CAN-SPAM Physical Address Requirement (2026): What You Must Include
Paying $15/month for email software is easy. Publishing your address to every stranger on the internet? That's the part that makes people freeze.
Here's the plain-English version of the CAN-SPAM physical address requirement: if you're sending a commercial email, you need a valid physical postal address in the message. The FTC spells out what counts: a street address, a USPS-registered PO Box, or a properly registered CMRA private mailbox.
Look, you don't need clever compliance gymnastics. You need one footer that's always right, and an address option that doesn't put your home on blast.
What you need (quick version)
- ✅ Commercial emails must include a "valid physical postal address." 15 U.S.C. § 7704(a)(5)(A)(iii) requires a "valid physical postal address of the sender" in commercial electronic mail messages.
- ✅ The FTC's rule defines a "valid physical postal address" as one of these formats under 16 CFR § 316.2(p):
- Your current street address
- A USPS-registered PO Box
- A USPS-regulated CMRA private mailbox (a private mailbox at a commercial mail receiving agency)
- ✅ Commercial email also needs a clear opt-out, the opt-out must work for at least 30 days, and you must honor opt-outs within 10 business days.
- ✅ B2B isn't exempt. If it's commercial, it's covered.
Mini decision bullets:
- If you're sending promos, newsletters, cold outreach, or "quick question" emails that are really sales emails - include the address.
- If it's a pure receipt/password reset/account notice - it's transactional/relationship, and under the FTC's primary-purpose framework it's exempt from most CAN-SPAM provisions.
One practical note: once your footer's compliant, deliverability still lives or dies on list quality. We've seen teams do everything "right" legally and still crater inbox placement because they kept mailing bad addresses. Tools like Prospeo help by verifying emails before you send.
Why this requirement exists (and why it feels invasive)
The physical address requirement is a consumer-protection anchor. It makes senders traceable, discourages fly-by-night scams, and gives recipients a real-world way to identify who's behind the message.
And yes, it can feel invasive if you run your business from home.
I've watched a founder friend realize their newsletter footer had their home address in it, then spend an entire Saturday hunting down old automations across three tools because an ancient "welcome" sequence was still sending the old footer to new subscribers. That's the real risk: you fix it once, assume you're done, and a forgotten template keeps leaking it.
If privacy's your concern (it should be), do this:
- Use a PO Box or a CMRA mailbox from day one. Don't "start with home" and fix it later.
- Standardize the footer across every tool. Your ESP, CRM sequences, webinar tool, invoicing tool, and support desk can all send email.
- If you're being harassed: switch to a PO Box/CMRA immediately, update every sending tool, and document the threat (screenshots, dates, URLs). If it escalates, that paper trail matters.
The myth that keeps this problem alive: "PO Boxes don't count." They do. The FTC definition in 16 CFR § 316.2(p) explicitly includes a USPS-registered PO Box as a valid physical postal address.
The legal rule in plain English (with citations you can quote)
CAN-SPAM's address rule is short, blunt, and easy to quote in internal reviews.
The statutory requirement (commercial email) is in 15 U.S.C. § 7704(a)(5)(A)(iii): you can't send a commercial electronic mail message unless it includes "a valid physical postal address of the sender."
Two points the FTC makes clear in its business guidance:
- CAN-SPAM applies to commercial messages, including B2B.
- It's not limited to bulk blasts. One commercial message still has to comply.
What CAN-SPAM doesn't require (this is where people overcomplicate it):
- It doesn't require your home address.
- It doesn't require a physical storefront or an office open to the public.
- It doesn't require the address where your business is incorporated or registered - it requires a valid postal address where you can be reached by mail.
Even if FTC enforcement feels far away, your email service provider won't treat it that way. ESP compliance teams routinely pause accounts for missing footer elements (address + unsubscribe) because it's a policy violation and a trust signal to mailbox providers, and it's a frustratingly avoidable way to lose sending access overnight.
If you need one authoritative page to send to legal or your boss, use the FTC's guide: CAN-SPAM Act compliance guide for business.
