COMPLIANCE GUIDE — UNITED STATES

CAN-SPAM Act Compliance Guide for Email Senders

The 7 legal requirements, current penalty amounts, the 2024 enforcement record, and what changed for bulk senders in 2024. Updated for 2026.

What CAN-SPAM Is — and What It Is Not

The Controlling the Assault of Non-Solicited Pornography and Marketing Act was signed into US law in 2003 and remains in force today. The FTC enforces it and adjusts penalties annually for inflation. The 2025 per-email penalty is $51,744 (adjusted from the original $11,000 cap) — with no maximum total fine. A campaign of 10,000 non-compliant emails theoretically exposes the sender to over $500 million in penalties.

The most important misconception about CAN-SPAM: it is not an opt-in law. You can legally send unsolicited commercial email to anyone in the United States, as long as you comply with the 7 requirements below. This is the fundamental difference from GDPR (which requires prior consent for B2C) and CASL (which requires prior consent for almost all commercial messages). CAN-SPAM simply requires that recipients can opt out, and that you honour that opt-out promptly.

A second misconception: CAN-SPAM applies to all commercial email, not just mass marketing. A one-off email from a sales rep promoting a product is subject to CAN-SPAM. The law also applies to emails sent from outside the US if the recipient is in the US — jurisdiction follows the recipient, not the sender.

The 7 CAN-SPAM Requirements

These are not best practices — they are legal requirements. Failure to comply with any one makes each email sent a separate violation.

1. Don't use false or misleading header information

The "From," "To," "Reply-To," and routing information must accurately identify who is sending the message. Using a false name or spoofed domain in the From field violates this requirement. Note that display names matter — "Customer Service" when the actual sender is a marketing vendor may constitute misleading header information.

2. Don't use deceptive subject lines

The subject line must accurately reflect the content of the message. Subject lines like "Re: your inquiry" when there was no prior inquiry, or "Your account details" for a promotional email, violate this requirement. The FTC examines whether an ordinary person reading the subject line would understand they are about to receive a commercial message.

3. Identify the message as an advertisement

The law requires "clear and conspicuous" disclosure that the message is an advertisement. The FTC does not specify exact wording, but somewhere in the email it must be apparent the message is commercial. The disclosure can be subtle — small text identifying the sender as a commercial entity sending promotional content generally satisfies this requirement.

4. Include a valid physical postal address

Every commercial email must include your organisation's current street address, a PO box registered with the US Postal Service, or a private mailbox registered with a commercial mail receiving agency. This was a direct enforcement point in the 2024 Verkada action — the company lacked a physical postal address in its emails. A valid EU business address satisfies this requirement for non-US senders targeting US recipients.

5. Tell recipients how to opt out of future email

Every commercial email must contain a clear mechanism for recipients to opt out of future messages — an unsubscribe link, a reply-to address, or equivalent. The mechanism must be functional for at least 30 days after sending. One-click unsubscribe (now required by Gmail and Yahoo for bulk senders) satisfies this requirement and goes beyond it.

6. Honour opt-out requests promptly

You must process opt-out requests within 10 business days. After that period, you may not send additional commercial email to the opted-out address. You cannot charge a fee, require the recipient to give you personal information beyond an email address, or require any steps beyond a single visit to a webpage to opt out. You also cannot sell or transfer the opted-out address to another sender.

7. Monitor what others are doing on your behalf

This is the least understood requirement. If you hire a marketing agency, email vendor, or affiliate to send commercial email on your behalf, both parties can be held liable for violations. The FTC's position is clear: you cannot claim ignorance of what your vendors are doing in your name. The company whose product is promoted is equally liable to the company that sent the email. This makes third-party email programmes a significant legal exposure if not properly supervised.

The 2024 Enforcement Record — Why This Matters Now

CAN-SPAM enforcement was historically rare — fewer than 30 documented enforcement actions in two decades. That changed in 2024. In August 2024, the FTC and the Department of Justice brought action against Verkada, a security camera company, for CAN-SPAM violations. The resulting penalty — $2.95 million — is the largest CAN-SPAM fine ever levied. The specific violations:

  • Sending marketing emails without a functioning opt-out mechanism
  • Continuing to send to recipients who had opted out
  • Omitting a valid physical postal address from emails
  • Mischaracterising promotional emails as account or service notices

The FTC also publicly stated in 2025 that it is using AI and machine learning tools to identify CAN-SPAM violations at scale — analysing subject lines, sender domains, and complaint patterns. The era of CAN-SPAM being an unenforced technicality is over. The FTC has also signalled increased scrutiny of affiliate and partner email programmes, where brands have historically claimed plausible deniability for vendor-sent emails.

CAN-SPAM vs the 2024 Gmail and Yahoo Bulk Sender Requirements

In February 2024, Gmail and Yahoo introduced mandatory bulk sender requirements that go significantly beyond CAN-SPAM in several areas. Senders who are only CAN-SPAM compliant — but not compliant with the new ISP requirements — face deliverability consequences even if they face no legal penalty.

RequirementCAN-SPAMGmail/Yahoo 2024
UnsubscribeWithin 10 business daysWithin 2 days (one-click)
Authentication (SPF, DKIM, DMARC)Not requiredMandatory for bulk senders
Spam complaint rateNot specifiedBelow 0.10% (enforced)
List-Unsubscribe headerNot requiredRequired (bulk senders)
Physical addressRequiredNot specified

The practical implication: legal CAN-SPAM compliance is the minimum bar. Operational deliverability compliance requires meeting the Gmail and Yahoo 2024 standards, which are stricter on authentication, unsubscribe speed, and complaint rate management.

CAN-SPAM and B2B Email — What the Law Actually Says

CAN-SPAM explicitly states it makes no exception for business-to-business email. Every commercial email sent to a business address must comply with all 7 requirements. The FTC's compliance guide says this directly: "The law makes no exception for business-to-business email."

In practice, however, the commercial email that generates FTC enforcement attention is high-volume consumer email, not low-volume B2B outreach. Cold email to business contacts generally presents lower legal risk under CAN-SPAM than mass B2C marketing — not because B2B email is exempt, but because the enforcement priority is different.

The key distinction: transactional email is excluded from most CAN-SPAM requirements. An email confirming a purchase, delivering a product, or responding to a customer inquiry is transactional, not commercial. The primary purpose of the message determines which category applies. A transactional email that includes a promotional postscript becomes a commercial message if the promotional content is the dominant purpose.

Implementation Checklist

Use this checklist before launching any commercial email programme or reviewing an existing one. Every commercial email that goes out should satisfy all seven items.

Key Numbers

$51,744
Per-email penalty (2025 inflation-adjusted)
$2.95M
Record CAN-SPAM fine (Verkada, 2024)
10 days
Maximum time to honour opt-out requests
No limit
Maximum total fine — each email is a separate violation

Infrastructure compliance note

CAN-SPAM compliance is the legal minimum. Gmail and Yahoo's 2024 bulk sender requirements — mandatory SPF, DKIM, DMARC, and one-click unsubscribe — are the operational minimum for inbox delivery. Our infrastructure includes all authentication setup and unsubscribe header configuration by default.

See Infrastructure Plans →