CAN-SPAM Compliance Checklist: What Every Email Marketer Must Follow

Every commercial email sent to a US recipient falls under the CAN-SPAM Act. Not just bulk email. Not just unsolicited email. Every single commercial message. Each violation carries a penalty of up to $51,744 per email, and the FTC can hold multiple parties responsible for the same message, including the brand, the marketing agency, and the email service provider.

Most marketers handle the basics: include an unsubscribe link and use a real From address. But the law has seven distinct requirements, and overlooking even one of them puts your organization at risk. The requirements aren't complicated. They just need to be followed consistently across every campaign, every automated sequence, and every one-off promotional message your team sends.

This checklist covers every CAN-SPAM requirement, common mistakes that trigger enforcement, and the newer email sender requirements from Gmail and Yahoo that layer on top of the law.

What Is the CAN-SPAM Act?

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act) is a US federal law enacted in 2003 that sets rules for commercial email messages. It establishes requirements for sender identification, subject line accuracy, opt-out mechanisms, and message labeling. The law is enforced by the Federal Trade Commission (FTC) and applies to any commercial email sent to or from the United States.

Unlike the EU's GDPR, CAN-SPAM uses an opt-out model, not opt-in. You don't need permission to send the first commercial email. But you must comply with every requirement from the first message onward, and you must honor opt-out requests promptly.

Key Stat: The FTC enforced over 300 CAN-SPAM violations in recent years. The maximum penalty per violating email was raised to $51,744 in 2024. A single non-compliant campaign sent to 10,000 recipients could theoretically generate over $517 million in liability, though actual enforcement typically results in settlements in the hundreds of thousands to millions.

Who Must Comply

CAN-SPAM applies to all "commercial electronic mail messages," which the law defines as any email whose primary purpose is advertising or promoting a commercial product or service. This includes:

  • Marketing newsletters and promotional campaigns
  • Product announcements and launch emails
  • Discount offers, coupons, and sales notifications
  • Re-engagement and win-back campaigns
  • Lead nurture sequences with promotional content
  • Affiliate marketing messages

The law applies regardless of your business size. A solo entrepreneur sending promotional emails from Gmail is subject to the same rules as an enterprise brand sending millions of messages through Salesforce Marketing Cloud.

One often-missed point: if someone else sends email on your behalf (a marketing agency, an affiliate, a contractor), you are still responsible for compliance. The law explicitly states that both the company whose product is promoted and the company that sends the message can be held liable.

The Seven CAN-SPAM Requirements

Here's the complete checklist. Every commercial email you send must satisfy all seven:

1. Use Accurate Header Information

Your "From," "To," and "Reply-To" fields and routing information must accurately identify the person or business sending the message. The sending domain must be one you own or are authorized to use. Spoofed or misleading headers are a violation.

2. Use Non-Deceptive Subject Lines

The subject line must accurately reflect the content of the email. A subject that says "Your order has shipped" when the email is actually a promotional offer is deceptive and violates the law. Bait-and-switch subject lines are one of the most commonly enforced violations.

3. Identify the Message as an Advertisement

Commercial emails must be identifiable as advertisements. The law doesn't require specific wording like "Advertisement" or "Ad," but the commercial nature of the message must be clear. This requirement has some flexibility, and most well-designed marketing emails satisfy it through their content and context.

4. Include Your Valid Physical Postal Address

Every commercial email must include a valid physical postal address. This can be your current street address, a registered PO Box, or a private mailbox registered with a commercial mail receiving agency. Many marketers include this in the email footer alongside the unsubscribe link.

5. Provide a Clear Opt-Out Mechanism

Every commercial email must include a clear and conspicuous way for recipients to opt out of future messages. The opt-out mechanism must be easy to find, easy to use, and must not require the recipient to provide any information beyond their email address. It cannot require logging into an account, answering a survey, or paying a fee. A single-click unsubscribe link satisfies this requirement.

6. Honor Opt-Out Requests Within 10 Business Days

Once a recipient opts out, you must stop sending them commercial email within 10 business days. Your opt-out mechanism must remain functional for at least 30 days after the email is sent. You cannot sell, transfer, or share the opted-out address with any other party for marketing purposes.

7. Monitor What Others Do on Your Behalf

If you hire a marketing agency, use an affiliate network, or contract any third party to handle your email marketing, you are legally responsible for their compliance. Make sure your contracts require CAN-SPAM compliance, and audit your partners' practices periodically.

Warning: The 10-business-day deadline for honoring opt-outs is a maximum, not a target. Gmail's sender requirements (covered below) demand that unsubscribe requests be processed within 48 hours. If you're sending to Gmail users (and you are), treat 48 hours as your real deadline for processing opt-outs.

Transactional vs. Commercial Email Classification

CAN-SPAM draws a line between "commercial" email (promotional) and "transactional or relationship" email (functional). Transactional emails are exempt from most CAN-SPAM requirements, though they still cannot contain false or misleading routing information.

An email is considered transactional if its primary purpose is to:

  • Complete or confirm a transaction the recipient already agreed to
  • Deliver warranty, safety, or recall information about a purchased product
  • Notify the recipient about a change in terms, features, or account standing
  • Provide information about an ongoing subscription or membership
  • Deliver employment-related information to a current employee

The key word is "primary purpose." If a transactional email includes promotional content, the overall message may be reclassified as commercial. A shipping confirmation that includes a "20% off your next order" banner could push the email into commercial territory, triggering all seven CAN-SPAM requirements.

Pro Tip: Keep transactional and marketing content in separate emails. Mixing promotional offers into order confirmations, password resets, or account notifications risks reclassifying those messages as commercial, which subjects them to CAN-SPAM's full requirements including the opt-out mechanism. If someone unsubscribes from a mixed-content transactional email, you may lose the ability to send them functional messages.

Gmail and Yahoo Sender Requirements (2024+)

Starting in February 2024, Google and Yahoo implemented additional requirements for bulk email senders (those sending more than 5,000 messages per day to their users). These requirements layer on top of CAN-SPAM and are enforced through deliverability: non-compliant senders see their emails rejected or sent to spam.

The key additions:

  • Email authentication is mandatory. You must have valid SPF, DKIM, and DMARC records configured for your sending domain. CAN-SPAM doesn't require authentication, but Gmail and Yahoo now do.
  • One-click unsubscribe. Bulk senders must support RFC 8058 one-click unsubscribe via the List-Unsubscribe-Post header. This goes beyond CAN-SPAM's "clear opt-out mechanism" by requiring a specific technical implementation.
  • Process unsubscribes within 48 hours. Tighter than CAN-SPAM's 10-business-day deadline.
  • Keep spam complaint rates below 0.3%. Google monitors complaint rates through Postmaster Tools and throttles or blocks senders who exceed this threshold.

These aren't laws, but they function like regulations because non-compliance results in your emails being blocked from reaching billions of Gmail and Yahoo inboxes. Treat them as mandatory additions to your CAN-SPAM checklist.
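A pre-send header lint for the one-click requirement above, added here as an example (it is not code from the original article or from any ESP). RFC 8058 requires a List-Unsubscribe header carrying an https URI, a List-Unsubscribe-Post header whose value is exactly List-Unsubscribe=One-Click, and a DKIM signature that covers both headers; the example.com sample messages below are constructed, and the DKIM signature value is a placeholder (only header coverage is checked, not the signature itself).

```python
import email
import re
from email import policy

ONE_CLICK = "List-Unsubscribe=One-Click"   # the only value RFC 8058 allows

def dkim_signed_headers(msg) -> set:
    """Header names listed in the DKIM-Signature h= tag (lowercased).
    Only coverage is checked; verifying the signature itself needs the DNS key."""
    sig = msg.get("DKIM-Signature")
    m = re.search(r"(?:^|;)\s*h=([^;]+)", sig) if sig else None
    return {h.strip().lower() for h in m.group(1).split(":")} if m else set()

def check_one_click(raw: bytes) -> list:
    """Return the problems found; an empty list means the headers pass."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    problems = []
    lu = msg.get("List-Unsubscribe")
    if lu is None:
        problems.append("missing List-Unsubscribe header")
    else:
        uris = re.findall(r"<([^>]+)>", lu)          # RFC 2369 angle-bracket URIs
        if not any(u.strip().lower().startswith("https://") for u in uris):
            problems.append("List-Unsubscribe has no https:// URI")
    lup = msg.get("List-Unsubscribe-Post")
    if lup is None:
        problems.append("missing List-Unsubscribe-Post header")
    elif lup.strip() != ONE_CLICK:
        problems.append(f"List-Unsubscribe-Post must be exactly '{ONE_CLICK}'")
    signed = dkim_signed_headers(msg)               # RFC 8058 s.4: both must be signed
    for h in ("list-unsubscribe", "list-unsubscribe-post"):
        if h not in signed:
            problems.append(f"DKIM h= tag does not cover {h}")
    return problems

# Constructed sample messages (not real traffic); the DKIM b= value is a placeholder.
GOOD = b"""From: Example Shop <news@example.com>
To: alice@example.net
Subject: 20% off this weekend
List-Unsubscribe: <https://example.com/unsub?t=abc123>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post; b=PLACEHOLDER

Sale details. Example Shop, PO Box 123, Anytown, CA 90000
"""
# Same message with the Post header dropped and only a mailto: opt-out left.
BAD = GOOD.replace(b"List-Unsubscribe-Post: List-Unsubscribe=One-Click\n", b"") \
          .replace(b"<https://example.com/unsub?t=abc123>, ", b"")
```

Run `check_one_click` over a rendered message from each template and sending system before the campaign goes out; a non-empty list is a blocker for bulk sends to Gmail and Yahoo.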

Common CAN-SPAM Violations Marketers Miss

Slow opt-out processing. The law allows 10 business days, but many ESPs process unsubscribes instantly. Problems arise when brands use multiple sending systems (main ESP, transactional email service, sales outreach tool) and the opt-out doesn't propagate to all of them. A subscriber who unsubscribes from your marketing ESP but continues receiving messages from your sales team's outreach tool is a violation.

Missing physical address. Startups and remote-first companies sometimes omit this requirement because they don't have a traditional office. The law accepts a PO Box or registered mailbox. There's no exception for fully remote businesses.

Affiliate and partner emails. If an affiliate promotes your product via email and violates CAN-SPAM, you can be held liable too. Review your affiliate agreements and audit their email practices.

Pre-checked subscription boxes. While CAN-SPAM doesn't prohibit pre-checked opt-in boxes (unlike GDPR), using them increases the likelihood of sending to people who didn't intentionally subscribe. This leads to higher complaint rates, which damages your sender reputation and can trigger the Gmail/Yahoo complaint rate threshold.

Sending to purchased or rented lists. CAN-SPAM doesn't explicitly ban purchased lists, but sending to people who've never heard of you results in high complaint and bounce rates. These consequences damage your deliverability and can trigger investigations if recipients report your messages as spam in bulk.

Email verification doesn't directly fulfill any CAN-SPAM requirement, but it supports compliance in several indirect and practical ways:

Lower complaint rates. Sending to real, active addresses produces lower complaint rates. When you send to unverified lists that contain abandoned or recycled addresses, the new owners of those addresses are more likely to mark your email as spam. Verification removes these risky addresses before they generate complaints. Use bulk verification to clean your list before every major campaign.

Fewer bounces that look like spam. High bounce rates signal to inbox providers that you're not maintaining your list properly. While CAN-SPAM doesn't mention bounce rates, the Gmail/Yahoo sender requirements effectively penalize high-bounce senders through reduced deliverability. Running your list through verification with a tool like Bulk Email Checker's free tool keeps bounce rates low.

Better opt-out compliance. If you're sending to addresses that don't exist, you can't prove you honored their opt-out rights because they never received the email with the unsubscribe link. Verified addresses ensure your messages (and your opt-out mechanisms) actually reach recipients.

Reduced exposure. Every email you send to an invalid address is a wasted message that could, in edge cases, reach an unintended recipient. Verifying your list with real-time verification at the point of collection reduces the total number of messages sent, which reduces your total compliance exposure.

Action Required: Audit your most recent email campaign against all seven CAN-SPAM requirements listed above. Check your email footer for a valid postal address and working unsubscribe link. Verify that your opt-out processing works across all sending systems (ESP, CRM, sales tools). Then run your sending list through bulk verification to remove invalid addresses before your next campaign.

Frequently Asked Questions

Does CAN-SPAM require opt-in consent before sending marketing email?

No. CAN-SPAM uses an opt-out model. You can send the first commercial email without prior consent, as long as you comply with all seven requirements and honor opt-out requests. This is the fundamental difference from GDPR (which requires opt-in) and CASL in Canada (which also requires consent before sending). Even though opt-in isn't legally required, it's still a best practice for list quality and deliverability.

Does CAN-SPAM apply to B2B email?

Yes. CAN-SPAM applies to all commercial email, whether the recipient is a consumer (B2C) or a business (B2B). There is no B2B exemption. Cold outreach emails to business contacts must comply with all seven requirements, including the opt-out mechanism and physical address.

What's the difference between CAN-SPAM and state privacy laws like CCPA?

CAN-SPAM regulates the content and sending practices of commercial email (headers, subject lines, opt-outs, identification). State privacy laws like CCPA regulate how you collect, store, and use personal data, including email addresses. They address different aspects of email marketing. You need to comply with both. CAN-SPAM governs what you send. CCPA governs the data behind what you send.

Can I be fined even if I didn't know I was violating CAN-SPAM?

Yes. Ignorance of the law is not a defense. The FTC can pursue enforcement actions regardless of whether the violation was intentional. Both the brand and any third-party sender can be held liable. This is why monitoring your marketing partners and agencies is one of the seven explicit requirements.

Do I need to include "Advertisement" in my email subject or body?

No specific wording is required. The law states that the commercial nature of the message must be "clear and conspicuous," but it doesn't mandate the word "advertisement" or any particular label. Most well-designed marketing emails with clear branding, promotional content, and proper sender identification satisfy this requirement without any special label.

Keep Your Email Marketing Compliant

CAN-SPAM compliance is straightforward. Seven requirements, clearly defined by the FTC's compliance guide, applied to every commercial email you send. The law hasn't changed much since 2003, but the Gmail and Yahoo sender requirements added in 2024 raised the bar on authentication, unsubscribe processing, and complaint rates.

Build the checklist into your campaign launch process. Before every send, confirm: headers accurate, subject line honest, physical address present, unsubscribe link visible and working, opt-outs honored across all systems. Verify your list with Bulk Email Checker to keep bounce and complaint rates low. These steps take minutes and protect your business from penalties that can reach millions.
