
CAN-SPAM Act: What Email Marketers Must Know (And Its Deliverability Consequences)

The CAN-SPAM Act applies to every commercial email sent to U.S. recipients regardless of which ESP you use. This guide covers the 7 core requirements, the deliverability damage that CAN-SPAM violations cause, and how Gmail extended these rules in 2024.


CAN-SPAM Act Overview

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act) was signed into law in 2003 and remains the primary federal law governing commercial email in the United States. It is enforced by the Federal Trade Commission (FTC) and applies to any email whose primary purpose is commercial — promotional campaigns, sales offers, newsletters — regardless of which ESP you use.

CAN-SPAM applies to you if you're sending commercial email to U.S. recipients. This is true whether you're using Klaviyo, Mailchimp, SendGrid, Constant Contact, ActiveCampaign, a self-hosted solution, or any other sending infrastructure. The law governs sender behavior, not platform behavior.

CAN-SPAM includes substantial civil penalties that are adjusted over time by regulators. Exact amounts and enforcement posture can change, so verify current figures directly in official FTC guidance before relying on any single number.

More practically: the behaviors that violate CAN-SPAM are the same behaviors that destroy inbox placement. Understanding CAN-SPAM is foundational to understanding deliverability.


The 7 Core Requirements

CAN-SPAM imposes seven specific requirements on every commercial email. Each one has a legal basis — and each one also has a direct deliverability rationale.

1. No Deceptive From Lines

Your sender name and email address must accurately identify who is actually sending the email. Sending as "Customer Service" from a domain you don't own, using a From address that misrepresents the sending organization, or forging headers all violate this requirement.

Deliverability angle: Gmail's spam filters are trained on header analysis. A From domain that does not match the signing domain in your DKIM signature, or that does not align with the domains your SPF and DKIM records authenticate, fails DMARC alignment and triggers filtering. Accurate From lines are therefore also required for DMARC alignment — see DMARC Monitoring.

2. No Misleading Subject Lines

Subject lines must reflect the actual content of the email. A subject line that says "Your order has shipped" for a promotional email, or "Re: our conversation" for a cold email to someone you've never contacted, violates CAN-SPAM.

Deliverability angle: misleading subject lines produce higher open rates followed by higher spam complaints when recipients feel deceived. The complaint spike damages your sender reputation far more than a lower open rate from an honest subject would.

3. Identify the Email as an Advertisement

Commercial emails must be clearly identified as advertising — unless the recipient has given prior express consent to receive marketing email from you. In practice, if you're sending to an opted-in marketing list, this requirement is satisfied by the context. For cold outreach without prior consent, the advertisement identification is required.

4. Include a Physical Mailing Address

Every commercial email must include a valid physical mailing address for the sending organization. A P.O. Box registered with the U.S. Postal Service is acceptable. A private mailbox through a commercial mail receiving agency (like a UPS Store box) is also acceptable. The address must be in the email body — typically in the footer.

Common oversight across all ESPs

Forgetting the physical address in your email footer template is one of the most common CAN-SPAM violations. Check your base template in whatever ESP you're using and confirm a valid physical address appears in the footer of every send. A P.O. Box works if you don't want to publish a home or office address.

5. Clear, Conspicuous Unsubscribe Mechanism

Every commercial email must include a clear and conspicuous way for recipients to opt out of future messages. The unsubscribe mechanism must be clearly identifiable — not hidden in 8px grey text, not buried in the middle of a paragraph. Most ESPs insert a standard unsubscribe link automatically, but you are responsible for ensuring it appears in every send.

6. Honor Unsubscribes Within 10 Business Days

Once someone opts out, you have 10 business days to stop sending them commercial email. You cannot require subscribers to register or log in to unsubscribe. You cannot charge a fee for unsubscribing. The unsubscribe mechanism must remain functional for at least 30 days after sending.

Most major ESPs process unsubscribes instantly or within hours and suppress the contact automatically. Gmail and Yahoo's 2024 requirements reduce this to 2 days for bulk senders (see below). Regardless of what your ESP handles automatically, the legal maximum under CAN-SPAM is 10 business days.

7. Third-Party Compliance

If you hire another company to handle your email marketing, both you and that company are legally responsible for CAN-SPAM compliance. You cannot outsource your legal liability. If your ESP, agency, or vendor sends non-compliant email on your behalf, you are also liable.


Commercial vs. Transactional Email Under CAN-SPAM

CAN-SPAM distinguishes between commercial email (whose primary purpose is commercial) and transactional/relationship email (whose primary purpose is facilitating a transaction already agreed to).

Transactional emails — order confirmations, password resets, shipping notifications, invoice delivery — are exempt from most CAN-SPAM requirements. You don't need to include an unsubscribe link, you don't need to identify the email as advertising, and the footer requirements are relaxed. However, transactional emails must still be non-deceptive and factually accurate.

The key distinction is the "primarily commercial" test. The FTC examines the email as a whole and asks: what would the recipient primarily understand the purpose of this email to be? If the recipient would primarily see it as promotional, then it's commercial under CAN-SPAM regardless of what you label it.

The Edge Case: Upsells in Transactional Emails

Many senders add promotional blocks to order confirmations — a promo code offer, a "Complete Your Set" recommendation, or a discount on future purchases. When does this make the email commercial?

The FTC guidance is nuanced: if the promotional block is clearly secondary to the transactional content and wouldn't appear alone, the email remains transactional. But if the promotional content is dominant in volume, visual prominence, or messaging — or if the email would primarily function as a promotional message with a transaction detail tacked on — then the entire email is commercial.

A safer approach: keep transactional email templates pure. Use a separate triggered promotional flow for upsells. Don't embed aggressive promotional content in transactional templates. This eliminates the ambiguity and ensures compliance.

The "primarily commercial" test is facts-and-circumstances

The FTC looks at the email as a whole. If a recipient would primarily see it as a promotional message, it's commercial under CAN-SPAM regardless of the label you put on it. When in doubt, apply full CAN-SPAM requirements.


B2B Email Under CAN-SPAM

CAN-SPAM applies equally to B2B and B2C commercial email. There is no B2B exemption under CAN-SPAM. Emails sent to business email addresses (@company.com) are still subject to all 7 requirements.

B2B emails to business email addresses must include an unsubscribe mechanism, a physical address, an accurate From line, a non-misleading subject line — the full seven requirements. The fact that the recipient is a business contact does not change the sender's legal obligations.

B2B and GDPR's Legitimate Interest

The key B2B distinction is not under CAN-SPAM, but under GDPR. GDPR allows processing based on a "legitimate interest" for B2B contacts in some jurisdictions — meaning you can market to a business decision-maker's email address without prior consent if there's a legitimate business purpose. CAN-SPAM has no such carve-out. CAN-SPAM is an opt-out law regardless of whether the recipient is a business or consumer.

CAN-SPAM Preemption and State Law

CAN-SPAM is a federal floor that preempts state laws specifically regulating spam. However, CAN-SPAM does not preempt state laws of general applicability — such as state consumer protection statutes or anti-fraud laws. Several states have layered requirements on top of CAN-SPAM:

  • Colorado: no additional specific spam law, but general consumer protection statutes apply
  • California: CCPA creates privacy rights for California consumers' personal data, which overlaps with email list management
  • Virginia: VCDPA creates similar privacy rights

A CAN-SPAM-compliant B2B email is not automatically compliant with state privacy laws if the recipient is a California resident.

Third-Party Liability Under CAN-SPAM

An important B2B edge case: an employee at a company sending business email on the company's behalf. Under CAN-SPAM's third-party compliance requirement (Requirement 7), both the employee and the company are liable. If the employee sends CAN-SPAM-violating email, the company that employed them is also liable.


AI-Generated Email Content and CAN-SPAM

CAN-SPAM's requirements are content-based and sender-behavior-based — they apply regardless of how the email content was generated. If an AI tool generates the subject line, the From name, or the body copy, CAN-SPAM still applies in full.

AI-Generated Subject Lines

AI-generated subject lines must still satisfy CAN-SPAM Requirement 2: the subject line must not be misleading and must reflect the actual content. A large language model that generates a subject line that doesn't match the email body violates CAN-SPAM just as much as a human writing a deceptive subject line.

AI-Generated From Names

AI tools sometimes personalize the From name dynamically (e.g., "Sarah's AI Assistant" instead of your company name). This must still accurately identify the sender under CAN-SPAM Requirement 1. If the recipient would be misled about who is actually sending the email, it's a violation.

AI Tools and Suppression List Management

One emerging source of CAN-SPAM violations: AI marketing tools that automatically re-send to unsubscribed contacts due to a model error or data hallucination. If your ESP or AI marketing tool is supposed to check your suppression list before send, and it fails to do so, you create a CAN-SPAM violation. The company deploying the AI tool is liable.

The FTC has issued guidance (2023-2024) that AI tools used for commercial communications are subject to existing consumer protection laws including CAN-SPAM. The AI tool vendor shares liability with you, but you remain responsible for the compliance of email sent under your domain.

Verify suppression list integration

If your ESP or AI marketing tool manages your suppression list, verify the integration is active and up-to-date before every send. An AI tool that bypasses a broken suppression list integration is a reliable way to rack up CAN-SPAM violations.
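
As an added example (not InboxEagle's or any ESP's code), this is what a fail-closed suppression gate looks like: it refuses to send when the suppression snapshot is missing or older than an assumed maximum age, and it normalizes addresses before matching so case differences cannot let an unsubscribed contact through. The snapshot format, function names and sample addresses are assumptions.

```python
# Added example (not InboxEagle's or any ESP's code): a fail-closed suppression
# gate that refuses to send when the suppression snapshot is missing or stale.
# The snapshot format, function names and sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class SuppressionSnapshot:
    # Suppression data as pulled from the ESP or AI tool, plus when it was pulled.
    unsubscribed: frozenset
    hard_bounced: frozenset
    fetched_at: datetime

class SuppressionUnavailable(RuntimeError):
    """The suppression list cannot be trusted, so the send must not proceed."""

def normalize(address):
    # Case-fold and trim so "Alice@Example.COM " matches "alice@example.com".
    return address.strip().lower()

def gate_send(recipients, snapshot, now, max_age=timedelta(hours=1)):
    """Return (allowed, suppressed). Raises instead of sending when suppression
    data is missing or older than max_age: a silently broken integration is
    exactly how a tool ends up re-mailing unsubscribed contacts."""
    if snapshot is None:
        raise SuppressionUnavailable("no suppression snapshot available")
    age = now - snapshot.fetched_at
    if age > max_age:
        raise SuppressionUnavailable(f"suppression snapshot is {age} old")
    blocked = {normalize(a) for a in snapshot.unsubscribed | snapshot.hard_bounced}
    allowed, suppressed = [], []
    for addr in recipients:
        (suppressed if normalize(addr) in blocked else allowed).append(addr)
    return allowed, suppressed

# Constructed sample data.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
FRESH = SuppressionSnapshot(
    unsubscribed=frozenset({"alice@example.com"}),
    hard_bounced=frozenset({"bounced@example.net"}),
    fetched_at=NOW - timedelta(minutes=5),
)
STALE = SuppressionSnapshot(frozenset(), frozenset(), NOW - timedelta(days=3))
RECIPIENTS = ["Alice@Example.COM", "bob@example.org", "bounced@example.net"]

if __name__ == "__main__":
    print(gate_send(RECIPIENTS, FRESH, NOW))
    try:
        gate_send(RECIPIENTS, STALE, NOW)
    except SuppressionUnavailable as exc:
        print("send blocked:", exc)
```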


What CAN-SPAM Does NOT Require

CAN-SPAM is notably weaker than other email marketing laws in one critical area: it does not require prior opt-in consent before sending commercial email. CAN-SPAM is an opt-out law, not an opt-in law. You can legally send commercial email to people who have not subscribed to your list, as long as you honor unsubscribes.

This stands in stark contrast to GDPR (which requires explicit prior consent for EU residents) and CASL (which requires prior consent for Canadian recipients). Many senders assume that CAN-SPAM compliance means they can freely cold-email purchased lists or scraped addresses as long as there's an unsubscribe link. Legally, that may be true under CAN-SPAM — but it's a deliverability disaster.

Purchased and scraped lists produce poor engagement: low opens, high complaints, and high bounce rates. Gmail and Yahoo evaluate these signals independently of legal frameworks. If complaint rates trend high, inbox placement can degrade quickly even when your campaign appears legally compliant.

CAN-SPAM compliance is the legal floor. Deliverability best practices require going significantly further — specifically, building consent-based lists through explicit opt-in.


Deliverability Consequences of CAN-SPAM Violations

The behaviors that violate CAN-SPAM are the same behaviors that ISPs' spam filters are trained to detect — because spammers have been doing these things for decades. Gmail, Yahoo, and Outlook's machine learning models have learned to associate these patterns with low-quality, unwanted email.

Hidden or Missing Unsubscribe Links

When subscribers want to stop receiving your email but can't find the unsubscribe link, they take the path of least resistance: clicking "Report Spam." Every spam report is a direct complaint against your sending domain. Gmail records these complaints in Google Postmaster Tools, and sustained high complaint rates can quickly increase spam-folder placement or lead to stricter filtering.

A visible, easy unsubscribe link is not just a legal requirement — it is your release valve for frustrated subscribers. Every subscriber who uses the unsubscribe link instead of the spam button is protecting your deliverability.

Deceptive Subject Lines

Subject lines that generate opens through deception create a pattern that ISPs measure: high open rate + high subsequent complaint rate + low engagement with content. This combination signals bait-and-switch behavior and trains Gmail's filters to route your mail to spam.

Forged or Misaligned Headers

Deceptive From lines typically create DMARC alignment failures — where the From domain in the visible header matches neither the signing domain in the DKIM signature nor the Return-Path domain that SPF checks (DMARC needs at least one of the two to align). DMARC failures are a strong spam signal. Monitor your DMARC alignment at DMARC Monitoring.
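
To make that alignment check concrete, here is an added example (not InboxEagle's code) that reports whether a raw message's From domain aligns with its DKIM d= domain and with its Return-Path (the identifier SPF is evaluated against), in both relaxed and strict mode. The organisational-domain rule is a two-label simplification assumed for the example (production checks use the Public Suffix List), and the sample messages are constructed.

```python
# Added example (not InboxEagle's code): check DMARC identifier alignment
# between the visible From domain, the DKIM d= domain and the Return-Path.
# The organisational-domain rule is a simplification assumed here (last two
# labels); production checks use the Public Suffix List. Samples are constructed.
import email
import re
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: two-label registrable suffix; "mail.example.com" -> "example.com".
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(from_dom, auth_dom, strict):
    # Strict alignment needs an exact match; relaxed needs the same org domain.
    if not from_dom or not auth_dom:
        return False
    if strict:
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def dkim_d_domain(msg):
    sig = re.sub(r"\r?\n[ \t]+", " ", msg.get("DKIM-Signature") or "")
    for tag in sig.split(";"):
        k, _, v = tag.strip().partition("=")
        if k.strip() == "d":
            return v.strip()
    return None

def alignment_report(raw, strict=False):
    """DMARC alignment findings. DMARC passes when at least one authenticated
    identifier aligns; signature/SPF validity itself is not verified here."""
    msg = email.message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    dkim_dom = dkim_d_domain(msg)
    dkim_ok = aligned(from_dom, dkim_dom, strict)
    spf_ok = aligned(from_dom, rp_dom, strict)
    return {"from": from_dom, "dkim_d": dkim_dom, "return_path": rp_dom,
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc_aligned": dkim_ok or spf_ok}

# Constructed samples; bh=/b= are placeholders, not real signature values.
ALIGNED = """From: News <news@mail.example.com>
Return-Path: <bounce@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from; bh=X; b=X
Subject: May newsletter
"""
MISALIGNED = """From: Customer Service <support@bank.example>
Return-Path: <bounce@esp-bulk.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=esp-bulk.example.net; s=sel; h=from; bh=X; b=X
Subject: Action required
"""
```

The second sample is the pattern described above: a From line impersonating one organisation while the signing and bounce domains belong to another.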

No Physical Address

Missing footer elements are one of the classic indicators that spam filters look for. A well-formatted footer with a physical address, unsubscribe link, and privacy policy link signals a legitimate sender. Missing these elements contributes to a lower sender reputation score in content-based spam filter analysis.

Track your complaint rate continuously

InboxEagle monitors your Gmail complaint rate via Google Postmaster Tools and your Yahoo complaint rate via the Yahoo Sender Hub — alerting you when trends move into higher-risk ranges.


One-Click Unsubscribe: Gmail's 2024 Extension

In 2024, Gmail and Yahoo extended their bulk sender requirements to go beyond what CAN-SPAM mandates. Starting February 2024, senders sending 5,000 or more emails per day to Gmail addresses must comply with the following:

  • One-click unsubscribe — per RFC 8058, using the List-Unsubscribe-Post header in addition to the standard List-Unsubscribe header
  • Process unsubscribes within 2 days — significantly stricter than CAN-SPAM's 10 business days
  • Email authentication — SPF, DKIM, and DMARC must all be properly configured

The one-click unsubscribe requirement means that when a Gmail subscriber clicks "Unsubscribe" in the Gmail interface (the link that appears next to the From name at the top of the email), the unsubscribe must be processed automatically via a POST request to your List-Unsubscribe URL — no confirmation page, no form, no email sent to the subscriber.

Most major ESPs implement RFC 8058 headers automatically. To verify your implementation: send a test email to a Gmail address and check whether the "Unsubscribe" link appears next to the sender name in the Gmail interface. If it does, List-Unsubscribe headers are working. For a full verification guide, see One-Click Unsubscribe: Gmail's 2024 Mandate Explained.
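
Beyond looking for the link in Gmail's interface, the raw headers from "Show original" can be linted directly. The following added example (not InboxEagle's or Gmail's code) checks the conditions RFC 8058 sets: one HTTPS URI in List-Unsubscribe, the exact List-Unsubscribe-Post value, and a DKIM signature whose h= tag covers both headers. The sample messages are constructed.

```python
# Added example (not InboxEagle's or Gmail's code): lint the one-click
# unsubscribe headers RFC 8058 requires. Sample messages are constructed.
import email
import re

def unfold(value):
    # Join folded header lines so tag/URI parsing sees one line.
    return re.sub(r"\r?\n[ \t]+", " ", value or "").strip()

def dkim_signed_headers(msg):
    # Header names (lower-case) listed in the DKIM-Signature h= tag.
    for tag in unfold(msg.get("DKIM-Signature")).split(";"):
        k, _, v = tag.strip().partition("=")
        if k.strip() == "h":
            return {h.strip().lower() for h in v.split(":")}
    return set()

def check_one_click(raw):
    """Pass/fail findings for RFC 8058: one HTTPS URI in List-Unsubscribe,
    the exact List-Unsubscribe-Post value, and both headers DKIM-signed."""
    msg = email.message_from_string(raw)
    uris = re.findall(r"<([^>]+)>", unfold(msg.get("List-Unsubscribe")))
    https = [u for u in uris if u.lower().startswith("https://")]
    signed = dkim_signed_headers(msg)
    findings = {
        "has_list_unsubscribe": bool(uris),
        "one_https_uri": len(https) == 1,
        "post_header_exact": unfold(msg.get("List-Unsubscribe-Post"))
                             == "List-Unsubscribe=One-Click",
        "headers_dkim_signed": {"list-unsubscribe",
                                "list-unsubscribe-post"} <= signed,
    }
    findings["one_click_ready"] = all(findings.values())
    findings["https_uri"] = https[0] if https else None
    return findings

# Constructed samples; bh=/b= are placeholders, not real signature values.
COMPLIANT = """From: News <news@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
 h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=X; b=X
List-Unsubscribe: <mailto:unsub@example.com>, <https://example.com/u?t=abc>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Subject: May newsletter
"""
LEGACY = """From: News <news@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:subject; bh=X; b=X
List-Unsubscribe: <https://example.com/u?t=abc>
Subject: May newsletter
"""

if __name__ == "__main__":
    for name, raw in (("compliant", COMPLIANT), ("legacy", LEGACY)):
        print(name, check_one_click(raw))
```

The legacy sample carries a List-Unsubscribe link, so an ordinary unsubscribe works, but it lacks the POST header and signature coverage that the one-click flow depends on.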

CAN-SPAM vs. Gmail's requirement

CAN-SPAM gives you 10 business days to honor an unsubscribe. Gmail now requires 2 days for bulk senders. Gmail's requirement is more stringent — and non-compliance affects inbox placement, not just legal risk. If you're a bulk sender, operate to Gmail's 2-day standard, not CAN-SPAM's 10-day standard.


CAN-SPAM Compliance Checklist for Any ESP

This checklist applies regardless of which ESP you use. Each item is a CAN-SPAM requirement, a Gmail/Yahoo recommendation, or both. Review it before your first send from a new domain and periodically thereafter.

One-Time Account Setup

  • ☐ Physical mailing address (or P.O. Box) included in your default email footer template
  • ☐ Unsubscribe link included and clearly visible in footer — not hidden, not in tiny grey text
  • ☐ SPF record published for your sending domain — SPF Generator
  • ☐ DKIM signing configured for your sending domain
  • ☐ DMARC policy published at minimum p=none to enable reporting — DMARC Generator
  • ☐ List-Unsubscribe headers confirmed present (send test to Gmail, check "Show original")
  • ☐ One-click unsubscribe (RFC 8058) verified for bulk sends ≥5,000/day to Gmail

Per-Campaign

  • ☐ From name accurately identifies your business or brand — not misleading
  • ☐ Subject line accurately reflects email content — no bait-and-switch language
  • ☐ Unsubscribe link present and functional in footer
  • ☐ Physical address present in footer
  • ☐ Not sending to previously unsubscribed contacts
  • ☐ Not sending to contacts who have bounced hard previously

Ongoing Monitoring

  • ☐ Gmail spam complaint rate monitored weekly — target below 0.05% (Google Postmaster)
  • ☐ Yahoo complaint rate monitored weekly (Yahoo Sender Hub)
  • ☐ DMARC failures monitored for authentication issues (DMARC Monitoring)
  • ☐ Unsubscribes processed within 2 days (for Gmail bulk senders) or 10 business days (legal minimum)
  • ☐ Suppression list reviewed and complete — no re-added unsubscribers
  • ☐ AI/automated send tools: verify suppression list integration is active and up-to-date
  • ☐ Review AI-generated subject lines before send: confirm no misleading claims


Monitor the Signals CAN-SPAM Violations Trigger

InboxEagle monitors complaint rates, DMARC authentication, blacklist status, and inbox placement — giving you real-time visibility into the deliverability signals that CAN-SPAM violations produce.
