[Image: Email spam on a computer screen]

CAN-SPAM Compliance: What Email Marketers Need to Know

It may not have an outstanding reputation, but the United States CAN-SPAM Act of 2003 was one of the first pieces of federal legislation to try to tackle the issue of email spam.

If you send commercial emails, some of the best practices you follow today came about thanks to CAN-SPAM compliance. At the time that CAN-SPAM became law, unsolicited emails were growing into an issue that was serious enough for lawmakers to take action.

Though there may be plenty of flaws in the legislation, we likely owe the survival of the legitimate email marketing industry, in part, to CAN-SPAM’s efforts to rein in the wild west of email.

What prompted some to call it the “You-Can-Spam” Act? Does your company have to worry about CAN-SPAM compliance? What happens if you violate this anti-spam law? Let’s dig into the details ...

What is the CAN-SPAM Act?

President George W. Bush made email history when he signed the bipartisan bill into law in 2003. The CAN-SPAM Act preempted most pre-existing anti-spam laws at the state level. That’s one of the primary critiques of the federal law. Some say CAN-SPAM was an attempt to undermine a much more restrictive anti-spam law in California.

CAN-SPAM stands for “Controlling the Assault of Non-Solicited Pornography And Marketing.” The goal is to protect consumers from unwanted, sometimes dangerous messages. Why? Because people were suffering through hundreds of unsolicited emails.

Back in the day, outlaw spammers quickly recognized email as a way to reach millions of people to get a few sales at best -- or to do something much more malicious.

We’re going to ride our trusty ole steed into the dry desert air and explore the details of CAN-SPAM, what it covers, what it doesn’t, and how exactly companies can stay on the good side of the law.

Following CAN-SPAM compliance might save you from a hefty federal penalty while supporting healthy email deliverability. So there’s a lot of motivation to stay on marked trails. Let’s head on out.

CAN-SPAM compliance: 7 Keys to the law

The Federal Trade Commission (FTC) summarizes the law into seven main points:

1. Don’t use false or misleading header information

The “From:”, “To:”, and “Reply-To:” fields and the routing information in an email must accurately identify the sender and the recipient. That includes the originating email address and domain, and the name of the business or person sending the email.

2. Don’t use deceptive subject lines

Subject lines should not misrepresent the contents of commercial emails.

3. Identify the message as an ad

While you don’t need to outright proclaim an email as an advertisement, the FTC says marketers “must disclose clearly and conspicuously that your message is an advertisement.”

4. Tell recipients where you’re located

A valid physical postal address must appear in the email message. That can be a current street address, a post office box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail-receiving agency under USPS regulations.

5. Tell recipients how to opt out from future emails

This may be the most important CAN-SPAM requirement. Commercial emails must give recipients a way to stop receiving those messages. Whatever method is chosen, the process of opting out should be clear and easy to understand and act upon.

6. Honor opt-out requests promptly

Once an individual opts out of commercial emails, senders have 10 business days to comply with the request.

7. Monitor what others are doing on your behalf

If you hire another company to handle email marketing tasks (an agency, a tech platform, etc.) you are still responsible for ensuring those parties follow the law on your behalf.

More on CAN-SPAM and unsubscribe compliance

While CAN-SPAM itself doesn’t require companies to get permission before sending an initial commercial message, you must provide an opportunity for recipients to unsubscribe and honor that request in a timely manner.

The notice and instructions must be easy to understand, and the opt-out mechanism must be internet-based: a working reply address or a web page. No, you can’t require that someone call an 800 number or visit your office to opt out.

You must always provide the option to unsubscribe from all commercial messages but can offer alternatives such as to remain subscribed only to monthly newsletters.

Businesses must complete unsubscribe requests within 10 business days and keep the opt-out mechanism working for at least 30 days after the email is sent.

Finally, you can’t charge a fee, request additional personal information, or require subscribers to visit more than a single page to unsubscribe. Basically — no tricks!
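The opt-out rules above are mechanical enough to put into the sending pipeline itself. What follows is an added example, not code from the article or from Email on Acid: a business-day calculator for the 10-business-day deadline, a case-insensitive suppression list that labels any send to an opted-out address as "ok", "grace" (request received but deadline not yet passed) or "violation", and a check that a tokenized unsubscribe link is still honored 30 days after the send. The holiday calendar, the three labels and the sample dates are assumptions; the statute only says "business days".

```python
"""Opt-out bookkeeping for the unsubscribe rules: honor a request within 10
business days and keep the mechanism working for at least 30 days after the send."""
from datetime import date, timedelta

OPT_OUT_BUSINESS_DAYS = 10   # deadline to stop sending after a request
OPT_OUT_WINDOW_DAYS = 30     # how long the unsubscribe link must keep working


def add_business_days(start, days, holidays=frozenset()):
    """Date that is `days` business days after `start`.

    Weekends and any supplied holidays are skipped, and the day the request
    arrives is not counted. The holiday calendar is an assumption: the law
    speaks only of business days, so pick one and record it.
    """
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def opt_out_deadline(received, holidays=frozenset()):
    """Last day on which a send to the opted-out address is still lawful."""
    return add_business_days(received, OPT_OUT_BUSINESS_DAYS, holidays)


class SuppressionList:
    """Opted-out addresses, keyed case-insensitively.

    Every send is checked here before it leaves. An address on this list
    must also never be sold or transferred to another sender.
    """

    def __init__(self, holidays=frozenset()):
        self._opted_out = {}
        self._holidays = holidays

    @staticmethod
    def _key(address):
        return address.strip().lower()

    def record_opt_out(self, address, received):
        key = self._key(address)
        # A repeated request must not restart the clock: keep the earliest.
        self._opted_out[key] = min(received, self._opted_out.get(key, received))

    def check_send(self, address, send_date):
        """'ok' if not opted out, 'grace' inside the 10-business-day window
        (lawful, but a queued campaign should be stopped), 'violation' after."""
        key = self._key(address)
        if key not in self._opted_out:
            return "ok"
        if send_date <= opt_out_deadline(self._opted_out[key], self._holidays):
            return "grace"
        return "violation"


def must_honor_link(sent_on, clicked_on):
    """True while the law requires the unsubscribe link in that message to
    work; an expiring token with a shorter lifetime is non-compliant."""
    return sent_on <= clicked_on <= sent_on + timedelta(days=OPT_OUT_WINDOW_DAYS)


if __name__ == "__main__":
    # Constructed sample: request received Friday 2021-03-05, with one
    # assumed company holiday on 2021-03-17.
    holidays = frozenset({date(2021, 3, 17)})
    suppression = SuppressionList(holidays)
    suppression.record_opt_out("User@Example.com ", date(2021, 3, 5))
    print(opt_out_deadline(date(2021, 3, 5), holidays))                   # 2021-03-22
    print(suppression.check_send("user@example.com", date(2021, 3, 10)))  # grace
    print(suppression.check_send("user@example.com", date(2021, 3, 23)))  # violation
    print(must_honor_link(date(2021, 3, 1), date(2021, 3, 31)))           # True
```

The "grace" label exists because a request usually lands while a campaign is already queued at the ESP; treating that as lawful but actionable lets the pipeline stop the queue rather than silently continue for two weeks.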

More on CAN-SPAM compliance and content

The content of your email not only establishes whether your message is commercial or transactional, it dictates a large portion of compliance. Again, the theme here is to be transparent about your company and intentions.

Your header information must be accurate. The “From” name must identify your company and the “To” name and “Reply-To” information must be accurate along with the originating domain and email address.

Your subject line can’t be deceptive, and the message must identify itself as an ad. There’s a lot of wiggle room here and no specific language you must use, in the subject line or elsewhere. Essentially, marketers shouldn’t promise one thing in the subject line and deliver something else once the email is opened.

The message, in addition to information about opting out, must list a valid United States postal address or comply with USPS regulations for private mailboxes.

Finally, if a message contains sexually explicit material, the FTC’s rule adds a subject-line requirement: the subject must begin with the 19-character label “SEXUALLY-EXPLICIT: ” (colon and trailing space included). And if the recipient hasn’t given affirmative consent to receive sexually explicit content, that content must only become visible after the recipient takes a deliberate action such as scrolling or clicking a link; what is initially visible is limited to the label, the sender’s identity, the opt-out notice, and the postal address. This is known as the “brown paper bag” rule.
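The header, opt-out and content rules in the last three sections are the kind of thing a sending pipeline should lint before a campaign goes to the ESP. The following is an added example, not the article’s or Email on Acid’s code, built on Python’s standard-library email parser. The sending-domain list, the footer heuristics for an unsubscribe link and a US postal address, and the two sample messages are all constructed assumptions; the only literal taken from the regulation is the 19-character “SEXUALLY-EXPLICIT: ” label. Whether a subject line is deceptive, or whether the unsubscribe page is really a single step, cannot be judged statically and stays a human check.

```python
"""Pre-send lint for the CAN-SPAM header, opt-out and content requirements,
using the standard-library email parser (Python 3.6+)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the domains this pipeline actually sends from. The law wants
# From/Reply-To/originating domain to be accurate; the static check we can
# make is that they name a domain we operate rather than someone else's.
SENDING_DOMAINS = {"example.com"}

# The FTC rule for sexually explicit messages requires the subject line to
# begin with exactly these 19 characters, colon and trailing space included.
EXPLICIT_LABEL = "SEXUALLY-EXPLICIT: "

# Footer heuristics (assumptions, not legal tests): an internet-based opt-out
# is an http(s) or mailto: link mentioning "unsubscribe"; a US postal address
# is recognised by a "ST 12345" state/ZIP pattern.
OPT_OUT_RE = re.compile(r"(?:https?://|mailto:)\S*unsubscribe\S*", re.I)
POSTAL_RE = re.compile(r"\b[A-Z]{2}\s+\d{5}(?:-\d{4})?\b")


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def lint_message(raw, is_explicit=False):
    """Return a list of findings for an RFC 5322 message; an empty list is clean.

    Deceptive subject lines and multi-step unsubscribe pages cannot be judged
    here, so they remain human review items.
    """
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = _domain(msg["From"])
    if from_domain not in SENDING_DOMAINS:
        findings.append(f"From domain {from_domain!r} is not one we send from")
    if msg["Reply-To"] and _domain(msg["Reply-To"]) not in SENDING_DOMAINS:
        findings.append("Reply-To points outside our sending domains")

    subject = str(msg["Subject"] or "")
    if not subject.strip():
        findings.append("missing subject line")
    if is_explicit and not subject.startswith(EXPLICIT_LABEL):
        findings.append(f"explicit content: subject must begin with {EXPLICIT_LABEL!r}")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if not OPT_OUT_RE.search(body):
        findings.append("no internet-based unsubscribe link or mailto: address in body")
    if not POSTAL_RE.search(body):
        findings.append("no US postal address found in body")
    return findings


# Constructed sample messages (not real campaigns).
COMPLIANT = """\
From: Acme Outfitters <news@example.com>
To: customer@example.net
Reply-To: news@example.com
Subject: Advertisement: spring sale on trail boots
Content-Type: text/plain; charset="utf-8"

Spring sale this week only.
Unsubscribe: https://example.com/unsubscribe?id=123
Acme Outfitters, 100 Main St, Springfield, IL 62701
"""

NONCOMPLIANT = """\
From: Acme Outfitters <deals@example.org>
To: customer@example.net
Subject: Your invoice
Content-Type: text/plain; charset="utf-8"

Buy now! Call 1-800-555-0199 to stop these messages.
"""

if __name__ == "__main__":
    print(lint_message(COMPLIANT))       # []
    for finding in lint_message(NONCOMPLIANT):
        print("-", finding)              # borrowed domain, phone-only opt-out, no address
```

The second sample trips three checks: the From domain is one the sender doesn’t operate, the only opt-out offered is a phone number, and there is no postal address. Its “Your invoice” subject on a sales pitch is exactly the deceptive-subject problem described above, which is why that check is left to a person.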

CAN-SPAM compliance and sender behavior

Regulators generally frown upon what’s considered “funny business.” So, while the law contains substantial gray areas, marketers that deliberately attempt to break the rules are likely to catch the attention of the FTC.

Behaviors such as harvesting email addresses, using false information to register for multiple email accounts, relaying messages to mislead others about the origins of an email, or sending spam from someone else’s computer are criminally punishable.

And once an opt-out request has been received, marketers can’t sell or transfer the email address to circumvent the recipients’ intentions.

It should also be noted that, to help close a potential loophole, the companies being advertised can be held liable even if the message is sent by a third party. You can’t outsource email marketing to get around the law. That’s why it’s very important to know the reputation of third-party partners and the procedures they use that may impact your compliance with anti-spam laws.

Who must comply with CAN-SPAM?

The CAN-SPAM Act reaches widely throughout the business world as it applies to any sort of commercial email — bulk sending of emails is not a requirement to trigger a violation. So if you’re an email marketer, of any kind, you need to be mindful of CAN-SPAM compliance.

The primary situation in which a company wouldn’t need to worry about CAN-SPAM is if the email is purely relational or transactional. That raises the questions:

What is considered a commercial email?

CAN-SPAM defines a commercial email as, “Any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.”

If the main reason for sending an email is to sell something, it’s a commercial email.

What is a transactional or relational email?

A transactional email provides an update to an already agreed-upon commercial transaction or relationship. For eCommerce, this would be something like advising a customer that their order has shipped. In B2B, it might be a quote or a reminder about an upcoming meeting.

The FTC lists five kinds of content that are acceptable in a transactional or relational email:

  1. Updates about an order or previously agreed-upon transaction.
  2. Warranty, recall, safety, or security information.
  3. Change in terms, features, or account information for a membership, subscription, account, loan, or another ongoing relationship.
  4. Employment information or employee benefits.
  5. Actual delivery of goods or services as part of a transaction the subscriber has agreed to.

As long as the message contains only these kinds of content, CAN-SPAM’s commercial-email requirements don’t apply. One rule still does: no email, transactional or not, may carry false or misleading header or routing information.

Understanding an email’s primary purpose

Because CAN-SPAM only applies to commercial emails, it’s incredibly important to understand whether or not what you’re sending is, in fact, commercial.

This becomes complicated, however, because there are times that an email can be considered both transactional and commercial. In this case, the law goes back to “the primary purpose.”

You can determine the primary purpose by analyzing both the subject line and content of the email:

If a message contains both commercial and transactional information, but the subject line sounds, to an average subscriber, like it’s commercial, the email is considered commercial.

If the subject line sounds transactional (“Your order status has been updated”), but the email primarily contains promotional messages, it is, again, considered commercial.

However, if you send a receipt with a reasonable subject line (“Receipt for today’s purchase”) you can include a short promotional message — but it needs to come below the primary transaction information and remain a small portion of the content.

In summary, to be confident an email is considered transactional:

  • Have a clear, non-promotional subject line.
  • Put the transactional information at the beginning.
  • Keep promotional content secondary both in volume and positioning.

This order confirmation and thank-you email from Huckberry is a nice example:

[Image: CAN-SPAM-compliant Huckberry transactional email with a promotion, via Really Good Emails]

The subject line is obviously transactional, and that’s the kind of content the customer sees when the email is opened. All the links for order tracking and the receipt info are there. But there’s also a section at the bottom of the email with “trending products.” Because its primary purpose is transactional, there is no unsubscribe link.

No marketer wants to miss a promotional opportunity, but CAN-SPAM’s potential consequences are no joke. James Glover, CEO of Coherent Path, offers a pretty simple way to break things down:

“My advice to eCommerce email marketers who combine relational and promotional emails is to always go above and beyond the minimum requirements. Treat your customer how you would want to be treated. If they’ve given you permission to email them, don’t abuse that channel. Use it to help the customer and say something relevant every time they open their email. As my mom used to say: if you can’t say something nice, then don’t say anything at all.”

Who enforces CAN-SPAM?

The Federal Trade Commission (FTC) is the primary agency tasked with enforcing CAN-SPAM compliance. The FTC even had the power to create a national do-not-email list similar to the do-not-call registry that exists today. However, the commission decided against this action.

While most enforcement lies with the FTC, state attorneys general, the FCC, and internet service providers can also bring actions, though they rarely do. The FCC is specifically responsible for creating rules to “protect consumers from unwanted mobile service commercial messages.”

But, to the frustration of critics, the law prevents individuals from bringing a suit against spammers. So, in some ways, it takes away the rights of individual subscribers because it preempts most state laws — many of which were more aggressive and allowed individuals to seek compensation.

The FTC has periodically reviewed CAN-SPAM over the years to provide follow-up reports and recommend changes.

In a 2005 follow-up report, the FTC noted two successful overall outcomes. The first was the adoption of “commercial email ‘best practices’ that many legitimate online marketers are now following.” And the second was the ability for ISPs and law enforcement agencies to use the CAN-SPAM Act as a means for action against spammers.

In 2008, the FTC amended its CAN-SPAM Rule in several ways:

  1. Outlined that subscribers could not be forced to pay a fee to unsubscribe.
  2. Clarified the definition of “sender”.
  3. Noted that an accurately registered post office box or private mailbox in compliance with USPS regulations would satisfy the act’s requirement of a physical postal address.
  4. Updated the definition of “persons” to specify that protections applied to more than just natural persons.

The rule was once again reviewed in 2019. The FTC solicited feedback from the public about potential changes as well as whether it provides a meaningful benefit to consumers and/or economic burdens on commercial entities.

The large majority of public feedback favored keeping the rule, and the Commission voted unanimously to retain it without changes.

What are the penalties for CAN-SPAM violations?

Failure to follow the rules for CAN-SPAM compliance may result in some serious financial damage, while more aggravated violations can result in jail time.

How much can you get fined for a CAN-SPAM violation?

Each individual email can be subject to a civil penalty of up to $43,792 (the inflation-adjusted maximum at the time of writing; the FTC revises the figure annually).

If you’re found guilty of additional, more severe kinds of trickery, penalties can include jail time. These include things like, according to the FTC’s site, “relaying or retransmitting multiple spam messages through a computer to mislead others about the origin of the message, harvesting email addresses, or taking advantage of open relays or open proxies without permission.”

It’s more than a threat: the first criminal conviction under the CAN-SPAM Act came in 2004.

Marketo reports fines of $900,000 levied against an IT company and a $2.5 million judgment against a pharmaceutical company, both stemming from misleading headers and subject lines and failure to let recipients opt out.

These penalties aren’t small — they’re enough to get anyone’s attention and warrant careful steps for CAN-SPAM compliance.

How successful has CAN-SPAM been?

Since CAN-SPAM takes precedence over state laws (many of which were tougher) and prevents individual consumers from filing suits, it’s regarded by many to be ineffective.

Marketo calls the law “weak,” even though some cases have resulted in large judgments.

Technically, it is still perfectly legal to send unsolicited emails to people in the United States. There is no opt-in requirement in the CAN-SPAM Act. That’s what led some to dub it the You-Can-Spam law. Here’s what the Coalition Against Unsolicited Commercial Email (CAUCE) had to say upon CAN-SPAM becoming law ...

“This legislation fails the most fundamental test of any anti-spam law, in that it neglects to actually tell any marketers not to spam. Instead, it gives each marketer in the United States one free shot at each consumer's e-mail inbox …”

Coherent Path CEO James Glover, who also hosts the Coherent Thoughts podcast, points out that the lack of a consent requirement is a fatal flaw of CAN-SPAM.

“Overall, CAN-SPAM has been largely ineffective at preventing spam emails. One of the greatest things about email marketing, in its ideal form, is that it is a form of permission marketing in which you can build a relationship with a customer. It is the email marketer's responsibility to maintain and build that relationship by delivering content the recipient cares about, or it risks being cut off by customers unsubscribing.

The act unfortunately does not stop spam initiation because it does not require the recipient to give initial permission. One benefit to CAN-SPAM, however, is that it requires senders to give recipients an opt-out and that unsubscribe requests must be processed in a timely manner.”

Glover believes there are many ways America’s anti-spam law should be updated. The sad reality is that, according to Securelist by Kaspersky, spam still made up more than 45% of email traffic in early 2021. See more insights in Coherent Path’s Email Marketing Insights Report.

Do ESPs help with CAN-SPAM compliance?

Yes, but they can only do so much.

Email service providers will typically prevent marketers from sending campaigns that don’t include an unsubscribe link and contact address. In fact, many include their own email footer by default that contains this information.

Some ESPs, like Constant Contact, go a step further by verifying the From address and requiring previous unsubscribers to manually confirm consent before being added back to a list.

But that still leaves a large swath of compliance — like the bulk of the content and how a large portion of the header appears — in the hands of marketers themselves.

The point: email service providers are not going to take care of CAN-SPAM compliance for you.

Check email deliverability before you send

CAN-SPAM compliance might seem tricky, but it really comes down to what James Glover summed up, “treating others the way you want to be treated.” You can take care of the majority of compliance by being transparent with subscribers about the intentions of your email and who it’s from, and by offering an easy way to opt out of future messages.

At Email on Acid, we understand CAN-SPAM compliance, but we're not legal experts. So, we suggest you consult with a legal professional before determining whether or not you’re in compliance. Don’t just take our word for it.

We are, however, experts at helping marketers get the most from each campaign, every time they hit the send button. And considering all that you’ve invested into compliance, much less the email content itself, you want every subscriber to receive your message.

Email on Acid’s email deliverability tool identifies potential issues before you launch your campaign. It runs tests against four of the most popular blocklists and 23 of the most widely recognized spam filters. Even better, it provides actionable steps to resolve issues.

Catch issues before you hit send. See the power of our email deliverability tool.

Give Campaign Precheck a Try!

While you can use our email readiness platform in a variety of ways, we’ve designed the optimal predeployment checklist with Campaign Precheck. It streamlines and simplifies the entire pre-send process for efficiency and accuracy. Log in now to start using Campaign Precheck. Or, sign up for your free trial today!
