Evergreen Resource · Updated 2026

CAN-SPAM Act: What Email Marketers Must Know (And Its Deliverability Consequences)

The CAN-SPAM Act applies to every commercial email sent to U.S. recipients regardless of which ESP you use. This guide covers the 7 core requirements, the deliverability damage that CAN-SPAM violations cause, and how Gmail extended these rules in 2024.

CAN-SPAM Act Overview

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act) was signed into law in 2003 and remains the primary federal law governing commercial email in the United States. It is enforced by the Federal Trade Commission (FTC) and applies to any email whose primary purpose is commercial — promotional campaigns, sales offers, newsletters — regardless of which ESP you use.

CAN-SPAM applies to you if you're sending commercial email to U.S. recipients. This is true whether you're using Klaviyo, Mailchimp, SendGrid, Constant Contact, ActiveCampaign, a self-hosted solution, or any other sending infrastructure. The law governs sender behavior, not platform behavior.

Violations carry penalties of up to $51,744 per email — not per campaign. A single campaign with 10,000 recipients in violation could theoretically trigger hundreds of millions in fines. While enforcement at that scale is rare, the FTC has pursued cases resulting in multi-million dollar settlements, particularly against senders who systematically ignored unsubscribe requests.

More practically: the behaviors that violate CAN-SPAM are the same behaviors that destroy inbox placement. Understanding CAN-SPAM is foundational to understanding deliverability.


The 7 Core Requirements

CAN-SPAM imposes seven specific requirements on every commercial email. Each one has a legal basis — and each one also has a direct deliverability rationale.

1. No Deceptive From Lines

Your sender name and email address must accurately identify who is actually sending the email. Sending as "Customer Service" from a domain you don't own, using a From address that misrepresents the sending organization, or forging headers all violate this requirement.

Deliverability angle: Gmail's spam filters are trained on header analysis. Mismatches between the From domain and the domain in your DKIM signature, or From addresses that don't align with your DMARC policy, trigger filtering. Accurate From lines are also required for DMARC alignment — see DMARC Monitoring.

2. No Misleading Subject Lines

Subject lines must reflect the actual content of the email. A subject line that says "Your order has shipped" for a promotional email, or "Re: our conversation" for a cold email to someone you've never contacted, violates CAN-SPAM.

Deliverability angle: misleading subject lines produce higher open rates followed by higher spam complaints when recipients feel deceived. The complaint spike damages your sender reputation far more than a lower open rate from an honest subject would.

3. Identify the Email as an Advertisement

Commercial emails must be clearly identified as advertising — unless the recipient has given prior express consent to receive marketing email from you. In practice, if you're sending to an opted-in marketing list, this requirement is satisfied by the context. For cold outreach without prior consent, the advertisement identification is required.

4. Include a Physical Mailing Address

Every commercial email must include a valid physical mailing address for the sending organization. A P.O. Box registered with the U.S. Postal Service is acceptable. A private mailbox through a commercial mail receiving agency (like a UPS Store box) is also acceptable. The address must be in the email body — typically in the footer.

Common oversight across all ESPs

Forgetting the physical address in your email footer template is one of the most common CAN-SPAM violations. Check your base template in whatever ESP you're using and confirm a valid physical address appears in the footer of every send. A P.O. Box works if you don't want to publish a home or office address.

5. Clear, Conspicuous Unsubscribe Mechanism

Every commercial email must include a clear and conspicuous way for recipients to opt out of future messages. The unsubscribe mechanism must be clearly identifiable — not hidden in 8px grey text, not buried in the middle of a paragraph. Most ESPs insert a standard unsubscribe link automatically, but you are responsible for ensuring it appears in every send.

6. Honor Unsubscribes Within 10 Business Days

Once someone opts out, you have 10 business days to stop sending them commercial email. You cannot require subscribers to register or log in to unsubscribe. You cannot charge a fee for unsubscribing. The unsubscribe mechanism must remain functional for at least 30 days after sending.

Most major ESPs process unsubscribes instantly or within hours and suppress the contact automatically. Gmail and Yahoo's 2024 requirements reduce this to 2 days for bulk senders (see below). Regardless of what your ESP handles automatically, the legal maximum under CAN-SPAM is 10 business days.

7. Third-Party Compliance

If you hire another company to handle your email marketing, both you and that company are legally responsible for CAN-SPAM compliance. You cannot outsource your legal liability. If your ESP, agency, or vendor sends non-compliant email on your behalf, you are also liable.


What CAN-SPAM Does NOT Require

CAN-SPAM is notably weaker than other email marketing laws in one critical area: it does not require prior opt-in consent before sending commercial email. CAN-SPAM is an opt-out law, not an opt-in law. You can legally send commercial email to people who have not subscribed to your list, as long as you honor unsubscribes.

This stands in stark contrast to GDPR (which requires explicit prior consent for EU residents) and CASL (which requires prior consent for Canadian recipients). Many senders assume that CAN-SPAM compliance means they can freely cold-email purchased lists or scraped addresses as long as there's an unsubscribe link. Legally, that may be true under CAN-SPAM — but it's a deliverability disaster.

Purchased and scraped lists produce terrible engagement: low open rates, high complaint rates, and high bounce rates. Gmail and Yahoo measure these engagement signals independently of any legal framework. A complaint rate above 0.10% triggers Gmail's enforcement regardless of CAN-SPAM compliance. A complaint rate above 0.30% can result in Gmail blocking your domain entirely.

CAN-SPAM compliance is the legal floor. Deliverability best practices require going significantly further — specifically, building consent-based lists through explicit opt-in.


Deliverability Consequences of CAN-SPAM Violations

The behaviors that violate CAN-SPAM are the same behaviors that ISPs' spam filters are trained to detect — because spammers have been doing these things for decades. Gmail, Yahoo, and Outlook's machine learning models have learned to associate these patterns with low-quality, unwanted email.

Hidden or Missing Unsubscribe Links

When subscribers want to stop receiving your email but can't find the unsubscribe link, they take the path of least resistance: clicking "Report Spam." Every spam report is a direct complaint against your sending domain. Gmail records these complaints in Google Postmaster Tools. Once your complaint rate crosses 0.10%, Gmail begins filtering your mail to spam. At 0.30%, Gmail may block delivery entirely.

A visible, easy unsubscribe link is not just a legal requirement — it is your release valve for frustrated subscribers. Every subscriber who uses the unsubscribe link instead of the spam button is protecting your deliverability.

Deceptive Subject Lines

Subject lines that generate opens through deception create a pattern that ISPs measure: high open rate + high subsequent complaint rate + low engagement with content. This combination signals bait-and-switch behavior and trains Gmail's filters to route your mail to spam.

Forged or Misaligned Headers

Deceptive From lines typically create DMARC alignment failures — where the From domain in the visible header doesn't match the domain used in the DKIM signature or the Return-Path. DMARC failures are a strong spam signal. Monitor your DMARC alignment at DMARC Monitoring.

No Physical Address

Missing footer elements are one of the classic indicators that spam filters look for. A well-formatted footer with a physical address, unsubscribe link, and privacy policy link signals a legitimate sender. Missing these elements contributes to a lower sender reputation score in content-based spam filter analysis.

Track your complaint rate continuously

InboxEagle monitors your Gmail complaint rate via Google Postmaster Tools and your Yahoo complaint rate via the Yahoo Sender Hub — alerting you when rates trend toward Gmail's 0.10% threshold.


One-Click Unsubscribe: Gmail's 2024 Extension

In 2024, Gmail and Yahoo extended their bulk sender requirements to go beyond what CAN-SPAM mandates. Starting February 2024, senders who send 5,000 or more emails per day to Gmail addresses must comply with the following:

  • One-click unsubscribe — per RFC 8058, using the List-Unsubscribe-Post header in addition to the standard List-Unsubscribe header
  • Process unsubscribes within 2 days — significantly stricter than CAN-SPAM's 10 business days
  • Email authentication — SPF, DKIM, and DMARC must all be properly configured

The one-click unsubscribe requirement means that when a Gmail subscriber clicks "Unsubscribe" in the Gmail interface (the link that appears next to the From name at the top of the email), the unsubscribe must be processed automatically via a POST request to your List-Unsubscribe URL — no confirmation page, no form, no email sent to the subscriber.

Most major ESPs implement RFC 8058 headers automatically. To verify your implementation: send a test email to a Gmail address and check whether the "Unsubscribe" link appears next to the sender name in the Gmail interface. If it does, List-Unsubscribe headers are working. For a full verification guide, see One-Click Unsubscribe: Gmail's 2024 Mandate Explained.
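The exchange described above, shown from both sides as an added example (this is not code from the original article or from any ESP): the sender attaches the two RFC 8058 headers, and the receiving endpoint processes Gmail's POST immediately, with no confirmation page, login, or follow-up email. The host `unsub.example.com`, the demo secret, the `/u/<list>/<recipient>/<mac>` URL layout, and the function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs

# Constructed values: a real deployment loads the secret from a secret store.
SECRET = b"constructed-demo-secret"
UNSUB_HOST = "https://unsub.example.com"        # hypothetical endpoint
ONE_CLICK_BODY = "List-Unsubscribe=One-Click"   # the exact value RFC 8058 specifies


def _b64(s: str) -> str:
    return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")


def _unb64(s: str) -> str:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)).decode()


def _mac(list_id: str, recipient: str) -> str:
    """HMAC-SHA256 over (list, recipient): the link must be unforgeable, or anyone
    who can guess a URL could unsubscribe other people."""
    return hmac.new(SECRET, f"{list_id}\n{recipient}".encode(), hashlib.sha256).hexdigest()


def unsubscribe_url(list_id: str, recipient: str) -> str:
    return f"{UNSUB_HOST}/u/{list_id}/{_b64(recipient)}/{_mac(list_id, recipient)}"


def build_message(sender: str, recipient: str, list_id: str) -> EmailMessage:
    """Sender side: attach the two headers RFC 8058 requires (both must also be
    covered by the message's DKIM signature, which happens at signing time)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Monthly newsletter"
    # The HTTPS URI is what Gmail POSTs to; a mailto: fallback may sit beside it.
    msg["List-Unsubscribe"] = (
        f"<{unsubscribe_url(list_id, recipient)}>, "
        "<mailto:unsubscribe@example.com?subject=unsubscribe>"
    )
    msg["List-Unsubscribe-Post"] = ONE_CLICK_BODY
    msg.set_content(
        "Newsletter body.\n\nUnsubscribe: " + unsubscribe_url(list_id, recipient)
        + "\nExample Corp, P.O. Box 000, Anytown, ST 00000 (constructed address)"
    )
    return msg


def handle_unsubscribe(method: str, path: str, content_type: str, body: str, suppression: dict) -> int:
    """Receiver side: returns an HTTP status code. On a valid one-click POST the
    recipient is added to suppression[list_id] at once: no confirmation page, no
    login, no cookie, no follow-up email, exactly as RFC 8058 requires."""
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "u":
        return 404
    _, list_id, enc_recipient, mac = parts
    try:
        recipient = _unb64(enc_recipient)
    except Exception:
        return 400
    if not hmac.compare_digest(mac.encode(), _mac(list_id, recipient).encode()):
        return 403  # tampered or forged link
    if method == "GET":
        # A human following the footer link lands here: serve a page with a button,
        # but never unsubscribe on GET, because link-scanning security gateways
        # fetch URLs found in mail and would silently unsubscribe everyone.
        return 200
    if method != "POST":
        return 405
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return 415
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return 400
    suppression.setdefault(list_id, set()).add(recipient)
    return 200
```

The `suppression` dict stands in for whatever suppression list your ESP or database keeps; the point to carry over is that the POST path writes to it synchronously, while the GET path only renders a page, so mail-security scanners that follow links do not unsubscribe your whole list.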

CAN-SPAM vs. Gmail's requirement

CAN-SPAM gives you 10 business days to honor an unsubscribe. Gmail now requires 2 days for bulk senders. Gmail's requirement is more stringent — and non-compliance affects inbox placement, not just legal risk. If you're a bulk sender, operate to Gmail's 2-day standard, not CAN-SPAM's 10-day standard.


CAN-SPAM Compliance Checklist for Any ESP

This checklist applies regardless of which ESP you use. Each item is a CAN-SPAM requirement, a Gmail/Yahoo recommendation, or both. Review it before your first send from a new domain and periodically thereafter.

One-Time Account Setup

  • ☐ Physical mailing address (or P.O. Box) included in your default email footer template
  • ☐ Unsubscribe link included and clearly visible in footer — not hidden, not in tiny grey text
  • ☐ SPF record published for your sending domain — SPF Generator
  • ☐ DKIM signing configured for your sending domain
  • ☐ DMARC policy published at minimum p=none to enable reporting — DMARC Generator
  • ☐ List-Unsubscribe headers confirmed present (send test to Gmail, check "Show original")
  • ☐ One-click unsubscribe (RFC 8058) verified for bulk sends ≥5,000/day to Gmail

Per-Campaign

  • ☐ From name accurately identifies your business or brand — not misleading
  • ☐ Subject line accurately reflects email content — no bait-and-switch language
  • ☐ Unsubscribe link present and functional in footer
  • ☐ Physical address present in footer
  • ☐ Not sending to previously unsubscribed contacts
  • ☐ Not sending to contacts who have bounced hard previously

Ongoing Monitoring

  • ☐ Gmail spam complaint rate monitored weekly — target below 0.05% (Google Postmaster)
  • ☐ Yahoo complaint rate monitored weekly (Yahoo Sender Hub)
  • ☐ DMARC failures monitored for authentication issues (DMARC Monitoring)
  • ☐ Unsubscribes processed within 2 days (for Gmail bulk senders) or 10 business days (legal minimum)
  • ☐ Suppression list reviewed and complete — no re-added unsubscribers
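A pre-send lint that checks a raw message against the checklist above and against the alignment point made under "Forged or Misaligned Headers": DKIM d= and Return-Path aligned with the From domain, a Re:/Fwd: subject that is not a real reply, RFC 8058 headers present and covered by the DKIM h= tag, and an unsubscribe link and physical address in the body. This is an added example using only the Python standard library, not the article's or InboxEagle's tooling; the two sample messages are constructed, the DKIM signature values are placeholders, the organizational-domain rule is a simplification of what DMARC relaxed alignment requires, and the address regex is a heuristic.

```python
import email
import re
from email import policy
from email.utils import parseaddr

ONE_CLICK = "List-Unsubscribe=One-Click"


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed DMARC alignment. Simplification: the last
    two labels; a real implementation consults the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def addr_domain(header_value) -> str:
    """Domain part of the first address in a From/Return-Path style header."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def dkim_tag(sig, tag: str) -> str:
    """Value of one tag (d=, h=, ...) in a DKIM-Signature header, or ''."""
    m = re.search(r"(?:^|;)\s*" + tag + r"=([^;]*)", str(sig or ""))
    return m.group(1).strip() if m else ""


ADDRESS = re.compile(
    r"\bP\.?\s?O\.?\s?Box\s+\d+"
    r"|\b\d+\s+\w+(?:\s+\w+)*\s+(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive|Way|Ln|Lane)\b",
    re.I,
)


def lint(raw: bytes) -> list:
    """Return a list of findings; an empty list means the message passes these checks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom = addr_domain(msg["From"])
    if not from_dom:
        findings.append("From: missing or unparsable address")

    # Requirement 1 / DMARC: DKIM d= and Return-Path must align (relaxed) with From.
    sig = msg["DKIM-Signature"]
    d = dkim_tag(sig, "d").lower()
    if not d:
        findings.append("DKIM-Signature: missing, so DMARC can only pass via SPF")
    elif org_domain(d) != org_domain(from_dom):
        findings.append(f"DKIM d={d} does not align with From domain {from_dom}")
    rp = addr_domain(msg["Return-Path"])
    if rp and org_domain(rp) != org_domain(from_dom):
        findings.append(f"Return-Path {rp} does not align with From domain {from_dom} (SPF alignment)")

    # Requirement 2: a reply/forward prefix on a message that is not actually a reply.
    subject = str(msg["Subject"] or "")
    if re.match(r"\s*(re|fwd?)\s*:", subject, re.I) and not msg["In-Reply-To"]:
        findings.append("Subject: Re:/Fwd: prefix but no In-Reply-To header (misleading subject)")

    # Gmail/Yahoo bulk-sender rules: RFC 8058 headers, HTTPS URI, both headers DKIM-signed.
    if "<https://" not in str(msg["List-Unsubscribe"] or ""):
        findings.append("List-Unsubscribe: missing or has no HTTPS URI")
    if str(msg["List-Unsubscribe-Post"] or "").strip() != ONE_CLICK:
        findings.append(f"List-Unsubscribe-Post: missing or not exactly '{ONE_CLICK}'")
    signed = {h.strip().lower() for h in dkim_tag(sig, "h").split(":")}
    if sig and not {"list-unsubscribe", "list-unsubscribe-post"} <= signed:
        findings.append("DKIM-Signature h= does not cover both List-Unsubscribe headers")

    # Requirements 4 and 5: visible unsubscribe text and a physical address in the body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if not re.search(r"unsubscribe", text, re.I):
        findings.append("Body: no visible unsubscribe link or text")
    if not ADDRESS.search(text):
        findings.append("Body: no physical mailing address found (heuristic)")
    return findings


# Constructed sample messages; bh= and b= are placeholders, not real signatures.
GOOD = b"""Return-Path: <bounce@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=constructed; b=constructed
From: Example Corp <news@example.com>
To: alice@example.org
Subject: March newsletter
List-Unsubscribe: <https://unsub.example.com/u/abc>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/plain; charset="utf-8"

Hello Alice, here is the March newsletter.

Unsubscribe: https://unsub.example.com/u/abc
Example Corp, P.O. Box 123, Anytown, ST 00000
"""

BAD = b"""Return-Path: <bounce@esp-provider.net>
DKIM-Signature: v=1; a=rsa-sha256; d=esp-provider.net; s=sel; h=from:to:subject; bh=constructed; b=constructed
From: Customer Service <deals@example.com>
To: alice@example.org
Subject: Re: our conversation
List-Unsubscribe: <mailto:unsub@esp-provider.net>
Content-Type: text/plain; charset="utf-8"

Great deals this week. Click here: https://deals.example.com/sale
"""

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(raw) or "passes")
```

Run it against a "Show original" export from a Gmail test send: every finding maps to one checklist line, and the alignment checks catch the common ESP setup where DKIM is signed with the provider's domain rather than yours.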


Monitor the Signals CAN-SPAM Violations Trigger

InboxEagle monitors complaint rates, DMARC authentication, blacklist status, and inbox placement — giving you real-time visibility into the deliverability signals that CAN-SPAM violations produce.