CAN-SPAM Compliance: The Complete Guide for US Email Marketers (2026)
Everything US email marketers need to know about CAN-SPAM compliance. Requirements, penalties, best practices, and how to avoid violations.
TL;DR - CAN-SPAM Essentials
CAN-SPAM is the US federal law governing commercial email. Unlike GDPR or CASL, you don't need prior consent to send emails, but you must:
- Use accurate "From" names and subject lines
- Include your physical mailing address
- Provide a clear unsubscribe link
- Honor unsubscribe requests within 10 days
- Identify commercial messages as ads (when applicable)
Penalties: Up to $51,744 per email violation. Follow these rules and you're compliant.
Why CAN-SPAM Matters for Your Business
The FTC actively enforces CAN-SPAM. Violations are expensive.
The FTC fined an e-commerce company $145,000 in 2023 for failing to honor opt-outs and using misleading subject lines. These mistakes are completely preventable.
Non-compliant emails face serious consequences:
- ISP blocking (Gmail, Outlook will filter you out)
- Service provider termination (Mailchimp, SendGrid will cancel your account)
- Damage to sender reputation (hard to recover from)
- Loss of customer trust
CAN-SPAM is the most permissive major email law. If you're marketing in the US, compliance is straightforward.
Understanding CAN-SPAM
The Controlling the Assault of Non-Solicited Pornography And Marketing Act became law in 2003. Yes, that's the actual name.
What CAN-SPAM Covers
CAN-SPAM applies to:
- Commercial messages (promoting a product, service, or website)
- Messages sent to US recipients
- Bulk and one-to-one commercial emails
CAN-SPAM does NOT apply to:
- Transactional emails (order confirmations, password resets)
- Relationship messages (account updates, customer service)
- Non-commercial emails (personal correspondence, internal company emails)
The Key Principle: Opt-Out, Not Opt-In
Unlike GDPR or CASL, CAN-SPAM doesn't require you to get permission before emailing someone. It's an "opt-out" law. You can email anyone, but you must let them leave.
This means you CAN:
- Cold email prospects
- Email purchased lists (though we don't recommend it)
- Send unsolicited commercial messages
But you MUST:
- Provide an easy way to opt-out
- Honor opt-out requests promptly
- Follow all other CAN-SPAM requirements
The Seven CAN-SPAM Requirements
1. Don't Use False or Misleading Header Information
Your "From," "To," and "Reply-To" information must be accurate and identify the business sending the email.
Compliant:
- From: "Sarah Johnson at Acme Corp" sarah@acmecorp.com
- From: "Acme Corp Marketing" hello@acmecorp.com
Non-compliant:
- Sending from a domain you don't own
- Using a fake person's name
- Spoofing another company's address
2. Don't Use Deceptive Subject Lines
Your subject line must accurately reflect the email content. No bait and switch.
Compliant:
- "20% Off Winter Jackets - Ends Friday"
- "Your December Invoice from Acme Corp"
- "Quick Question About Your Website"
Non-compliant:
- "RE: Your Order" (when there's no order)
- "Urgent Security Alert" (for a marketing email)
- "You've Won!" (when they haven't)
For more on crafting effective, compliant subject lines, check out our subject line best practices guide.
3. Identify the Message as an Ad
If your message is commercial, you must disclose that it's an advertisement. This requirement is flexible. There's no specific language required.
Most marketers satisfy this by:
- Including promotional language ("Special Offer," "Sale")
- Clear product/service focus
- Obvious commercial intent
You don't need a literal "This is an advertisement" disclaimer unless the email could be confused for something else.
4. Include Your Physical Postal Address
Every commercial email must include a valid physical postal address. This can be:
- Your street address
- A P.O. Box registered to you
- A private mailbox (like UPS Store) registered to you
Put it in your footer:
---
Acme Corporation
123 Main Street, Suite 100
Springfield, IL 62701
Questions? Email us at support@acme.com
5. Provide a Clear Unsubscribe Mechanism
You must include a clear, conspicuous way for recipients to opt-out. The mechanism must:
- Be functional for at least 30 days after sending
- Not require more than the recipient's email address
- Not charge a fee
- Not require the recipient to visit more than one page or take multiple steps
- Not require login to an account
Good unsubscribe links:
- One-click unsubscribe URL
- "Reply STOP to unsubscribe"
- Link to preference center with clear "Unsubscribe from all" option
Bad unsubscribe processes:
- Requiring login
- Asking for additional information
- Multiple pages or confirmation clicks
- Calling or emailing to unsubscribe
- Charging a fee
6. Honor Opt-Out Requests Within 10 Business Days
Once someone opts out, you have 10 business days maximum to stop emailing them. In practice, do it immediately.
