Email Marketing Law for US Recipients and Infrastructure Operators
CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003) is the United States federal law governing commercial email. Unlike GDPR — which requires consent before sending — CAN-SPAM is an opt-out regime: you can send commercial email to US recipients without prior consent, provided you comply with specific content and process requirements and honor opt-out requests promptly.
CAN-SPAM distinguishes between commercial email and transactional/relationship messages. This distinction affects compliance requirements significantly.
Commercial email is defined as any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. Marketing newsletters, promotional campaigns, and sales outreach are commercial email. All CAN-SPAM requirements apply.
Transactional messages — order confirmations, account notifications, password resets, and service notifications — are primarily relationship messages rather than commercial ones. They are still subject to the prohibition on deceptive headers and sender identification, but are not required to include a physical address or unsubscribe mechanism if the primary purpose is transactional.
The distinction matters for infrastructure design: transactional and marketing email should be separated into different IP pools (PowerMTA virtual MTA pools) with different sending domains. This separation ensures that marketing IP reputation events don't affect transactional delivery, and that transactional messages are clearly identifiable as such for CAN-SPAM classification purposes.
Cloud Server for Email configures dedicated IP pools for transactional and marketing traffic in all managed Enterprise-tier environments. This separation supports both CAN-SPAM compliance (clear message type identification) and deliverability (reputation isolation).
B2B cold email — unsolicited commercial email sent to business contacts — is permitted under CAN-SPAM without prior consent, subject to all CAN-SPAM requirements. This is a significant difference from GDPR and CASL, which require a legal basis or consent for B2B email.
CAN-SPAM's opt-out requirement applies to B2B cold email equally. If a B2B prospect opts out, they must be removed within 10 business days and cannot be re-mailed. Cold email infrastructure should include robust suppression management — MailWizz maintains global suppression lists that apply across all campaigns.
ISP requirements for B2B cold email are stricter than CAN-SPAM in practice. Gmail's filtering doesn't distinguish between CAN-SPAM-compliant cold email and spam — it applies the same engagement-based filtering regardless of legal compliance. CAN-SPAM compliance is a legal floor, not an inbox placement guarantee. See our cold email infrastructure page for operational B2B outreach guidance.
The Federal Trade Commission (FTC) and state attorneys general enforce CAN-SPAM. CAN-SPAM does not provide a private right of action: individual recipients cannot sue for CAN-SPAM violations. Internet service providers can bring action against senders. The Department of Justice can bring criminal enforcement.
CAN-SPAM penalties: up to $53,088 per email in violation ($0.05M cap removed in practice for repeated violations). Criminal penalties up to $2M for aggravated violations (unauthorized access, false registration information, operating through open relays).
Google's Bulk Sender Requirements (enforced since February 2024) require one-click unsubscribe via the RFC 8058 List-Unsubscribe-Post header for all bulk marketing messages. This is now a practical requirement for Gmail delivery regardless of CAN-SPAM's 10-business-day standard. PowerMTA can inject the RFC 8058 header at the MTA level, ensuring it's present in all outbound messages without requiring template changes.
MailWizz's global suppression list stores unsubscribed email addresses across all lists and campaigns. When a recipient unsubscribes from any campaign, their address is added to the global suppression list and prevented from receiving future campaigns — meeting CAN-SPAM's opt-out honoring requirement. The suppression is immediate (the record is added to the list before the HTTP redirect completes).
CAN-SPAM's prohibition on deceptive From headers is best met through DKIM alignment: the From domain matches the DKIM signing domain, which is visible in email client authentication indicators. Misaligned DKIM also fails DMARC alignment, causing additional delivery problems. Cloud Server for Email configures DKIM alignment for all managed environments as part of the standard authentication setup.
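A pre-send check for the RFC 8058 one-click unsubscribe headers and the DKIM alignment described above, as an added example that is not code from this page, PowerMTA or MailWizz. The sample message, its domains and the function names are constructed for illustration; the check inspects header structure only and does not verify the DKIM signature cryptographically.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; all domains and the token are placeholders.
SAMPLE = """\
From: Shop News <news@mail.example.com>
To: user@example.net
Subject: Spring offers
List-Unsubscribe: <mailto:unsub@mail.example.com>, <https://mail.example.com/u/TOKEN>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER

Hello
"""

def dkim_tags(value):
    """Split a DKIM-Signature value into {tag: value}, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): re.sub(r"\s+", "", v) for k, v in pairs}

def aligned(d, from_domain, relaxed):
    """Exact match, or (relaxed) one domain is a subdomain of the other.
    Assumption: real DMARC relaxed alignment compares organizational domains
    via the Public Suffix List, which this sketch does not load."""
    d, f = d.lower(), from_domain.lower()
    return d == f or (relaxed and (f.endswith("." + d) or d.endswith("." + f)))

def lint(raw, relaxed=True):
    """Return a list of problems; an empty list means the checks passed."""
    msg, problems = message_from_string(raw), []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.strip().lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no HTTPS URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post missing or malformed")
    sigs = [dkim_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    need = {"list-unsubscribe", "list-unsubscribe-post"}
    if not any(need <= set(s.get("h", "").lower().split(":")) for s in sigs):
        problems.append("no DKIM signature covers both unsubscribe headers")
    if not any(s.get("d") and aligned(s["d"], from_domain, relaxed) for s in sigs):
        problems.append("no DKIM d= aligned with From domain")
    return problems

if __name__ == "__main__":
    print(lint(SAMPLE) or "ok")
```

RFC 8058 requires both unsubscribe headers to be covered by a valid DKIM signature, which is why the check reads the h= tag rather than only confirming the headers are present.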