CAN-SPAM Compliant Sending
CAN-SPAM-compliant sending means following the seven rules the US law sets for commercial email: truthful headers, honest subject lines, an ad disclosure, a valid physical postal address, a clear opt-out, opt-outs honoured within 10 business days, and oversight of anyone sending on your behalf. Unlike CASL and GDPR, CAN-SPAM is an opt-out law — you may send unsolicited commercial email, including B2B, as long as you follow the rules. But the honest point is that CAN-SPAM is the legal floor, not the real bar: Gmail and Yahoo's bulk-sender rules are stricter — one-click unsubscribe, faster processing, complaints under 0.1% — and the real risk is deliverability failure, not a fine. MCSNET runs infrastructure built to the stricter operational bar that CAN-SPAM sits below.
Key takeaways
- CAN-SPAM has seven rules: truthful headers, honest subject lines, ad disclosure, a physical postal address, a clear opt-out, opt-outs honoured within 10 business days, and oversight of senders acting for you.
- Unlike CASL and GDPR, CAN-SPAM is opt-out: unsolicited commercial email is permitted — including B2B — if you follow the rules. It is the most permissive of the three.
- CAN-SPAM is the floor, not the bar: Gmail and Yahoo require one-click unsubscribe, faster processing, and complaints under 0.1% — stricter than the law.
- Penalties run up to $53,088 per email and each message is a separate violation — but the bigger 2026 risk is deliverability death, not the FTC.
- Being CAN-SPAM compliant does not make you CASL or GDPR compliant — if you email Canada or the EU, the stricter opt-in rules apply.
CAN-SPAM has a reputation for being easy, and in one sense it is: it is an opt-out law, the most permissive of the major email regimes, and its seven rules are not complicated. But “easy to comply with” hides three traps — that the seven rules are all mandatory and a single miss is a violation, that the penalties are per-email and enormous, and that legal compliance is the floor while Gmail and Yahoo set a bar well above it. This page lays out what CAN-SPAM actually requires, where it differs sharply from CASL and GDPR, and why meeting the law is necessary but nowhere near sufficient for getting your email delivered.
What does CAN-SPAM actually require?
CAN-SPAM sets seven rules that every commercial email to US recipients must satisfy, and missing any one makes the message non-compliant regardless of intent. Don’t use false or misleading header information: your From, To, Reply-To, and routing must accurately identify the sender. Don’t use deceptive subject lines: the subject must reflect the content. Identify the message as an advertisement, clearly and conspicuously. Include a valid physical postal address: a street address, a USPS-registered PO box, or a registered commercial mail receiving agency box. Provide a clear and easy opt-out mechanism in every message. Honour opt-out requests within 10 business days, keeping the mechanism working for at least 30 days after sending. And monitor what others do on your behalf, because hiring an agency or using a sending tool does not transfer the liability away from you. The first two protect against deception, the next three are content requirements, and the last two govern the ongoing relationship. All seven apply together, every time.
Opt-out, not opt-in: how does CAN-SPAM differ?
This is the difference that matters most, especially if you also send across borders. CAN-SPAM is an opt-out law: you may send unsolicited commercial email in the US without prior permission, as long as you follow the seven rules and stop when asked. That is the opposite of Canada’s CASL, which requires consent before you send, and of the EU’s GDPR-plus-ePrivacy regime, which generally requires consent or a qualifying soft opt-in. In practical terms, the US lets you email first and opt people out on request, while Canada and Europe require you to have permission before the first message. This makes CAN-SPAM the most permissive of the three by a wide margin, which is exactly why US outbound sales can run at scale where Canadian or European cold email cannot. But the permissiveness is bounded: opt-out still has to be honoured, identity still has to be truthful, and the address and disclosure are still mandatory. The freedom is in not needing consent, not in skipping the rules.
| CAN-SPAM (US) | CASL (Canada) | GDPR + ePrivacy (EU) | |
|---|---|---|---|
| Model | Opt-out | Opt-in | Opt-in |
| Consent before sending | Not required | Required | Required (or soft opt-in) |
| Unsubscribe | Within 10 business days | Within 10 business days | Immediately / promptly |
| Max penalty | $53,088 per email | $10M per violation | 4% global turnover |
Commercial versus transactional: the primary-purpose test
Not every email is commercial, and the distinction decides which rules apply. The FTC uses a primary-purpose test. A commercial message advertises or promotes a product or service and must meet all seven rules. A transactional or relationship message — one whose primary purpose falls into one of five categories: confirming an agreed transaction, providing warranty, recall, or safety information, notifying about changes to an ongoing relationship’s terms, giving employment or benefits information, or delivering goods or services already paid for — is exempt from most CAN-SPAM rules, though its header information still cannot be false or misleading. The trap is blending the two. A shipping confirmation is transactional; a shipping confirmation whose bottom third is a “recommended products” carousel can flip to commercial under the primary-purpose test, pulling it back into full compliance territory. The FTC has acted on exactly this — fining a company that sent promotional messages dressed up as account information. The safe practice is to keep transactional messages transactional and not smuggle marketing into the one channel that does not require an opt-out.
