CAN-SPAM Act Guidelines: What You Must Know in 2026

The 7 CAN-SPAM act guidelines every sender must follow in 2026, plus penalties, state law traps, and deliverability basics that keep you out of spam folders.

7 min read · Prospeo Team


$53,088 per email. That's the federal penalty cap for a single CAN-SPAM violation. Most marketers know the law exists - far fewer know the specific rules it requires, where state laws still create exposure, or why legal compliance alone won't keep you out of the spam folder.

What You Need (Quick Version)

CAN-SPAM is an opt-out law. You can send unsolicited commercial email in the US as long as you follow seven rules. Violate them and you face up to $53,088 per email. The largest enforcement fine ever - $2.9M against Verkada - hit a company that skipped unsubscribe links and a physical address. Legal compliance keeps you out of court. Deliverability best practices keep you out of the spam folder. You need both.

What Is the CAN-SPAM Act?

The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 is the federal law governing commercial email in the United States. Despite the name, it covers all commercial messages - not just bulk sends, and not just B2C. If your email's primary purpose is commercial, the law applies.

Does CAN-SPAM Apply to Your Emails?

It applies if your email promotes a product, service, or content on a commercial website. This includes B2B prospecting, newsletter sponsorships, and promotional drip sequences. The FTC is explicit: "The law makes no exception for business-to-business email." If you're building outbound programs, it helps to align this with your broader cold email marketing approach.

It doesn't apply if the message is purely transactional - order confirmations, shipping updates, account notifications. But even transactional emails can't use false or misleading routing information.

The primary purpose test is where things get tricky. If an email contains both transactional and promotional content, the placement, proportion, and formatting of the commercial content determines which rules apply. A shipping confirmation with a small "you might also like" section is transactional. A promotional blast with an order number buried at the bottom is commercial. Get this wrong and you lose the transactional exemption entirely.

The 7 CAN-SPAM Requirements

Every commercial email you send must satisfy all seven:

Figure: Visual checklist of all 7 CAN-SPAM requirements
  1. Accurate header information. Your "From," "To," and "Reply-To" fields plus routing information must accurately identify the sender. No spoofed domains, no misleading sender names.

  2. Non-deceptive subject lines. The subject line must reflect the email's content. "Re: Your request" on a cold outreach email is a violation. (If you need safer ideas, start with proven cold email subject line examples.)

  3. Identify the message as an ad. The FTC gives you flexibility on how, but the disclosure must be clear and conspicuous.

  4. Include a valid physical postal address. A street address, USPS-registered PO box, or registered commercial mail receiving agency address all work.

  5. Provide a clear opt-out mechanism. Every email needs an obvious way to unsubscribe. You can offer category preferences, but you must include a "stop all" option. The mechanism must stay functional for at least 30 days after sending.

  6. Honor opt-outs within 10 business days. Once someone unsubscribes, you can't email them again or sell their address to anyone except a compliance vendor.

  7. Monitor what others do on your behalf. If you hire an agency or contractor to send email, you're still liable. Both advertiser and sender face penalties.

Here's what a non-compliant footer looks like versus a compliant one:

Non-compliant: Click here to manage preferences.

Compliant: This is an advertisement from [Company Name]. [Company Name], 123 Main St, Suite 400, Austin, TX 78701. Don't want these emails? [Unsubscribe here].

Most violations we see come down to broken unsubscribe links and missing postal addresses - the simplest items on the checklist.
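As an added illustration (not code from the original post or from Prospeo), here is a small pre-send lint in Python that checks a raw message against rules 1 to 5 using the two footers above, and computes the rule 6 deadline. The keyword lists, the address regex, the placeholder company "Acme Corp" and the example.com addresses are assumptions; the deadline skips weekends but not US holidays.

```python
import re
from datetime import date, timedelta
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not from the original post): the two footers above,
# wrapped in minimal raw messages. "Acme Corp" and example.com are placeholders.
BAD_FOOTER = "Click here to manage preferences."
GOOD_FOOTER = ("This is an advertisement from Acme Corp. Acme Corp, 123 Main St, "
               "Suite 400, Austin, TX 78701. Don't want these emails? Unsubscribe here.")
COLD_EMAIL_BAD = ("From: Sales <sales@example.com>\nSubject: Re: Your request\n\n"
                  "Quick note on our new tool.\n\n" + BAD_FOOTER + "\n")
COLD_EMAIL_OK = ("From: Jane Doe <jane@example.com>\nSubject: Question about your stack\n\n"
                 "Quick note on our new tool.\n\n" + GOOD_FOOTER + "\n")

# Heuristic (assumed): US postal address = street number, street, optional extra
# parts, two-letter state and 5-digit ZIP. A pre-send lint, not an address validator.
ADDRESS_RE = re.compile(r"\d+\s+[^,]+(?:,\s*[^,]+)*,\s*[A-Z]{2}\s+\d{5}\b")

def check_footer(body: str) -> list:
    """Return the checklist items (3, 4, 5) the body text fails to satisfy."""
    problems = []
    if not re.search(r"advertisement|advertising|promotional", body, re.I):
        problems.append("no ad disclosure (rule 3)")
    if not ADDRESS_RE.search(body):
        problems.append("no physical postal address (rule 4)")
    if not re.search(r"unsubscribe|opt[ -]?out|stop all", body, re.I):
        problems.append("no opt-out mechanism (rule 5)")
    return problems

def check_message(raw: str) -> list:
    """Lint a raw RFC 822 message against rules 1 to 5; empty list means it passed."""
    msg = message_from_string(raw)
    problems = []
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        problems.append("From header has no usable address (rule 1)")
    # A fake "Re:" on a message that is not a reply is the post's rule 2 example.
    if re.match(r"\s*(re|fwd?):", msg.get("Subject", ""), re.I) and not msg.get("In-Reply-To"):
        problems.append("subject pretends to be a reply (rule 2)")
    return problems + check_footer(msg.get_payload())

def opt_out_deadline(unsubscribed_on: str, business_days: int = 10) -> str:
    """Last day to stop mailing under rule 6 (ISO dates; weekends skipped, holidays not)."""
    d, remaining = date.fromisoformat(unsubscribed_on), business_days
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday count as business days
            remaining -= 1
    return d.isoformat()  # opt_out_deadline("2026-01-05") -> "2026-01-19"
```

Run `check_message(COLD_EMAIL_BAD)` to see four failures (rules 2 to 5) and `check_message(COLD_EMAIL_OK)` to see none.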


Penalties for Violations

The FTC can pursue penalties of up to $53,088 per individual email. For high-volume senders, the math gets terrifying fast. (If you're trying to reduce risk operationally, start by tracking your email bounce rate.)

Figure: Penalty stats and Verkada enforcement case breakdown

The Verkada case is the clearest recent example. In August 2024, the FTC and DOJ hit Verkada with a $2.9M fine - the largest CAN-SPAM penalty ever. The company had sent 30+ million marketing emails across three years without proper opt-out mechanisms, without honoring unsubscribe requests, and without including a valid physical address. Three basic checklist items, ignored at scale.

Aggravated violations create even more exposure. Harvesting email addresses through unauthorized automated methods, for instance, can escalate enforcement action beyond standard fines. If you're sourcing contacts, make sure your web scraping lead generation process stays on the right side of both policy and law.

State Laws Still Bite

CAN-SPAM preempts most state spam laws, but state laws prohibiting falsity or deception in commercial email survive preemption. This is the gap that catches people.

Washington's Commercial Electronic Mail Act (CEMA) is the one to watch. Eight class actions were filed in the six months leading up to late 2025, targeting misleading urgency in subject lines - things like "Sale ends tonight!" followed by the same promotion running the next day. The Washington Supreme Court's Brown v. Old Navy LLC (2025) decision confirmed that CEMA's ban on false or misleading subject-line information applies broadly.

Here's the thing: you can be fully CAN-SPAM compliant and still get sued under state law for a subject line that overpromises. If your marketing team uses urgency-driven copy, make sure the urgency is real. For a full list of state email statutes, see Cornell Law's state-law table.

Common Misconceptions

Myth: Cold email is illegal under CAN-SPAM. It isn't. CAN-SPAM is opt-out, not opt-in. You can send unsolicited commercial email as long as you follow all seven requirements. The consensus on r/coldemail is that most people confuse CAN-SPAM with GDPR - they're fundamentally different consent models. If you're building sequences, use a structured B2B cold email sequence instead of ad-hoc blasts.

Myth: Compliance means your emails reach the inbox. Gmail and Outlook have their own rules, far stricter than federal law. You can be 100% compliant and still get blacklisted if recipients mark you as spam. Legal and deliverable are two different problems.

Myth: Purchased lists are automatically illegal. CAN-SPAM doesn't prohibit purchased lists. But we've seen purchased lists destroy sender reputation faster than almost any other single decision. Stale data, spam traps, and zero recipient relationship are a toxic combination. (If you're weighing the risk, see Is It Illegal to Buy Email Lists?)

CAN-SPAM vs. GDPR vs. CASL

|                      | CAN-SPAM                                  | GDPR                   | CASL                  |
|----------------------|-------------------------------------------|------------------------|-----------------------|
| Consent model        | Opt-out                                   | Explicit opt-in        | Opt-in                |
| Max penalty          | $53,088/email                             | EUR 20M or 4% revenue  | $10M CAD              |
| Geographic scope     | Commercial email sent to or from the U.S. | EU/EEA data subjects   | To/from/within Canada |
| Unsubscribe deadline | 10 business days                          | Without delay          | 10 business days      |

Figure: Side-by-side comparison of CAN-SPAM, GDPR, and CASL

If you're sending to prospects in the EU, Canada, or both, default to GDPR standards. Opt-in consent, immediate unsubscribe processing, and documented consent records will keep you compliant everywhere. CAN-SPAM's opt-out model is the most permissive of the three - which is exactly why it's the floor, not the ceiling.

Let's be honest: most outbound teams treat CAN-SPAM compliance as the finish line. It's actually the starting line. The teams that consistently land in inboxes aren't the ones who memorized seven rules - they're the ones who built their sending infrastructure like deliverability was the product. If you want the full system view, start with an email deliverability guide.

How CAN-SPAM Affects Email Deliverability

Legal compliance gets you past the FTC. Deliverability gets you past Gmail. In our experience, the teams that get burned aren't the ones ignoring the rules - they're the ones who think compliance alone protects them.

Figure: Two-layer diagram showing compliance vs deliverability requirements

Authenticate your domain. SPF, DKIM, and DMARC records aren't legally required, but inbox providers treat unauthenticated email as suspicious. Set these up before you send a single campaign. Google's email sender guidelines spell out the technical requirements clearly. (If you're troubleshooting, use this SPF record example and confirm how to verify DKIM is working.)

Use dedicated sending domains. Don't blast cold email from your primary company domain. One spam complaint wave can tank deliverability for your entire organization - and that damage takes weeks to repair.

Verify your list before every send. Bad addresses cause bounces, bounces trigger spam flags, and spam flags kill your domain. We run every outbound list through Prospeo's verification before campaigns go out - it catches invalid emails at 98% accuracy on a 7-day data refresh cycle, so you're checking against current data rather than records that went stale weeks ago.

Monitor bounce rates and spam complaints. Keep both low, or inbox providers will start throttling you fast. Mailchimp's acceptable use policy is a good benchmark for what ESPs consider healthy sending metrics. If you're actively repairing performance, focus on how to improve sender reputation.

CAN-SPAM tells you what's legal. Your bounce rate tells you what's working.


FAQ

Yes. CAN-SPAM is an opt-out law, so you can send unsolicited commercial email as long as you follow all seven requirements - accurate headers, honest subject lines, ad disclosure, physical address, opt-out mechanism, 10-day honor window, and vendor oversight. The bigger risk isn't the FTC; it's inbox providers destroying your sender reputation when recipients flag you.

Does CAN-SPAM apply to B2B emails?

Yes. The FTC explicitly states the law makes no exception for business-to-business email. Every commercial message must include a physical address, working unsubscribe link, and honest routing information regardless of whether you're selling to consumers or other companies.

How do I stay compliant when sending outbound?

Follow the seven requirements, verify your email list before sending, use a dedicated sending domain, and honor opt-outs within 10 business days. Most violations stem from broken unsubscribe links and missing postal addresses - the easiest items to fix. Skip purchased lists if you can; the deliverability damage almost always outweighs the convenience.

What's the difference between CAN-SPAM and GDPR?

CAN-SPAM is opt-out - you can email anyone until they unsubscribe. GDPR requires explicit opt-in consent before sending to EU/EEA residents. GDPR penalties reach EUR 20M or 4% of global revenue, dwarfing CAN-SPAM's $53,088 per-email cap. If you email internationally, default to GDPR's stricter consent standard and you'll be covered under both.
