CAN-SPAM Act Guide: Requirements & Compliance Checklist

How to Determine Message Type: The FTC uses a "primary purpose" test. If a message contains both commercial and transactional content, evaluate which is the primary purpose:

Primary Purpose Factors:

• Location of commercial vs. transactional content
• Portion of the message devoted to each purpose
• Subject line content
• Overall impression on a reasonable recipient

Mixed Content Example: An order confirmation (transactional) that includes a product recommendation section (commercial) is likely still transactional if the order details appear first and comprise most of the message.

The Seven CAN-SPAM Requirements

CAN-SPAM establishes seven main requirements for commercial email. Violating any of these can result in penalties.

Requirement 1: No False or Misleading Header Information

The "From," "To," "Reply-To," and routing information must be accurate.

What This Means:

• "From" name and email must accurately identify the sender
• Domain names must be ones you legitimately use
• Reply-To addresses must route to you or someone authorized to handle responses

Compliant Examples:

From: "Sarah at BillionVerify" <sarah@billionverify.com>
From: "BillionVerify Marketing" <marketing@billionverify.com>
From: "BillionVerify" <newsletter@billionverify.com>

Non-Compliant Examples:

From: "Customer Service" <support@randomdomain.com>
(if you're not associated with that domain)

From: "Amazon" <deals@notyourdomain.com>
(impersonating another company)

From: "noreply@billionverify.com" with Reply-To pointing to an abandoned mailbox

Technical Considerations:

• Email authentication (SPF, DKIM, DMARC) supports compliance
• Third-party senders must clearly identify the actual sender
• Multiple "From" addresses on same campaign should be consistent

Requirement 2: No Deceptive Subject Lines

Subject lines must accurately reflect the content of the message.

The Standard: Would a reasonable recipient be misled about the subject matter?

Compliant Examples:

Subject: Your weekly marketing tips from BillionVerify
Subject: 20% off email verification - this week only
Subject: New feature announcement: Real-time API
Subject: Quick question about your email strategy

Non-Compliant Examples:

Subject: Re: Your account
(when it's not a reply about their account)

Subject: Invoice attached
(when there's no invoice, just marketing)

Subject: Action required
(when no action is actually required)

Subject: You've won!
(when they haven't won anything)

Gray Area Tactics: Some marketers use curiosity-driven subjects that technically don't mislead but push boundaries. Consider both legal compliance and subscriber trust when crafting subjects.

For more guidance, see our email subject lines guide.

Requirement 3: Identify the Message as an Advertisement

Commercial messages must be identifiable as advertisements.

Flexibility in Implementation: The law doesn't require specific language like "Advertisement" or "Ad." It gives senders discretion in how to disclose the commercial nature of the message.

Acceptable Approaches:

• Header notice: "This is a promotional message from BillionVerify"
• Clear promotional context throughout
• Footer disclosure: "You're receiving this promotional email because..."
• Obviously commercial content (sale announcements, product promotions)

When More Explicit Disclosure Is Needed:

• Content that might be mistaken for personal communication
• Editorial-style content with embedded promotions
• Messages that don't obviously appear commercial

Best Practice: If there's any doubt about whether your message is clearly commercial, add an explicit disclosure.

Requirement 4: Include Physical Postal Address

Every commercial email must include your valid physical postal address.

Acceptable Address Types:

• Current street address
• Post Office box registered with the US Postal Service
• Private mailbox (PMB) registered with a commercial mail receiving agency (like UPS Store)

Format Examples:

BillionVerify, Inc.
123 Main Street, Suite 100
San Francisco, CA 94105

BillionVerify, Inc.
PO Box 12345
San Francisco, CA 94102

Common Mistakes:

• Missing address entirely
• Using address of a location you no longer occupy
• International addresses only (US address required for US recipients)
• Unregistered PO boxes or mailboxes

For International Senders: If you're outside the US but emailing US recipients, you need a valid US postal address. Options include:

• US office address if you have one
• Registered agent address
• Commercial mail receiving service

Requirement 5: Provide Clear Unsubscribe Mechanism

Every commercial email must include a clear, conspicuous way to opt out.

Requirements for Unsubscribe Mechanism:

Easy to Find: Not hidden in fine print or difficult-to-read colors.

Easy to Execute:

• Must be able to unsubscribe with minimal effort
• No fees or charges
• No personal information beyond email address
• No login required
• No jumping through multiple pages

Technology Requirements:

• Link must be functional for at least 30 days after sending
• Must process requests within 10 business days (immediately is better)
• Can use unsubscribe link or email-based opt-out

Compliant Unsubscribe Formats:

[Unsubscribe from this list]

Manage preferences | Unsubscribe

Click here to unsubscribe or email unsubscribe@billionverify.com

Don't want these emails? [Unsubscribe instantly]

Non-Compliant Approaches:

To unsubscribe, send a letter to... (mailing address only)

Unsubscribe by logging into your account and navigating to settings

To unsubscribe, email us with your request and we'll process within 30 days

Requirement 6: Honor Opt-Out Requests Promptly

You must process opt-out requests within 10 business days.