You must:
- Stop sending to that email address
- Not sell or transfer the address to another list
- Not use the address for any other purpose
You cannot:
- Charge a fee for processing the opt-out
- Require additional information beyond the email address
- Make them opt-out from each list separately (though you can offer granular preferences)
7. Monitor What Others Do on Your Behalf
If you hire a marketing agency, email service provider, or contractor to send emails for you, you're still legally responsible for their compliance.
You must:
- Verify they understand and follow CAN-SPAM
- Monitor their email practices
- Ensure they honor opt-outs promptly
Choose reputable email service providers that build compliance into their platform.
The Email Compliance Checklist
Use this checklist for every marketing email:
Before Sending
After Someone Unsubscribes
Ongoing
CAN-SPAM Penalties and Enforcement
Each separate email in violation of CAN-SPAM is subject to penalties of up to $51,744.
The FTC brings cases based on:
- Volume of violations (millions of emails = millions in fines)
- Deceptive practices (fake subject lines, fake From names)
- Repeat offenders
- Consumer complaints
Who Can Sue?
- The FTC (federal enforcement)
- State attorneys general
- Internet service providers (ISPs)
- Email service providers (ESPs)
Individual recipients cannot sue under CAN-SPAM, unlike some other consumer protection laws.
What Triggers Enforcement?
- High complaint rates to ISPs
- Consumer complaints to the FTC
- Fraudulent or deceptive practices
- Systematic non-compliance
Special Cases and Common Questions
Q: Can I email someone who gave me their business card?
Yes. CAN-SPAM doesn't require prior consent, so receiving a business card is sufficient.
It's good practice to:
- Email them promptly (while they remember you)
- Reference where you met
- Provide value, not just a sales pitch
- Honor opt-outs immediately
Q: What about purchased email lists?
Legally allowed under CAN-SPAM, but we strongly advise against it.
Purchased lists create problems:
- Recipients don't know you (high spam complaint rates)
- Damages your sender reputation
- Poor engagement and conversion rates
- May violate your ESP's terms of service
- Could violate other laws if the list includes EU or Canadian recipients
Q: Do I need consent to email existing customers?
No. If someone is an existing customer, you can email them marketing messages without prior consent, as long as you:
- Provide an unsubscribe option
- Follow all other CAN-SPAM requirements
- Send relevant messages
Q: What about B2B emails?
B2B email is treated the same as B2C under CAN-SPAM. You can cold email businesses without consent, but must follow all requirements.
Work email addresses at companies are still subject to CAN-SPAM protections.
Q: Can I send one final email after someone unsubscribes?
You can send a confirmation that they've been unsubscribed. Don't use this as an opportunity to:
- Convince them to stay
- Offer one last promotion
- Suggest alternative email lists
Keep it simple: "You've been unsubscribed. Sorry to see you go."
Q: What if someone forwards my email?
If a recipient forwards your email to someone else, you're not responsible for CAN-SPAM compliance for that forwarded message.
However, you cannot:
- Encourage forwarding as a way to build your list
- Email people who received a forward without their consent to your future emails
Q: Are footer links in tiny gray text acceptable?
Technically yes, as long as they're visible and functional. Making your unsubscribe link hard to find is poor practice and may increase spam complaints.
Make it easy for people to leave. They'll either unsubscribe or mark you as spam. Unsubscribes are better for your sender reputation.
CAN-SPAM vs. Other Email Laws
If you're marketing internationally, you may need to comply with additional laws:
GDPR (European Union):
- Requires explicit consent before emailing
- Stricter rules on data collection and storage
- Higher penalties (up to €20 million or 4% of revenue)
CASL (Canada):
- Requires express or implied consent
- Strict record-keeping requirements
- Penalties up to $10 million CAD
If you have recipients in the EU or Canada, you need to comply with those laws in addition to CAN-SPAM.
The Bottom Line
CAN-SPAM compliance is straightforward:
- Be honest
- Let people leave
- Include your address
- Honor opt-outs quickly
Follow these principles and you'll stay compliant while building a quality email list that actually drives results.
The marketers who get in trouble are those who try to trick recipients with fake subject lines, hide unsubscribe links, or ignore opt-out requests. Don't be that marketer.
Need help ensuring your emails are compliant? Use our Subject Line Analyzer to check for spam triggers and misleading language before you send.