The opt-out rules, in detail
The opt-out is where most violations actually happen, so the specifics matter. The mechanism must be clear and conspicuous — easy for an ordinary person to find, recognise, and use — and it can be a link, a reply instruction, or a preference menu, as long as it is user-friendly. It must be free: you cannot charge a fee, require the recipient to log in, or demand any information beyond an email address. If you offer a preference centre with categories, you must still include a clearly visible option to stop all marketing — a preference centre without a global “unsubscribe from all” is itself a violation, and the FTC has treated a multi-category centre with no global opt-out and a two-page submit flow as multiple violations in one. Once someone opts out, you must stop emailing them and add them to a permanent suppression list, and you cannot sell or transfer their address to anyone except a vendor helping you comply. The rule that catches automated senders is that re-contacting a prior opt-out is a violation no matter which list the new campaign came from — so suppression has to be global and checked against every upload.
Does CAN-SPAM apply to B2B and cold email?
Yes, with no general exemption — and this catches many sales teams. The FTC is explicit that CAN-SPAM makes no exception for business-to-business email, and it applies to a single one-to-one message, not just bulk sends, so a personalised first-touch from a sales rep is commercial email subject to the rules. This is why US outbound sales operates legally at scale: CAN-SPAM permits cold email without prior consent, so the law regulates how you do it rather than whether you do it. FTC guidance gives some latitude for genuine business-purpose outreach sent to business addresses with accurate identification and an opt-out. What falls outside that latitude is sending to personal addresses that happen to belong to business owners, using deceptive subject lines that imply a prior relationship, and ignoring opt-outs — including treating a “remove me” reply as anything other than an opt-out. The automation-era failure modes are specific: tools that strip the physical address from footers, rotate sending domains until unsubscribe links break, or re-enrol opted-out contacts from a different sending address. Each of those is both a legal violation and a deliverability liability.
Why is CAN-SPAM only the floor?
Because the law is the least demanding standard your email has to clear, and the mailbox providers set a higher one that actually decides whether you reach the inbox. Gmail and Yahoo’s bulk-sender rules — applying to senders of roughly 5,000 or more messages a day — require one-click unsubscribe, processing of unsubscribes within about two days rather than ten business days, authenticated mail with SPF, DKIM, and DMARC, and a spam-complaint rate kept under 0.1%. Every one of those is stricter than CAN-SPAM requires. A sender who does the legal minimum — a working unsubscribe honoured in ten business days, a physical address, truthful headers — can still be filtered to spam or blocked for failing the providers’ operational bar. The honest framing for 2026 is that the real risk is not an FTC action, which is relatively rare, but deliverability death, which is routine for senders who treat the legal floor as the goal. Compliance keeps you legal; meeting the providers’ stricter bar keeps you delivered, and the two are not the same target.
The penalties are per-email
It is worth being precise about the stakes, because the per-email structure is what makes CAN-SPAM dangerous despite its simplicity. The FTC can levy up to $53,088 per individual violating email, adjusted annually for inflation, and crucially each non-compliant message is a separate violation — so a single bulk campaign can multiply into enormous theoretical exposure. The largest CAN-SPAM penalty the FTC has obtained was a $2.95 million settlement with a company that sent commercial emails without opt-out options and physical addresses and ignored opt-out requests; another well-known case settled at $650,000 for opt-out failures. Nobody is fined the full theoretical maximum on a large campaign, but the per-email math gives the FTC a strong hand in settlement, and the violations that draw enforcement are consistently the simple ones — missing physical address, broken or absent unsubscribe, ignored opt-outs. The reassuring part is that these are also the easiest items to get right, which is why disciplined infrastructure and a correct footer remove most of the real-world risk.