After Processing, You Cannot:

• Send any further commercial emails to that address
• Sell or transfer the email address to another party
• Have another entity send on your behalf

Best Practices:

• Process immediately (within minutes, not days)
• Send confirmation that unsubscribe was processed
• Add to suppression list to prevent re-adding
• Apply across all marketing lists, not just one

Global vs. Selective Unsubscribe: CAN-SPAM allows offering "some" vs. "all" options, but:

• A global unsubscribe must be available
• If they choose global, honor it completely
• Preference centers can offer alternatives

Suppression List Management: Maintain permanent suppression lists to ensure unsubscribed addresses never receive marketing emails again, even if they appear on purchased or partner lists.

Requirement 7: Monitor Third-Party Compliance

You're responsible for what others send on your behalf.

This Applies To:

• Email service providers
• Marketing agencies
• Affiliates and partners
• Contractors and freelancers

Due Diligence Requirements:

• Contractually require CAN-SPAM compliance
• Monitor what's being sent in your name
• Establish approval processes for third-party campaigns
• Respond to complaints about partner-sent emails

Liability Example: If an affiliate sends spam promoting your product with deceptive subject lines and no unsubscribe link, both you and the affiliate may face penalties.

CAN-SPAM Penalties and Enforcement

Understanding the consequences of non-compliance underscores the importance of getting it right.

Civil Penalties

Per-Violation Fines:

• Up to $51,744 per email that violates CAN-SPAM
• Each separate email is a separate violation
• Penalties can multiply quickly with large sends

Example Scenario: Sending 10,000 non-compliant emails could theoretically result in over $500 million in fines. While maximum penalties aren't always assessed, the potential exposure is significant.

Aggravated Violations

Enhanced Penalties Apply For:

• Harvesting: Collecting addresses from websites without permission
• Dictionary Attacks: Generating addresses by combining words/numbers
• Automated Account Creation: Creating accounts to send spam
• Relay or Retransmission: Unauthorized use of other servers
• False Registration: Providing false information for domains or accounts

These practices can result in additional fines and criminal prosecution.

Criminal Penalties

Jail Time Is Possible For:

• Using false identity information
• Hacking to send emails
• Sending via hijacked computers (botnets)
• Using relay servers without authorization

Criminal penalties can include up to 5 years in prison.

Who Enforces CAN-SPAM?

Federal Trade Commission (FTC): Primary enforcement authority for most violations.

State Attorneys General: Can bring actions under CAN-SPAM.

Internet Service Providers: Can sue senders who violate the act.

Other Federal Agencies: FCC, banking regulators for their respective industries.

Notable Enforcement Actions

Significant CAN-SPAM Cases:

Jumpstart Technologies ($900,000): Deceptive subject lines, inadequate unsubscribe.

Phillip Flora ($2.5 million): Spamming pharmaceutical products.

Sanford Wallace ($4 million + criminal charges): Serial spammer with multiple violations.

Qchex ($8.5 million): Deceptive check payment schemes via email.

These cases demonstrate that enforcement is real and penalties are substantial.

CAN-SPAM Compliance Checklist

Use this comprehensive checklist to audit your email marketing program.

Pre-Send Checklist

Sender Information:

• [ ] "From" name accurately identifies sender
• [ ] "From" email address uses legitimate domain
• [ ] "Reply-To" routes to monitored mailbox
• [ ] Domain has valid SPF, DKIM, and DMARC records

Subject Line:

• [ ] Accurately reflects email content
• [ ] Not deceptive or misleading
• [ ] Doesn't falsely suggest prior relationship

Email Content:

• [ ] Commercial nature is identifiable
• [ ] Valid physical postal address included
• [ ] Unsubscribe mechanism present and visible
• [ ] Unsubscribe link is functional
• [ ] No deceptive content or false claims

Unsubscribe Process**:

• [ ] One-click or minimal-step unsubscribe
• [ ] No login required
• [ ] No fee charged
• [ ] No unnecessary personal information requested
• [ ] Confirmation sent after processing
• [ ] Processed within 10 business days (ideally immediately)
• [ ] Suppression list maintained and checked

Ongoing Compliance

List Management:

• [ ] Suppression list checked before every send
• [ ] List sources documented
• [ ] No purchased lists without verified consent
• [ ] Regular email verification to remove invalid addresses
• [ ] Email list hygiene practiced regularly

Third-Party Oversight:

• [ ] Contracts include CAN-SPAM compliance requirements
• [ ] Third-party sends monitored and approved
• [ ] Complaint handling process established
• [ ] Regular audits of partner practices

Documentation:

• [ ] Opt-out processing logs maintained
• [ ] Complaint records kept
• [ ] Third-party agreements documented
• [ ] Compliance training records

CAN-SPAM vs. Other Regulations

Understanding how CAN-SPAM compares to other laws helps navigate multi-jurisdictional compliance.

CAN-SPAM vs. GDPR

Practical Approach: If you email both US and EU recipients, follow GDPR standards—they exceed CAN-SPAM requirements.

For detailed GDPR guidance, see our GDPR email marketing guide.

