The Seven CAN-SPAM Requirements
1. Accurate Header Information
- From, To, Reply-To must be accurate
- Domain and routing information must be legitimate
- Sender must be clearly identifiable
2. Non-Deceptive Subject Lines
- Subject must accurately reflect message content
- No misleading statements to induce opening
- No "RE:" or "FWD:" unless actually a reply/forward
3. Identify the Message as an Advertisement
- Disclose if the message is promotional
- Disclosure can be subtle but must exist
- Applies to advertising content specifically
4. Include Physical Address
- Valid postal address required
- Can be street address, PO Box, or registered private mailbox
- Must be a physical location that receives mail
5. Provide Opt-Out Mechanism
- Clear and conspicuous unsubscribe option
- Must work for at least 30 days after sending
- Cannot require fee or personal information beyond email
- Cannot require recipient to visit multiple pages
6. Honor Opt-Outs Promptly
- Process within 10 business days maximum
- Best practice: process immediately
- Cannot transfer/sell unsubscribed addresses
7. Monitor Third Parties
- You are responsible for compliance by anyone sending on your behalf
- Includes agencies, affiliates, partners
- Cannot contract away legal responsibility
Penalties Are Serious
CAN-SPAM violations can cost up to $51,744 per violating email. A single non-compliant campaign to thousands of recipients creates massive liability. Compliance is not optional.
What CAN-SPAM Does Not Require
Prior Consent
Unlike GDPR, CAN-SPAM does not require opt-in consent before sending. You can email people who did not explicitly subscribe. However:
- Mailbox providers may still filter you
- High complaints damage deliverability
- Best practice is still confirmed opt-in
Transactional Email Exemptions
Transactional emails (order confirmations, password resets) are largely exempt from CAN-SPAM requirements—no unsubscribe needed, no advertisement disclosure. But they must still have accurate headers.
Unsubscribe Best Practices
Beyond Minimum Compliance
- One-click unsubscribe: Now required by Gmail/Yahoo
- Instant processing: Do not wait 10 days
- No login required: Easy as possible
- Confirmation: Acknowledge the unsubscribe
Preference Centers
Offer alternatives to full unsubscribe:
- Reduce email frequency
- Select content topics
- Pause temporarily
Physical Address Options
Acceptable Addresses
- Company street address
- Post office box (with registration)
- Private mailbox (PMB) at a commercial mail receiving agency
Remote Workers
If you work from home and do not want to share your address, use a registered business address service or PO Box.
Common Compliance Mistakes
- Missing physical address: Required in every commercial email
- Broken unsubscribe links: Must work for 30 days minimum
- Slow opt-out processing: 10 days is maximum, not target
- Misleading From names: Sender must be identifiable
- Deceptive subjects: Click-bait that misrepresents content
- Third-party violations: You are responsible for affiliates