Pull-quote you can paste into a policy doc Commercial emails must include "a valid physical postal address of the sender." (15 U.S.C. § 7704(a)(5)(A)(iii)) "Valid physical postal address" includes a street address, a USPS-registered PO Box, or a USPS-regulated CMRA private mailbox. (16 CFR § 316.2(p))
Getting your CAN-SPAM footer right is step one. Step two is making sure you're not sending to dead addresses that tank your deliverability. Prospeo verifies emails at 98% accuracy before you hit send - so your compliant emails actually land.
Stop cratering inbox placement with bad data. Verify first.
What counts as a valid address under CAN-SPAM
The FTC definition in 16 CFR § 316.2(p) gives you three compliant formats. That's it.
| Address type | Counts? | What it is | Why use it | Common mistake |
|---|---|---|---|---|
| Street address | Yes | Current street address | Simple if you have an office | Using an old address |
| USPS PO Box | Yes | USPS-registered PO Box | Privacy + boring compliance | Assuming it "doesn't count" |
| CMRA mailbox | Yes | Private mailbox at a CMRA | Street format + mail handling | Formatting it like a suite |
One strong opinion: if you're home-based, a PO Box or CMRA is the grown-up move. Putting your home address in a footer isn't "transparent," it's unnecessary exposure.
CAN-SPAM physical address requirement: when it applies (commercial vs transactional)
CAN-SPAM doesn't treat every email the same. The key question is whether the email's primary purpose is commercial, using the FTC framework in 16 CFR § 316.3.
Here's a policy rule that actually works in the real world: if an email contains any promotional CTA, treat it as commercial and include address + opt-out. You'll over-comply a bit, and you'll sleep better.
Decision tree (drop this into your SOP):
- Pure transactional/relationship?
Examples: receipt, password reset, shipping update, product security notice, meeting confirmation you requested.
- If yes: primary purpose is transactional/relationship, so it's exempt from most CAN-SPAM provisions under the FTC framework.
- If no: go to 2.
- Pure commercial?
Examples: newsletter promoting services, cold outbound, discount offer, "new feature" promo, webinar invite, upsell campaign.
- If yes: primary purpose is commercial, so include physical address + unsubscribe + other CAN-SPAM requirements.
- If no: go to 3.
- Mixed email (transactional + promo): use subject line + placement These heuristics track how mixed messages get evaluated (anchored to 16 CFR § 316.3 and the Federal Register discussion at 70 FR 3110):
- If the subject line reads promotional, treat it as commercial.
- If the commercial content appears ahead of the transactional/relationship content, treat it as commercial.
- If the transactional/relationship content is clearly the point and appears first, with promo secondary, it's closer to transactional.
We've tested this approach across lifecycle programs, outbound sequences, and "product update" newsletters, and it prevents the classic 11 p.m. audit panic where someone asks, "Wait, does this one need an unsubscribe link?"
Just put the address + opt-out in any template that could ever carry a promo. Done.
Sending "on behalf of" a client (white-label / agencies / platforms)
If you send email for clients - agency newsletters, SaaS platforms sending lifecycle email for customer brands, or "powered by" systems - make the sender identity and address unambiguous.
Use one of these two approaches:
- Client-as-sender: the footer uses the client's business name + the client's valid postal address (street/PO Box/CMRA). This is the cleanest option when recipients should contact the client.
- On-behalf-of clarity: "Sent on behalf of [Client] by [Platform/Agency]" and include the address for the entity responsible for the message (the one handling replies, opt-outs, and complaints).
The goal's simple: the recipient should instantly know who sent the message and where that sender can be reached by mail.
Privacy-safe ways to comply (pick the best option for your situation)
You have three compliant address types, but not all of them are privacy-safe or operationally stable.
| Option | Counts? | Privacy | Setup | Est. monthly | Best for | Gotchas |
|---|---|---|---|---|---|---|
| USPS PO Box | Yes | High | Medium | $5-$50+ | Home-based senders | Key pickup is in-person |
| CMRA mailbox | Yes | High | Medium | $10-$50 | Remote teams | Must use PMB/# formatting |
| Office/coworking | Yes* | Medium | Low | $0-$300+ | Teams with a real office | Mail must reliably reach you |
*It counts only if it's a real street address where you're authorized to receive mail consistently.