CAN-SPAM vs. CASL

CASL is significantly stricter than CAN-SPAM. Cold emailing Canadian contacts without proper consent is generally prohibited.

CAN-SPAM vs. CCPA/CPRA

CCPA/CPRA focuses on data privacy rather than email specifically:

CCPA Additions:

• Right to know what data is collected
• Right to delete personal information
• Right to opt out of data sales
• Non-discrimination for exercising rights

While CCPA doesn't directly regulate email content, it affects how you collect, store, and use email addresses.

Common CAN-SPAM Mistakes and How to Avoid Them

Learn from these frequent compliance failures.

Mistake 1: Missing Unsubscribe Link

The Problem: Sending commercial emails without a way to opt out.

How It Happens: Template errors, new employee mistakes, automated sequences without unsubscribe.

The Fix:

• Include unsubscribe in every template
• Audit all automated sequences
• Test every email before sending
• Use ESPs that require unsubscribe links

Mistake 2: Slow Unsubscribe Processing

The Problem: Taking more than 10 business days to process opt-outs.

How It Happens: Manual processes, technical issues, suppression list not synced.

The Fix:

• Automate unsubscribe processing
• Sync suppression lists in real-time
• Test unsubscribe flow regularly
• Set up alerts for processing delays

Mistake 3: Deceptive Subject Lines

The Problem: Using misleading subjects to boost open rates.

How It Happens: Pressure for metrics, not understanding the law, copying spam tactics.

The Fix:

• Train marketing team on compliance
• Review subjects against content
• Avoid "Re:" unless it's a real reply
• Build culture of honest marketing

Mistake 4: Missing Physical Address

The Problem: No postal address in commercial emails.

How It Happens: Template oversight, address not updated after move, international senders unaware of requirement.

The Fix:

• Add address to master templates
• Use footer components that auto-include address
• Audit templates quarterly
• Update immediately when address changes

Mistake 5: Invalid Email Addresses

The Problem: Sending to bad addresses indicates poor list practices and hurts deliverability.

How It Happens: Old lists, purchased data, no verification process.

The Fix:

• Verify emails at point of collection using real-time verification
• Run bulk verification before campaigns
• Remove bounces immediately
• Use BillionVerify for comprehensive list cleaning

Mistake 6: Ignoring Third-Party Compliance

The Problem: Affiliates or partners sending non-compliant emails on your behalf.

How It Happens: Lack of oversight, no contractual requirements, assuming they know the rules.

The Fix:

• Include compliance requirements in all agreements
• Review and approve partner email campaigns
• Monitor complaints and take action
• Conduct periodic audits

Building a CAN-SPAM Compliant Email Program

Beyond checking boxes, build a culture of compliance.

Email Marketing Best Practices

Permission-Based Marketing: While CAN-SPAM doesn't require consent, permission-based marketing outperforms:

• Higher open rates
• Better deliverability
• Fewer complaints
• Stronger customer relationships

See our email marketing best practices guide for more.

List Quality Focus: Maintaining clean email lists supports compliance and performance:

• Regular verification with BillionVerify
• Prompt bounce removal
• Engagement-based segmentation
• Re-permission campaigns for old lists

Transparent Practices: Build trust through transparency:

• Clear sender identity
• Honest subject lines
• Valuable content that matches expectations
• Easy, reliable unsubscribe

Team Training and Culture

Regular Training On:

• CAN-SPAM requirements
• Company email policies
• Complaint handling procedures
• Third-party management

Culture Elements:

• Compliance valued over short-term metrics
• Questions encouraged about borderline practices
• Regular policy reviews
• Learning from industry mistakes

Technical Infrastructure

Essential Technical Setup:

• Email authentication (SPF, DKIM, DMARC)
• Reliable unsubscribe processing
• Suppression list management
• Delivery monitoring
• Complaint feedback loops

Integration with Verification: Integrate email verification into your workflow:

• API verification at signup
• Bulk verification before campaigns
• Automated removal of invalid addresses

Conclusion

CAN-SPAM compliance is straightforward once you understand the requirements. The seven core rules—accurate headers, honest subjects, ad identification, physical address, clear unsubscribe, prompt processing, and third-party monitoring—aren't difficult to follow with proper processes in place.

Key Takeaways:

1. Compliance Is Non-Negotiable: Penalties of up to $51,744 per violation add up quickly. Invest in proper processes.

2. Go Beyond Minimum Requirements: Permission-based marketing performs better than the opt-out minimum CAN-SPAM allows.

3. Unsubscribe Is Sacred: Make it easy, process it fast, and never send to opted-out addresses.

4. Maintain List Quality: Use email verification to ensure you're reaching valid addresses with proper practices.

5. Monitor Third Parties: You're responsible for what others send on your behalf.

6. Document Everything: Maintain records of compliance practices, opt-outs, and third-party agreements.

CAN-SPAM sets the floor for commercial email in the United States, but successful marketers build far above that floor. By combining legal compliance with respect for subscriber preferences and commitment to list quality, you'll build an email program that drives results while staying on the right side of the law.

For broader compliance guidance covering international regulations, see our complete email compliance guide. And ensure every email reaches a valid address by verifying your lists with BillionVerify.