CAN-SPAM Act Compliance Guide for Email Senders
The 7 legal requirements, current penalty amounts, the 2024 enforcement record, and what changed for bulk senders in 2024. Updated for 2026.
What CAN-SPAM Is — and What It Is Not
The Controlling the Assault of Non-Solicited Pornography and Marketing Act was signed into US law in 2003 and remains in force today. The FTC enforces it and adjusts penalties annually for inflation. The 2025 per-email penalty is $51,744 (adjusted from the original $11,000 cap) — with no maximum total fine. A campaign of 10,000 non-compliant emails theoretically exposes the sender to over $500 million in penalties.
The most important misconception about CAN-SPAM: it is not an opt-in law. You can legally send unsolicited commercial email to anyone in the United States, as long as you comply with the 7 requirements below. This is the fundamental difference from GDPR (which requires prior consent for B2C) and CASL (which requires prior consent for almost all commercial messages). CAN-SPAM simply requires that recipients can opt out, and that you honour that opt-out promptly.
A second misconception: CAN-SPAM applies to all commercial email, not just mass marketing. A one-off email from a sales rep promoting a product is subject to CAN-SPAM. The law also applies to emails sent from outside the US if the recipient is in the US — jurisdiction follows the recipient, not the sender.
The 7 CAN-SPAM Requirements
These are not best practices — they are legal requirements. Failure to comply with any one makes each email sent a separate violation.
The "From," "To," "Reply-To," and routing information must accurately identify who is sending the message. Using a false name or spoofed domain in the From field violates this requirement. Note that display names matter — "Customer Service" when the actual sender is a marketing vendor may constitute misleading header information.
The subject line must accurately reflect the content of the message. Subject lines like "Re: your inquiry" when there was no prior inquiry, or "Your account details" for a promotional email, violate this requirement. The FTC examines whether an ordinary person reading the subject line would understand they are about to receive a commercial message.
The law requires "clear and conspicuous" disclosure that the message is an advertisement. The FTC does not specify exact wording, but somewhere in the email it must be apparent the message is commercial. The disclosure can be subtle — small text identifying the sender as a commercial entity sending promotional content generally satisfies this requirement.
Every commercial email must include your organisation's current street address, a PO box registered with the US Postal Service, or a private mailbox registered with a commercial mail receiving agency. This was a direct enforcement point in the 2024 Verkada action — the company lacked a physical postal address in its emails. A valid EU business address satisfies this requirement for non-US senders targeting US recipients.
Every commercial email must contain a clear mechanism for recipients to opt out of future messages — an unsubscribe link, a reply-to address, or equivalent. The mechanism must be functional for at least 30 days after sending. One-click unsubscribe (now required by Gmail and Yahoo for bulk senders) satisfies this requirement and goes beyond it.
You must process opt-out requests within 10 business days. After that period, you may not send additional commercial email to the opted-out address. You cannot charge a fee, require the recipient to give you personal information beyond an email address, or require any steps beyond a single visit to a webpage to opt out. You also cannot sell or transfer the opted-out address to another sender.
This is the least understood requirement. If you hire a marketing agency, email vendor, or affiliate to send commercial email on your behalf, both parties can be held liable for violations. The FTC's position is clear: you cannot claim ignorance of what your vendors are doing in your name. The company whose product is promoted is equally liable to the company that sent the email. This makes third-party email programmes a significant legal exposure if not properly supervised.
The 2024 Enforcement Record — Why This Matters Now
CAN-SPAM enforcement was historically rare — fewer than 30 documented enforcement actions in two decades. That changed in 2024. In August 2024, the FTC and the Department of Justice brought action against Verkada, a security camera company, for CAN-SPAM violations. The resulting penalty — $2.95 million — is the largest CAN-SPAM fine ever levied. The specific violations:
- ✗Sending marketing emails without a functioning opt-out mechanism
- ✗Continuing to send to recipients who had opted out
- ✗Omitting a valid physical postal address from emails
- ✗Mischaracterising promotional emails as account or service notices
The FTC also publicly stated in 2025 that it is using AI and machine learning tools to identify CAN-SPAM violations at scale — analysing subject lines, sender domains, and complaint patterns. The era of CAN-SPAM being an unenforced technicality is over. The FTC has also signalled increased scrutiny of affiliate and partner email programmes, where brands have historically claimed plausible deniability for vendor-sent emails.
CAN-SPAM vs the 2024 Gmail and Yahoo Bulk Sender Requirements
In February 2024, Gmail and Yahoo introduced mandatory bulk sender requirements that go significantly beyond CAN-SPAM in several areas. Senders who are only CAN-SPAM compliant — but not compliant with the new ISP requirements — face deliverability consequences even if they face no legal penalty.
| Requirement | CAN-SPAM | Gmail/Yahoo 2024 |
|---|---|---|
| Unsubscribe | Within 10 business days | Within 2 days (one-click) |
| Authentication (SPF, DKIM, DMARC) | Not required | Mandatory for bulk senders |
| Spam complaint rate | Not specified | Below 0.10% (enforced) |
| List-Unsubscribe header | Not required | Required (bulk senders) |
| Physical address | Required | Not specified |
The practical implication: legal CAN-SPAM compliance is the minimum bar. Operational deliverability compliance requires meeting the Gmail and Yahoo 2024 standards, which are stricter on authentication, unsubscribe speed, and complaint rate management.
CAN-SPAM and B2B Email — What the Law Actually Says
CAN-SPAM explicitly states it makes no exception for business-to-business email. Every commercial email sent to a business address must comply with all 7 requirements. The FTC's compliance guide says this directly: "The law makes no exception for business-to-business email."
In practice, however, the commercial email that generates FTC enforcement attention is high-volume consumer email, not low-volume B2B outreach. Cold email to business contacts generally presents lower legal risk under CAN-SPAM than mass B2C marketing — not because B2B email is exempt, but because the enforcement priority is different.
The key distinction: transactional email is excluded from most CAN-SPAM requirements. An email confirming a purchase, delivering a product, or responding to a customer inquiry is transactional, not commercial. The primary purpose of the message determines which category applies. A transactional email that includes a promotional postscript becomes a commercial message if the promotional content is the dominant purpose.
Implementation Checklist
Use this checklist before launching any commercial email programme or reviewing an existing one. Every commercial email that goes out should satisfy all seven items.
Key Numbers
Related Compliance Guides
Infrastructure compliance note
CAN-SPAM compliance is the legal minimum. Gmail and Yahoo's 2024 bulk sender requirements — mandatory SPF, DKIM, DMARC, and one-click unsubscribe — are the operational minimum for inbox delivery. Our infrastructure includes all authentication setup and unsubscribe header configuration by default.
See Infrastructure Plans →