Two details people miss:
- If you can't reliably receive mail at the address you publish, you're not "reachable by mail" in any meaningful sense, and that's the whole point of the requirement.
- Moving addresses is where compliance breaks: someone updates the ESP footer, but forgets the CRM sequence, the webinar tool, and the billing system.
USPS PO Box (best default for most home-based senders)
If you want the simplest "I'm compliant and I'm not publishing my home address" solution, get a PO Box.
USPS PO Box terms come in 3-, 6-, and 12-month rentals. Setup's annoyingly analog: you apply, then pick up keys in person and bring two forms of ID. USPS lays it out here: USPS PO Box setup and terms.
Use this if:
- You're a solo sender, creator, or small agency.
- You don't need mail scanning or forwarding.
Skip this if:
- You need a street-address format for vendor onboarding or banking (some systems reject "PO Box").
CMRA / virtual mailbox (street-address format + mail handling)
A CMRA private mailbox counts as a "physical postal address" under 16 CFR § 316.2(p), but it looks like a street address and can include scanning, forwarding, and multiple recipients.
Use this if:
- You want privacy plus operational convenience (scan mail, forward mail, multiple team members).
- You need a street-format address for business workflows.
Skip this if:
- You won't follow the formatting rules. "Suite hacks" are where people accidentally step out of compliance.
Office/coworking address (only with written permission + reliable mail handling)
If you've got a real office lease, this is straightforward. Coworking is trickier: some locations accept mail, some accept packages only, some require add-ons, and some change policies without warning.
Use this if:
- You have a stable office address you control, or a coworking provider that explicitly supports mail receipt for your business.
Skip this if:
- You can't reliably receive mail there. If a recipient (or regulator) mails you and it bounces back, you've turned a checkbox into a liability.
- You're month-to-month and might move. Updating footer addresses across tools is tedious, and teams always miss one automation.
What not to do (fake address, random address, "Suite" hacks)
Don't get cute.
- Don't use a fake address.
- Don't use an address you don't control.
- Don't format a CMRA mailbox as "Suite 123" to make it look like an office suite.
Besides compliance risk, it's a trust killer. Recipients notice when your footer looks shady.
CMRA/virtual mailbox compliance details most guides miss (PMB formatting + registration)
Most "virtual mailbox" posts gloss over the two details that actually matter: registration and formatting.
Checklist (what "registered CMRA mailbox" means in practice):
- ✅ You're renting a private mailbox from a CMRA that operates under USPS regulations.
- ✅ You complete PS Form 1583, which authorizes the CMRA to receive mail for you.
- ✅ Expect identity verification; many providers require notarization as part of the Form 1583 process.
- ✅ You follow USPS addressing standards for how the mailbox appears in the address.
Do / don't for formatting (USPS Publication 28 rules):
- Do include PMB or # plus the mailbox number.
- Don't use any other identifier (including "Suite") for a private mailbox.
- Don't put "PO Box" on the delivery address line for a private mailbox. Only USPS provides PO Boxes.
Examples:
- Correct:
123 Main St PMB 204, Austin, TX 78701 - Correct:
123 Main St #204, Austin, TX 78701 - Wrong:
123 Main St Suite 204, Austin, TX 78701 - Wrong:
123 Main St PO Box 204, Austin, TX 78701
CMRAs aren't some tiny loophole. A USPS OIG audit estimated 1.6M customers across about 12,000 CMRAs, which tells you this is mainstream, regulated infrastructure.
Copy-paste footer templates (newsletter, SaaS, agency, solo creator)
These templates handle the two things people mess up: the address line and the unsubscribe line. Copy/paste, then swap in your details.
Template: Newsletter (PO Box)
You're receiving this because you subscribed to [Brand].
[Brand] - PO Box 12345, City, ST 12345
Unsubscribe: [one-click unsubscribe link]
Keep unsubscribe clear and functional. Don't hide it behind logins.
