CAN-SPAM Act Overview

Everything you need to know about U.S. commercial email law.

Quick Answer

The CAN-SPAM Act is a U.S. federal law that regulates commercial email. It requires truthful headers, honest subject lines, a valid physical address, clear opt-out mechanisms, and prompt honoring of unsubscribe requests within 10 business days. Violations can result in penalties up to $50,000 per non-compliant email.

What Is the CAN-SPAM Act?

The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM) is the primary law governing commercial email in the United States. Unlike some international regulations that require prior consent, CAN-SPAM establishes an opt-out framework where senders must provide recipients the ability to stop future messages.

The Federal Trade Commission (FTC) enforces CAN-SPAM, with individual states also empowered to bring enforcement actions. Internet service providers can also sue violators. The law applies to any email whose primary purpose is commercial—promoting or advertising a product, service, or content.

The 7 Core Requirements

CAN-SPAM compliance centers on seven mandatory requirements that every commercial email must meet:

1. Accurate Header Information

The "From," "To," "Reply-To," and routing information must accurately identify the person or business sending the message. Using fake or misleading header information is a direct violation. This includes domain names and email addresses that mislead recipients about the message's origin.

2. Non-Deceptive Subject Lines

Subject lines must accurately reflect the email's content. Common violations include subject lines that create false urgency ("RE: Your Order" when there's no previous conversation), promise undelivered content, or use misleading personalization.

3. Identification as Advertisement

Commercial emails must clearly disclose that the message is an advertisement. The law provides flexibility in how this disclosure appears, but it must be clear and conspicuous. Many senders include language like "This is a promotional message from [Company Name]" in the email footer.

4. Valid Physical Postal Address

Every commercial email must include a valid physical postal address. This can be a street address, a post office box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving agency. The address establishes where the sender can receive legal communications.

5. Clear Opt-Out Mechanism

Recipients must have a clear, conspicuous way to opt out of future commercial emails. The opt-out mechanism must be easy to find, recognize, and use. Common implementations include unsubscribe links in the email footer. The mechanism must remain operational for at least 30 days after the email is sent.

6. Honor Opt-Outs Within 10 Business Days

Once a recipient opts out, senders have 10 business days to stop sending commercial emails to that address. During this period, no additional opt-out requirements (like paying a fee, providing additional information, or taking extra steps) may be imposed.

7. Monitor Third-Party Compliance

If you hire another company to handle email marketing, you're still legally responsible for compliance. Both the company whose product is promoted and the company sending the message can be held liable. This makes vendor selection and oversight critical.

What CAN-SPAM Doesn't Require

Understanding what CAN-SPAM doesn't require is equally important. The law does not require:

  • Prior consent before sending commercial emails (unlike GDPR)
  • Double opt-in confirmation
  • A specific format for unsubscribe mechanisms
  • Instant removal upon opt-out (10 days is the limit)
  • Disclosure of how email addresses were obtained

However, following best practices beyond minimum requirements builds trust and improves deliverability. Platforms like SendroAI implement instant unsubscribe processing and consent tracking even when not legally required.

Penalties for Non-Compliance

CAN-SPAM violations carry severe penalties. Each separate email in violation is subject to penalties of up to $50,120 (adjusted for inflation). For a single campaign to 10,000 recipients, this could theoretically mean over $500 million in penalties.

Additional criminal penalties apply for:

  • Accessing computers without authorization to send spam
  • Using false information to register for email accounts
  • Relaying emails through computers without permission
  • Using automated tools to harvest email addresses
  • Generating email addresses through dictionary attacks

Criminal violations can result in imprisonment. These provisions target the most egregious spamming operations but remind all senders of the law's serious intent.

B2B Email and CAN-SPAM

A common misconception is that CAN-SPAM only applies to consumer marketing. In reality, the law governs all commercial email, including B2B sales outreach. Cold emails to business prospects must comply with all requirements.

However, the law distinguishes between "commercial" and "transactional or relationship" messages. Transactional emails—like order confirmations, account updates, or warranty information—have more flexibility. But emails that promote products or services, even in a B2B context, are fully subject to CAN-SPAM.

Compliance Checklist

Before sending any commercial email campaign, verify these elements:

  • Sender name and email address accurately represent your organization
  • Subject line truthfully describes the email content
  • Email includes clear advertising disclosure
  • Valid physical postal address appears prominently
  • Functional unsubscribe link or mechanism is included
  • Suppression list is current and being applied
  • Third-party vendors have documented compliance processes

How SendroAI Ensures Compliance

Platforms like SendroAI automate CAN-SPAM compliance by enforcing required elements. Every email sent through the platform automatically includes physical address fields, functional unsubscribe links, and accurate sender identification. The system processes opt-outs instantly rather than waiting the allowed 10 days, maintaining cleaner lists and better sender reputation.

SendroAI's suppression list management ensures that unsubscribed contacts never receive future campaigns, even if they're accidentally re-imported. This automated compliance reduces legal risk while letting teams focus on creating effective campaigns.

Ready to Transform Your Outreach?