The cross-border trap
A CAN-SPAM-compliant campaign is not automatically lawful everywhere it lands, and senders who operate across borders get caught here. CAN-SPAM covers US recipients and is the most permissive regime. The moment your mail reaches Canadians, CASL applies — and CASL is opt-in, the opposite of CAN-SPAM, with penalties up to ten million dollars, so a cold campaign that is perfectly legal in the US can be a CASL violation in Canada. The moment it reaches the EU or UK, GDPR and ePrivacy apply, generally requiring consent or a valid soft opt-in. California’s CCPA and CPRA add their own layer for California residents. The durable approach for cross-border senders is to segment by recipient jurisdiction and apply the right rule to each, and where that is impractical, to comply with the strictest standard the audience touches — usually CASL or GDPR — because meeting a higher opt-in bar also satisfies CAN-SPAM’s lower one. As a Canadian provider, we are especially used to senders who assumed US rules covered their Canadian recipients and found out otherwise.
Your process versus our infrastructure
The honest division is the same as with any sending-compliance question. The content obligations are your process: writing truthful headers and subject lines, including the ad disclosure and a valid physical postal address, designing a clear opt-out, and getting legal advice on your specific situation — none of which a host supplies. What infrastructure provides is the operational backbone that makes compliance reliable and, more importantly, clears the higher deliverability bar: immediate, durable, global suppression so opt-outs are honoured at once and never re-contacted across any list; correct authentication so your headers are truthful in the technical sense providers verify; and the deliverability work that keeps complaint rates under the 0.1% line. In other words, we cannot write your footer or choose your subject line, but we can ensure the suppression, authentication, and reputation that both the law and the mailbox providers depend on are built to the stricter of the two standards — which means meeting CAN-SPAM is a by-product of meeting the bar that actually matters.
How we support compliant sending
With MCSNET, we run the infrastructure to the operational bar that sits above CAN-SPAM, so legal compliance comes along for free. Suppression is immediate, durable, and global across your sending, honoured well inside both the legal 10-business-day window and the providers’ two-day expectation, and checked against every campaign upload so a prior opt-out is never re-contacted. Your mail is authenticated with SPF, DKIM, and DMARC, so headers are truthful in the way mailbox providers verify and your identity is provable. The deliverability work keeps complaint rates under the 0.1% threshold that decides bulk-sender standing. And because we are a Canadian operation fluent in CASL as well as CAN-SPAM, we can help you segment and apply the right rule when your sending crosses borders. The boundary stays clear: your footer, your disclosures, and your legal posture are yours, and we will point you to counsel for them — but the suppression, authentication, and reputation that compliance and deliverability both ride on, we run properly.
# can-spam · the 7 rules vs the real bar · brand.com headers from/to/reply-to truthful · authenticated ok subject reflects content · no fake “re:” disclosure identified as ad where promotional address valid physical postal address in footer opt-out clear · free · no login · one-click honour law: 10 biz days · us: immediate + global vendors you stay liable for senders acting for you real bar gmail/yahoo: 1-click · 2-day · complaints under 0.1%
Why work with us?
Because we treat CAN-SPAM as the floor it is and build to the bar that actually governs your inbox. Plenty of providers will tell you their tool is “CAN-SPAM compliant,” as if meeting the legal minimum were the goal; we are candid that the law is the easy part and Gmail and Yahoo’s requirements are the real test. On our side, suppression is immediate and global, authentication is correct, and complaint rates are managed under the line that bulk-sender standing depends on — which means you clear CAN-SPAM as a side effect of clearing the harder bar. We are also honest about the cross-border trap, and as a Canadian provider we know the opt-in regimes your US-centric assumptions might miss. Your content and legal judgement stay yours; the infrastructure that keeps you both compliant and delivered is what we provide.
Who this is for, and who it is not
It is for senders to US recipients who want their commercial email to clear not just CAN-SPAM’s seven rules but the stricter Gmail and Yahoo bar that actually decides delivery — and for cross-border senders who need help applying CASL or GDPR to the parts of their audience CAN-SPAM does not cover. It is for teams who understand that a working unsubscribe honoured immediately and a clean complaint rate matter more in practice than the legal ten-day window. It is explicitly not a substitute for legal advice on your footer, disclosures, or specific obligations, and it is not a way to make deceptive or consent-violating sending acceptable — no infrastructure does that. CAN-SPAM-compliant sending sits alongside its opt-in counterparts, CASL for Canada and GDPR for Europe, and depends on the same suppression and deliverability discipline throughout. Meet the law, then meet the bar above it, and your US sending is both lawful and delivered — which, in 2026, are two different achievements.