses from public websites, generating addresses through dictionary attacks, and using addresses obtained through these methods. It also makes you fully responsible for everything else: header honesty, opt-out, physical address, complaint rates.
In practice, purchased lists are a trap. The acquisition costs are real, the deliverability is terrible (you almost always hit spam traps), and the complaint rate destroys your sender reputation in a week. The legal exposure is the smallest of the problems. Don't.
If you've inherited a purchased list and you're stuck with it, the only defensible move is a re-permission campaign sent from a domain that is not your primary sending identity. Treat the response as the new list. Discard the rest.
Practical CAN-SPAM compliance checklist
Working version, refined across several customer reviews. Run this before every campaign.
- From, To, and Reply-To fields point to identities you control
- SPF, DKIM, and DMARC pass on the sending domain
- Subject line accurately reflects the body
- Message reads as promotional or includes explicit ad disclosure
- Footer contains a current postal address (street, PO box, or registered CMRA)
- Unsubscribe link is visible, one-click, and does not require login
- List-Unsubscribe and List-Unsubscribe-Post headers are present
- Suppression list updates within seconds of unsubscribe click
- Agency, affiliate, and partner sends are documented and approved
- Bounce and complaint feedback loops route into suppression automatically
Key takeaways
- CAN-SPAM is opt-out, not opt-in; you can legally cold email US recipients if the message meets all seven rules
- The current per-email maximum civil penalty is $51,744 as of the FTC's 2024 adjustment
- You have ten business days to honor an opt-out; for deliverability, treat the requirement as seconds
- Both the company being advertised and the company doing the sending are liable; sort responsibility out in writing
- If you also send to EU or California recipients, GDPR and CCPA add stricter requirements on top of CAN-SPAM
Frequently asked questions
Does CAN-SPAM apply to B2B email?
Yes. There is no carve-out for business-to-business commercial email. The same seven rules apply whether your recipient is jane.smith@gmail.com or jane.smith@enterprise.com. The misconception probably comes from Europe; some EU member states allow a narrower "legitimate interest" basis for B2B, but that is GDPR, not CAN-SPAM, and even there the protections still apply.
Can I send a single cold email under CAN-SPAM?
A single cold email is legal if it meets all seven rules. The most common gap I see in cold outreach is the missing physical address; senders who are used to personal-looking one-to-one emails forget the law treats any commercial message the same way. Add a postal address and an unsubscribe option to your cold-email template and you're materially compliant.
Does CAN-SPAM preempt state laws?
Partially. CAN-SPAM preempts state laws that specifically regulate commercial email content. It does not preempt state laws covering fraud, deception, or trespass, and it explicitly does not preempt the CCPA or CPRA in California. So a message can be CAN-SPAM compliant and still violate California consumer privacy law.
What counts as a "valid physical postal address"?
A street address you operate from, a US Postal Service PO Box you have registered, or a private mailbox at a commercial mail receiving agency registered under USPS form 1583. A "virtual office" address counts only if mail sent there is actually delivered to you.
Can I email someone again if they unsubscribed?
Only with a fresh, affirmative consent. If they fill out a new signup form on your site months later, you can email them. If they reply to a transactional message, that does not count as re-consent. Operators sometimes try to argue "they signed up on a partner form" or "we acquired their company" as workarounds; neither defends well under FTC scrutiny.
Related resources
- Mailneo CAN-SPAM tooling and policies
- CAN-SPAM glossary entry
- Unsubscribe glossary entry
- Opt-in glossary entry
- GDPR email marketing guide
- How to set up SPF, DKIM, and DMARC
- How to avoid the spam folder
- How to start email marketing
Further reading (external)
- FTC CAN-SPAM Act compliance guide (ftc.gov)
- FTC primary purpose rule (federalregister.gov)
- FTC 2024 civil penalty adjustments (federalregister.gov)
- RFC 8058: One-Click List-Unsubscribe (ietf.org)
- USPS PO Box information (usps.com)