CAN-SPAM requires all commercial email to: 1) Not use deceptive headers (From:, Reply-To:), 2) Not use misleading subject lines, 3) Identify the message as an ad (if applicable), 4) Include your physical postal address, 5) Tell recipients how to opt out, 6) Honor opt-outs within 10 business days (2 days recommended), 7) Monitor what others do on your behalf. Penalties: up to $51,744 per email violation. CAN-SPAM does NOT require opt-in — it's an opt-out law.
CAN-SPAM Act: Complete Compliance Guide for Email Marketers (2026)
The 7 CAN-SPAM Requirements
1. No Deceptive Headers
Your From:, Reply-To:, and routing information must accurately identify the sender. Don't pretend to be someone else or use a misleading sender name.
2. No Misleading Subject Lines
The subject line must relate to the email content. "Your account has been suspended" to sell a product = violation. "50% off this weekend" for a genuine sale = fine.
3. Identify as Advertisement (If Applicable)
If the email is a solicitation, it must be identifiable as such. There's flexibility in how — many marketers satisfy this through clear branding and content context rather than a literal "this is an ad" label.
4. Physical Address
Every commercial email must include a valid physical postal address. Options:
- Your business street address
- A PO Box registered with the USPS
- A private mailbox (PMB) registered with a commercial mail receiving agency
This appears in your email footer. Most ESPs require it during account setup.
5. Opt-Out Mechanism
Every commercial email must include a clear way to unsubscribe:
- Visible unsubscribe link in the email body
- The mechanism must work for at least 30 days after sending
- Must not require more than a single action (email reply or one click)
- Cannot require a fee, login, or providing information beyond email address
6. Honor Opt-Outs
Once someone unsubscribes:
- Stop sending within 10 business days (2 days recommended)
- Cannot sell or transfer their email to another sender for marketing
- The opt-out must be permanent (no "re-subscribing" them without new consent)
7. Monitor Third Parties
If you hire someone to send email on your behalf (agency, contractor), you're still legally responsible for compliance. "My marketing agency did it" is not a defense.
CAN-SPAM Compliance Checklist
- Accurate From: name and email address
- Subject line reflects email content
- Physical postal address in email footer
- Clear, conspicuous unsubscribe link
- Unsubscribe mechanism works and is honored within 10 business days
- Not using harvested email addresses
- Not sending to purchased lists whose contacts never consented (allowed under CAN-SPAM, but risky for deliverability)
- Monitoring compliance of any third parties sending on your behalf
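The opt-out requirements above and this checklist can be enforced mechanically before a campaign goes out. As an added example that is not the guide's code and not any ESP's implementation, the Python below lints a raw RFC 5322 message for the checkable items (a From: address, a subject, a visible unsubscribe link, a postal address) and handles opt-out bookkeeping (suppression, and the 10-business-day deadline for requests not yet merged). The two sample messages, the address and unsubscribe regexes and the subject phrase list are constructed heuristics; whether a From: name or subject is actually deceptive, and whether the message reads as an ad, still needs a human reviewer, so those only produce review warnings.

```python
"""Pre-send CAN-SPAM lint and opt-out bookkeeping (added example, not the guide's code).
Message checks are mechanical proxies for requirements 1, 2, 4 and 5; the opt-out
helpers cover requirement 6. Deception (1, 2) and ad identification (3) are only
flagged for human review, never decided here."""
import re
from datetime import date, timedelta
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not from the guide): one passes the mechanical checks, one fails.
SAMPLE_OK = """\
From: Acme Newsletter <news@acme.example>
Reply-To: news@acme.example
Subject: 50% off this weekend
List-Unsubscribe: <https://acme.example/unsub?u=123>
Content-Type: text/plain; charset=utf-8

Big sale on everything this weekend only.

Unsubscribe: https://acme.example/unsub?u=123
Acme Corp, PO Box 123, Springfield, ZZ 00000
"""

SAMPLE_BAD = """\
From: Acme <news@acme.example>
Reply-To: offers@other.example
Subject: Your account has been suspended
Content-Type: text/plain; charset=utf-8

Actually we just want to sell you something.
"""

# Heuristics (constructed): a PO Box, a PMB number, or a US-style street line.
ADDRESS_RE = re.compile(
    r"\bP\.?\s?O\.?\s+Box\s+\d+|\bPMB\s+\d+|"
    r"\b\d+\s+[A-Za-z0-9 .]+?\b(Street|St|Avenue|Ave|Road|Rd|Boulevard|Blvd|Suite|Ste)\b",
    re.IGNORECASE,
)
# "unsubscribe" followed within 40 characters by a URL.
UNSUB_URL_RE = re.compile(r"unsubscribe\W{0,40}(https?://\S+)", re.IGNORECASE)
# Subject phrases routed to human review; the guide's own example, extend as needed.
REVIEW_SUBJECT_PHRASES = ("account has been suspended",)
OPT_OUT_BUSINESS_DAYS = 10


def _text_body(msg) -> str:
    """Concatenate the text/plain and text/html parts of a parsed message."""
    chunks = []
    for part in msg.walk():  # yields the message itself when it is not multipart
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lint_message(raw: str) -> list[str]:
    """Return findings: 'FAIL: ...' blocks sending, 'WARN: ...' needs a human look."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    if "@" not in from_addr:
        findings.append("FAIL: From: header missing or has no address")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("WARN: Reply-To domain differs from From: domain; confirm both identify the sender")
    subject = (msg.get("Subject") or "").strip()
    if not subject:
        findings.append("FAIL: empty subject line")
    elif any(p in subject.lower() for p in REVIEW_SUBJECT_PHRASES):
        findings.append("WARN: subject matches a review phrase; check it describes the body")
    body = _text_body(msg)
    if not UNSUB_URL_RE.search(body):
        findings.append("FAIL: no visible unsubscribe link in the body")
    if not msg.get("List-Unsubscribe"):
        findings.append("WARN: no List-Unsubscribe header (large mailbox providers expect one for bulk mail)")
    if not ADDRESS_RE.search(body):
        findings.append("FAIL: no physical postal address found in the body")
    return findings


def business_days_after(start: date, n: int) -> date:
    """Date n business days after start; skips weekends only (holidays not modelled)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def filter_recipients(recipients: list[str], suppressed: set[str]) -> list[str]:
    """Drop every opted-out address, comparing case-insensitively, keeping order."""
    blocked = {a.lower() for a in suppressed}
    return [r for r in recipients if r.lower() not in blocked]


def overdue_opt_outs(pending: dict[str, date], today: date) -> list[str]:
    """Opt-out requests (address -> date received) not yet merged into the
    suppression set whose 10-business-day deadline has already passed."""
    return sorted(a for a, received in pending.items()
                  if business_days_after(received, OPT_OUT_BUSINESS_DAYS) < today)


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, lint_message(sample) or ["clean"])
    print(business_days_after(date(2026, 3, 6), OPT_OUT_BUSINESS_DAYS))  # 2026-03-20
```

Run it as a pre-send gate: a non-empty list of FAIL findings should block the campaign, WARN findings go to whoever signs off on content, and `overdue_opt_outs` is worth running on a daily schedule so an unprocessed request is noticed before the legal deadline, not after. The address regex is deliberately loose and US-centric; a real deployment would check for the exact footer string the account was set up with rather than pattern-matching.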
What CAN-SPAM Does NOT Require
- Opt-in consent. Unlike GDPR, CAN-SPAM allows unsolicited commercial email as long as you include opt-out.
- Double opt-in. Not required (but recommended for deliverability).
- Prior relationship. You can email a stranger commercially under CAN-SPAM (with opt-out).
But for deliverability: Just because CAN-SPAM allows unsolicited email doesn't mean ISPs have to deliver it. Gmail, Outlook, and Yahoo filter based on engagement and sender reputation, not legal compliance alone. Sending unsolicited email that generates complaints will damage your reputation regardless of CAN-SPAM compliance.
CAN-SPAM vs GDPR vs CASL
| Requirement | CAN-SPAM (US) | GDPR (EU) | CASL (Canada) |
|---|---|---|---|
| Consent required? | No (opt-out) | Yes (opt-in) | Yes (express or implied) |
| Double opt-in? | No | Recommended | Recommended |
| Unsubscribe? | Required | Required | Required |
| Physical address? | Required | Recommended | Required |
| Penalty | $51,744/email | Up to 4% of global revenue | $10M CAD per violation |
| Applies to | US senders to any recipient | Any sender to EU residents | Senders to Canadian recipients |
If you send internationally, comply with the strictest applicable regulation. See our GDPR email compliance guide and CASL guide for details.
Practitioner note: CAN-SPAM compliance is table stakes — it doesn't guarantee deliverability. I've seen CAN-SPAM-compliant email go to spam every day because the sender had terrible reputation. Legal compliance and deliverability are different problems. Fix deliverability (authentication, reputation, engagement) independently of compliance.
Practitioner note: The physical address requirement catches people off guard. If you work from home and don't want your address in every email, get a PO Box ($20-50/year) or a UPS Store mailbox. Most ESPs won't let you send without a physical address in your account settings.
If you need your email setup reviewed for both compliance and deliverability, schedule a consultation.
v1.0 · March 2026
Frequently Asked Questions
Does CAN-SPAM require opt-in consent?
No. Unlike GDPR, CAN-SPAM is an opt-out law. You can email someone without prior consent as long as you include an unsubscribe mechanism and honor opt-outs. However, for deliverability, opt-in is still strongly recommended — emailing without consent generates complaints that damage reputation.
What is the penalty for violating CAN-SPAM?
Up to $51,744 per individual email violation. Multiple violations in a single campaign multiply the penalty. For a 10,000-email campaign with violations, theoretical maximum exposure is $517 million. In practice, the FTC pursues egregious violators, not technical accidents.
Do I need a physical address in every email?
Yes. Every commercial email must include a valid physical postal address. This can be your street address, a PO Box, or a registered commercial mail receiving agency (private mailbox). No exceptions.
Does CAN-SPAM apply to transactional email?
Transactional email (order confirmations, shipping notifications, account updates) is mostly exempt from CAN-SPAM marketing requirements. However, if transactional email contains significant commercial content, it may be classified as commercial and subject to full requirements.
How fast must I process unsubscribe requests?
Legally: within 10 business days. Best practice: within 2 days. Gmail and Yahoo require functional unsubscribe that works 'promptly.' Most ESPs process unsubscribes instantly. Delayed processing generates complaints and damages deliverability.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.