Template: Newsletter (CMRA / private mailbox)
[Brand]
123 Main St PMB 204, City, ST 12345
Unsubscribe: [one-click unsubscribe link]
Use PMB or #. No "Suite" labels.
Template: SaaS lifecycle promo (real office address)
Sent by [Company], 456 Market St, Suite 800, City, ST 12345
Manage email preferences or unsubscribe: [link]
Use "Suite" only for a real office suite, not a CMRA mailbox.
Template: Agency outbound
[Agency Name] | 789 Broadway, City, ST 12345
Not relevant? Unsubscribe here: [link]
Template: Solo creator cold outreach (PO Box)
[Your Name / Brand] - PO Box 12345, City, ST 12345
Opt out anytime: [link]
After you fix the footer: compliance isn't deliverability (what actually moves inbox placement)
CAN-SPAM compliance matters because penalties are real: the FTC lists $53,088 per violating email, and that's per separate email, so it scales brutally with volume if you ignore the basics.
But fixing your footer rarely fixes your spam problem. Inbox placement moves on authentication, engagement, and (the most controllable lever for most teams) list hygiene, because high bounce rates and spam complaints will wreck your sender reputation even if your footer's perfect.
Practical steps that actually help:
- Verify emails before you send (fewer bounces, fewer complaints).
- Ramp volume like a sane person (don't go from 0 to 5,000/day).
- Keep SPF/DKIM/DMARC clean.
- Remove unengaged recipients regularly.
We've seen the fastest wins come from one boring workflow: verify first, then send. Prospeo is built for exactly that - it's "The B2B data platform built for accuracy," with 98% verified email accuracy and a 7-day refresh cycle, so you're not blasting stale addresses and wondering why your domain reputation's tanking.
We've seen teams nail every CAN-SPAM requirement - address, opt-out, the works - then watch sender reputation collapse because 30% of their list was invalid. Prospeo's 5-step verification catches bad emails at $0.01 each, before they bounce.
Compliance keeps you legal. Clean data keeps you in the inbox.
FAQ
Can I use a PO Box to satisfy CAN-SPAM?
Yes. A USPS-registered PO Box qualifies as a valid physical postal address under 16 CFR § 316.2(p), and commercial emails must include one under 15 U.S.C. § 7704(a)(5)(A)(iii). For most home-based senders, a PO Box is the simplest privacy-safe choice that stays compliant.
Can I use a virtual mailbox/CMRA address - and what must it look like?
Yes, as long as it's a USPS-regulated CMRA private mailbox that's properly registered (PS Form 1583) and formatted correctly. Use "PMB" or "#" plus the mailbox number (example: "123 Main St PMB 204"); don't label it as "Suite."
Do transactional emails need a physical address in the footer?
Pure transactional/relationship emails are exempt from most CAN-SPAM provisions under the FTC's primary-purpose framework (16 CFR § 316.3), so the footer address typically isn't required. If there's any promotional CTA, treat it as commercial and include the address + an opt-out so you don't end up arguing about edge cases later.
Can I use my registered agent address instead of a mailbox?
You can, but only if you're authorized to publish it and it reliably receives mail for you. Many registered agents prohibit using their address in marketing footers, so read the contract. For most small teams, a PO Box or CMRA mailbox is cleaner and more stable.
What's a good free tool to reduce bounces after I'm compliant?
Prospeo's free tier includes 75 email credits plus 100 Chrome extension credits per month, which is enough to verify a small outbound list before you send. Keeping bounces under 5% is a practical target; if you're consistently above that, your list source or verification step needs fixing.
Summary: the simplest way to meet the requirement (without doxxing yourself)
The CAN-SPAM physical address requirement's straightforward: if the email's commercial, include a valid physical postal address (street address, USPS PO Box, or a properly registered CMRA mailbox) plus a working opt-out.
If you're home-based, don't overthink it. Get a PO Box or CMRA, standardize one footer across every sending tool, then focus on what actually protects inbox placement: clean authentication and verified lists.