CAN-SPAM compliance is a legal baseline, not an optional best practice. The FTC enforces the Controlling the Assault of Non-Solicited Pornography and Marketing Act with penalties up to $53,088 per violating email — and each email in a non-compliant campaign is a separate violation. For a campaign of 10,000 non-compliant messages, theoretical maximum penalties exceed $500 million, though actual enforcement actions target habitual violators rather than one-time technical oversights.

  • CAN-SPAM: US law — opt-out required, commercial email only, $51,744/violation
  • CASL: Canada — opt-in required, broader scope, C$10M max fine per violation
  • GDPR: EU — explicit consent required for marketing, up to 4% global revenue fine
  • CCPA: California — similar to GDPR for CA residents, $7,500/intentional violation

| Regulation | Jurisdiction | Consent model | Unsubscribe requirement | Penalties |
|---|---|---|---|---|
| CAN-SPAM Act | United States | Opt-out acceptable | 10 business days to honor | $51,744/email |
| CASL | Canada | Opt-in required | 10 business days to honor | Up to C$10M/violation |
| GDPR | EU + EEA | Explicit opt-in required | Immediate (< 30 days) + erasure on request | 4% global revenue or EUR 20M |
| PECR | UK | Opt-in required for marketing | Immediate + data deletion | Up to GBP 500K |
| CCPA/CPRA | California, USA | Opt-out acceptable + right to know | 45 days to honor data deletion | $7,500/intentional violation |

This guide covers what the CAN-SPAM Act actually requires (with specific attention to the provisions most commonly violated), how it intersects with ISP compliance requirements, and how its requirements differ from GDPR and CASL for senders with international audiences.

Who and What CAN-SPAM Covers

CAN-SPAM applies to "commercial messages" — defined as any electronic mail message with a primary purpose of commercial advertisement or promotion. Three key scope clarifications that catch senders off-guard:

It covers B2B email, not just consumer email. Unlike the common misconception, CAN-SPAM applies to all commercial messages regardless of whether the recipient is a business or individual. A newsletter to SaaS industry professionals promoting your product is subject to CAN-SPAM the same as a consumer promotional email.

It covers all commercial messages, not just bulk campaigns. A single email to one person that primarily promotes a commercial product or service must comply with CAN-SPAM. There's no minimum volume threshold for application of the law.

Transactional email is mostly exempt. Messages whose primary purpose is transactional or relationship-based — order confirmations, shipping notifications, account statements, password resets, purchase receipts — are not subject to most CAN-SPAM requirements. However, if a transactional email contains commercial content that appears before the transactional content, it may be reclassified as a commercial message for compliance purposes.

The Seven CAN-SPAM Requirements

1. Accurate Header Information

The From, To, and Reply-To fields, along with the originating domain and email address, must accurately identify the person or business sending the message. Using a misleading From address or routing email through servers that disguise the origin is prohibited.

Infrastructure implication: Your sending domain must match your actual organization. Using a domain that doesn't belong to you, or that deliberately misleads about the sender's identity, violates this requirement. This is also why DMARC enforcement improves compliance — by requiring authentication alignment, it makes header spoofing technically difficult.

2. Non-Deceptive Subject Lines

Subject lines must accurately reflect the content of the message. "Urgent: Security Alert" for a promotional email, or "Your account has been compromised" as a scare tactic to get opens, are deceptive subject lines that violate CAN-SPAM.

3. Identify the Message as an Advertisement

Commercial messages must clearly and conspicuously disclose that they are advertisements, unless you have prior express consent from recipients to receive commercial emails (i.e., they opted in). In practice, most senders satisfy this through standard footer language ("You are receiving this commercial email because...") or by including "Ad" or "Promotional" in the message.

4. Include a Valid Physical Postal Address

Every commercial email must include your current street address, a USPS-registered P.O. box, or a private mailbox registered with a commercial mail receiving agency. This address must be valid at the time of sending. Using a placeholder or fake address is a violation.

For international organizations, this requirement still applies if sending to US recipients. Use a registered agent's address, a US office, or a US P.O. box if your organization has no US street address.

5. Clear Opt-Out Mechanism

Every commercial email must include a clear and conspicuous explanation of how recipients can opt out of future commercial email. The opt-out mechanism must:

  • Be functional for at least 30 days after the message is sent
  • Require only an email address to process the request — you cannot require recipients to provide additional information, navigate multiple pages, or explain their reason for unsubscribing
  • Be capable of processing requests via reply email OR a single webpage (offering a menu of unsubscribe options is allowed, but there must be an option to stop all commercial messages)

The 2024 Google requirement aligns here: Gmail now requires one-click unsubscribe (RFC 8058) for bulk senders. The List-Unsubscribe-Post header enables one-click processing that simultaneously satisfies Gmail's technical requirement and CAN-SPAM's opt-out mechanism requirement.

6. Honor Opt-Out Requests Within 10 Business Days

After receiving an opt-out request, you have 10 business days to stop sending commercial messages to that address. This applies to requests received via unsubscribe link, reply email, or any other mechanism you provide.

After an opt-out request is processed, you may not sell, rent, or transfer the opted-out address to another party for email marketing purposes. The address must be added to your suppression list and maintained there indefinitely — opt-outs never expire.

The 48-hour requirement is from Gmail/Yahoo, not CAN-SPAM. Google and Yahoo's 2024 bulk sender requirements state that unsubscribe requests must be processed within 2 days — significantly stricter than CAN-SPAM's 10 business days. For bulk senders at major ISPs, the practical standard is 48 hours, not the legal maximum of 10 business days.

7. Third-Party Liability

If you hire an email marketing agency, ESP, or marketing vendor to send commercial email on your behalf, you remain legally responsible for their compliance with CAN-SPAM. The law specifically provides that "a person whose goods or services are advertised or promoted in a commercial electronic mail message" and the sender can both be held liable. You cannot contract away your CAN-SPAM obligations.

CAN-SPAM vs GDPR vs CASL: The Key Differences

For organizations sending to multiple jurisdictions, the critical distinction is that these laws use fundamentally different consent models:

| Requirement | CAN-SPAM (US) | GDPR (EU) | CASL (Canada) |
|---|---|---|---|
| Consent model | Opt-out (can send until unsubscribed) | Opt-in (must have prior consent) | Opt-in (explicit or implied) |
| Prior permission required | No | Yes (for marketing) | Yes (explicit or implied) |
| B2B exemption | None — applies to all commercial email | Slightly more flexible for B2B | Implied consent for business contacts |
| Unsubscribe processing | 10 business days | Promptly / without delay | 10 business days |
| Max penalty | $53,088/email | 4% annual turnover or €20M | CAD $10M/violation |

The practical consequence: if you're sending to EU recipients, CAN-SPAM compliance is necessary but not sufficient. GDPR requires that you have a documented legal basis (typically explicit opt-in consent) for sending marketing email to EU recipients. CAN-SPAM's opt-out model doesn't provide a valid legal basis under GDPR.

The 2025 List-Unsubscribe Intersection

Google's February 2024 bulk sender requirements (now fully enforced in 2025) require that all commercial and promotional email to Gmail include:

  • A List-Unsubscribe header
  • A List-Unsubscribe-Post: List-Unsubscribe=One-Click header (RFC 8058)
  • Processing of one-click unsubscribe requests within 2 days

This is separate from the CAN-SPAM unsubscribe link in the message body — both are required for Gmail bulk senders. The headers enable Gmail's native unsubscribe button (visible at the top of the message in Gmail); the body link satisfies the visible opt-out requirement for CAN-SPAM and recipients who don't use Gmail.

The technical implementation: when a recipient uses Gmail's native unsubscribe button, Gmail sends a POST request to the URL you specified in the List-Unsubscribe header. Your endpoint must accept this POST request and process the unsubscription within 48 hours. This is a backend endpoint, not a webpage, so it needs to be implemented in your application or via your ESP's unsubscribe webhook.
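The following is an added example, not code from the original article or from its author, that ties together the opt-out requirements (items 5 and 6 above) and the List-Unsubscribe section: it composes a commercial message carrying accurate From/domain headers, the advertisement disclosure, a postal address, a body opt-out link and the RFC 8058 headers, then implements the backend handler that receives Gmail's POST and records the address on a suppression list, plus the two processing deadlines the text contrasts. UNSUB_BASE_URL, the HMAC token scheme, the in-memory TOKENS and SUPPRESSION stores and the Example Corp address are assumptions for illustration; the deadline helper skips weekends only and does not model US federal holidays.

```python
# Added example (not the article's or any vendor's code). Assumptions: the
# UNSUB_BASE_URL endpoint, an HMAC-derived per-recipient token, and in-memory
# dicts standing in for a database.
import hashlib
import hmac
from datetime import datetime, timedelta
from email.message import EmailMessage
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"                          # assumption: per-deployment key
UNSUB_BASE_URL = "https://mail.example.com/unsubscribe"   # assumption
POSTAL_ADDRESS = "Example Corp, 123 Example St, Springfield, ST 00000"  # constructed

TOKENS: Dict[str, str] = {}            # token -> address (stand-in for a database table)
SUPPRESSION: Dict[str, datetime] = {}  # address -> when the opt-out was received


def unsubscribe_token(address: str) -> str:
    """Opaque per-recipient token, so the endpoint needs nothing but the URL."""
    return hmac.new(SECRET, address.strip().lower().encode(), hashlib.sha256).hexdigest()


def is_suppressed(address: str) -> bool:
    """Opt-outs never expire: check the suppression list before every send."""
    return address.strip().lower() in SUPPRESSION


def build_message(recipient: str, subject: str, body: str) -> EmailMessage:
    """Compose a commercial message with accurate headers, the ad disclosure,
    the postal address, a body opt-out link and the RFC 8058 headers."""
    if is_suppressed(recipient):
        raise ValueError(f"{recipient} has opted out; do not send")
    token = unsubscribe_token(recipient)
    TOKENS[token] = recipient.strip().lower()
    one_click_url = f"{UNSUB_BASE_URL}/{token}"      # POST target used by Gmail
    web_url = f"{UNSUB_BASE_URL}/page/{token}"        # human-facing page for the body link

    msg = EmailMessage()
    msg["From"] = "Example Corp <news@mail.example.com>"   # matches the sending domain
    msg["To"] = recipient
    msg["Subject"] = subject
    # RFC 8058: List-Unsubscribe carries an HTTPS URI (a mailto: may be listed too)
    # and List-Unsubscribe-Post carries exactly this one value.
    msg["List-Unsubscribe"] = (
        f"<{one_click_url}>, <mailto:unsubscribe@mail.example.com?subject={token}>"
    )
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    footer = (
        "This is a commercial email from Example Corp.\n"
        f"{POSTAL_ADDRESS}\n"
        f"Stop all commercial email from us: {web_url}"
    )
    msg.set_content(f"{body}\n\n{footer}")
    return msg


def handle_one_click(method: str, path: str, content_type: str, body: str,
                     now: Optional[datetime] = None) -> Tuple[int, str]:
    """Backend handler for the one-click endpoint; returns (HTTP status, reason).

    Only a POST whose form body is exactly List-Unsubscribe=One-Click changes
    state: link scanners and security proxies fetch every URL in a message
    with GET, so a GET must never unsubscribe anyone.
    """
    if method.upper() != "POST":
        return 405, "one-click unsubscribe requires POST"
    if content_type.split(";")[0].strip().lower() != "application/x-www-form-urlencoded":
        return 415, "expected application/x-www-form-urlencoded"
    if parse_qs(body, keep_blank_values=True).get("List-Unsubscribe") != ["One-Click"]:
        return 400, "body must be List-Unsubscribe=One-Click"
    address = TOKENS.get(path.rstrip("/").rsplit("/", 1)[-1])
    if address is None:
        return 404, "unknown token"
    SUPPRESSION.setdefault(address, now or datetime.now())   # idempotent on repeat POSTs
    return 200, "unsubscribed"


def can_spam_deadline(received: datetime, business_days: int = 10) -> datetime:
    """Legal maximum for honouring an opt-out: 10 business days.
    Weekends are skipped; US federal holidays are not modelled here."""
    deadline, remaining = received, business_days
    while remaining:
        deadline += timedelta(days=1)
        if deadline.weekday() < 5:
            remaining -= 1
    return deadline


def isp_deadline(received: datetime) -> datetime:
    """Gmail/Yahoo bulk-sender expectation: processed within 2 days."""
    return received + timedelta(days=2)


if __name__ == "__main__":
    m = build_message("alice@example.net", "April offers", "Hello Alice,")
    print(m["List-Unsubscribe"])
    tok = unsubscribe_token("alice@example.net")
    print(handle_one_click("GET", f"/unsubscribe/{tok}", "", ""))
    print(handle_one_click("POST", f"/unsubscribe/{tok}",
                           "application/x-www-form-urlencoded", "List-Unsubscribe=One-Click"))
    print(is_suppressed("alice@example.net"), can_spam_deadline(datetime(2026, 4, 6)))
```

The handler rejects anything other than a well-formed one-click POST so that automated link scanners cannot unsubscribe recipients, and the suppression check runs inside build_message so a suppressed address can never be composed into a new commercial message; the two deadline helpers make the gap between the legal maximum and the ISP expectation explicit for whoever schedules the suppression job.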

Marek Novák

Email Security Engineer at Cloud Server for Email. Specialises in anti-phishing controls, DMARC enforcement, abuse pattern analysis, and domain spoofing prevention.

Last updated: April 5, 2026