CAN-SPAM Act: what US email law requires
CAN-SPAM is an opt-out law: you may email someone who never asked, as long as the message is honest, names you, carries a physical address, and offers an unsubscribe you honor within 10 business days. There is no B2B exemption, and each non-compliant email is a separate violation.
Last checked: June 21, 2026
The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography And Marketing Act, 15 U.S.C. § 7701 et seq.) is the United States’ federal commercial-email law. It is the most permissive of the major regimes on one point and unforgiving on the rest: it does not require prior consent, but it sets hard rules for honesty, identification, and opt-out, and it treats every offending email as its own violation.
This is general information, not legal advice. Consult US counsel for your situation. The obligations below come from the FTC’s own compliance guide.
The 60-second version
- Opt-out, not opt-in. No prior permission is needed to send commercial email.
- No B2B exemption. Any email whose primary purpose is commercial must comply, B2B included.
- Headers and the subject line must be accurate and non-deceptive.
- You must disclose the message is an ad, include a valid physical postal address, and offer a clear way to opt out.
- Honor an opt-out within 10 business days; keep the mechanism working for at least 30 days.
- Each separate non-compliant email can draw a civil penalty of up to $53,088.
- Using a third-party sender does not shift the liability off you.
Who and what it covers
CAN-SPAM governs commercial messages - email whose primary purpose is the commercial advertisement or promotion of a product or service. The FTC is explicit that there is no exception for business-to-business email: a message to former customers announcing a new product line must comply like any other.
Because the test is “primary purpose,” purely transactional or relationship messages (for example, information about a transaction the recipient already agreed to) are treated differently from advertising. When a message mixes both, its primary purpose controls.
Honesty: headers and subject lines
| Requirement | What it means |
|---|---|
| Accurate routing/header info | The “From,” “To,” “Reply-To,” and routing information must be accurate and identify the person or business that initiated the message. |
| Non-deceptive subject line | The subject line must accurately reflect the content of the message. |
| Identify as an advertisement | You must disclose clearly and conspicuously that the message is an advertisement. |
This is where authentication and compliance meet in practice: accurate, non-forged headers are a legal requirement, and SPF, DKIM, and DMARC are the mechanisms that let a receiver verify the sending domain behind them (DMARC specifically checks that the visible “From” domain aligns with the domain SPF or DKIM authenticated).
The physical postal address
Every commercial message must include a valid physical postal address. The FTC accepts a current street address, a USPS-registered post office box, or a private mailbox registered with a commercial mail-receiving agency. This is a distinguishing feature of US law - most other regimes require identification and contact details but not specifically a postal address.
The unsubscribe rules
| Rule | Detail |
|---|---|
| Clear opt-out | Include a clear, conspicuous explanation of how to opt out - a reply address or another easy internet-based method. |
| Menu allowed | You may offer a menu to opt out of certain message types, but you must include an option to stop all commercial messages. |
| Honor promptly | Honor an opt-out request within 10 business days. |
| Keep it working | The opt-out mechanism must stay functional for at least 30 days after you send. |
| No barriers | You cannot charge a fee, require any personal information beyond an email address, or make the recipient take more than one step. |
| No reuse | Once someone opts out, you cannot sell or transfer their address (except to a provider you hired to help you comply). |
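The two clocks in the table (honor within 10 business days, keep the mechanism working for at least 30 days after the send) are easy to get wrong in bookkeeping, so here is an added example of the minimum a sender should track. This is illustrative code written for this page, not Egressif's implementation; it assumes opt-outs arrive as an address plus a request date, uses a Monday-to-Friday business-day calendar with no holidays, and runs on constructed sample data.

```python
"""Opt-out bookkeeping against the CAN-SPAM unsubscribe rules (added example, not Egressif code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

HONOR_WITHIN_BUSINESS_DAYS = 10  # CAN-SPAM: honor an opt-out within 10 business days
MECHANISM_MIN_DAYS = 30          # the opt-out mechanism must keep working 30 days after the send


def add_business_days(start: date, n: int) -> date:
    """Date n business days (Mon-Fri) after start. Assumption: no holiday calendar."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 .. Friday=4
            n -= 1
    return d


def opt_out_deadline(requested: date) -> date:
    """Last day on which an opt-out requested on `requested` may still be honored."""
    return add_business_days(requested, HONOR_WITHIN_BUSINESS_DAYS)


def mechanism_must_work(sent_on: date, today: date) -> bool:
    """True while the unsubscribe mechanism in a message sent on sent_on must still function."""
    return today <= sent_on + timedelta(days=MECHANISM_MIN_DAYS)


@dataclass
class OptOutRecord:
    requested: date
    honored: date | None = None


@dataclass
class SuppressionList:
    """Suppression on receipt: an address is blocked from sends as soon as the request is
    recorded; `honored` is stamped separately so the 10-business-day clock can be audited."""
    records: dict[str, OptOutRecord] = field(default_factory=dict)

    @staticmethod
    def _key(address: str) -> str:
        # Normalise so "Alice@Example.com" and "alice@example.com" are one record.
        return address.strip().lower()

    def record_request(self, address: str, requested: date) -> date:
        # A repeat request keeps the earliest date: it does not restart the clock.
        rec = self.records.setdefault(self._key(address), OptOutRecord(requested))
        return opt_out_deadline(rec.requested)

    def mark_honored(self, address: str, honored: date) -> None:
        self.records[self._key(address)].honored = honored

    def may_send(self, address: str) -> bool:
        """Send-time check: any recorded request, honored or pending, blocks the send."""
        return self._key(address) not in self.records

    def audit(self, today: date) -> list[tuple[str, str]]:
        """(address, problem) for every request honored late or still open past its deadline."""
        problems: list[tuple[str, str]] = []
        for addr, rec in self.records.items():
            deadline = opt_out_deadline(rec.requested)
            if rec.honored is None and today > deadline:
                problems.append((addr, f"not honored by {deadline}"))
            elif rec.honored is not None and rec.honored > deadline:
                problems.append((addr, f"honored {rec.honored}, deadline was {deadline}"))
        return problems


def demo() -> list[tuple[str, str]]:
    """Constructed sample: three opt-outs against a campaign sent Monday 2026-06-01."""
    sl = SuppressionList()
    sl.record_request("Alice@Example.com", date(2026, 6, 1))  # Mon; deadline Mon 15 June
    sl.mark_honored("alice@example.com", date(2026, 6, 1))     # honored the same day: fine
    sl.record_request("bob@example.com", date(2026, 6, 5))    # Fri; deadline Fri 19 June
    sl.mark_honored("bob@example.com", date(2026, 6, 22))      # honored on the 22nd: late
    sl.record_request("carol@example.com", date(2026, 6, 3))  # Wed; deadline Wed 17 June, never honored
    return sl.audit(date(2026, 6, 30))


if __name__ == "__main__":
    for address, problem in demo():
        print(address, "->", problem)
```

The design choice worth copying is that `may_send` refuses on the request itself, not on the later "honored" stamp: the legal deadline is a ceiling, and suppressing at receipt means the audit only ever finds bookkeeping gaps rather than messages that actually went out.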
Consent records (there are none to keep)
Because CAN-SPAM requires no prior consent, it prescribes no consent records. What it does fix on you is responsibility: even when you use a third-party email marketer, you remain legally responsible for compliance. You cannot outsource the liability with the sending.
Penalties
| Item | Detail |
|---|---|
| Per-email civil penalty | Up to $53,088 per violation - each separate non-compliant email is one violation. The figure is inflation-adjusted and was last updated in January 2024. |
| Aggravated violations | Additional penalties for unauthorized computer access to send, false registration of accounts or domains, dictionary attacks, and open-relay abuse. |
| Criminal exposure | Imprisonment is possible for aggravated violations (DOJ). |
| Multiple-party liability | Both the company whose product is promoted and the company that sends the message can be held liable. |
The “per email” structure is what makes CAN-SPAM bite at scale: a single non-compliant campaign is not one violation, it is one per message.
Common confusion
- “Opt-out means I can ignore unsubscribes for a while.” No - you have a hard 10-business-day ceiling, and the mechanism must stay live for at least 30 days after the send.
- “B2B is exempt.” It is not. There is no business-to-business carve-out in CAN-SPAM.
- “My ESP is responsible.” You are responsible. Using a sender on your behalf does not transfer liability.
- “CAN-SPAM is like GDPR/CASL.” It is the opposite on consent: those require permission first; CAN-SPAM does not.
What Egressif does, and what stays with you
Egressif gives you the mechanics CAN-SPAM measures: authenticated, non-forged headers (SPF/DKIM/DMARC) so your “From” and routing are accurate and identifiable; a working one-click unsubscribe; and suppression on receipt, so an opt-out is enforced immediately instead of drifting toward the 10-business-day limit - with durable records of when each request was honored and the mechanism’s 30-day availability. What stays with you is the content side: making the subject line honest, disclosing the ad, and putting your valid physical postal address in the message. We make those provable; we do not make them true for you.
Related references
- Email marketing laws by country (2026) - Anti-spam laws look alike until you sort them by consent. The US (and, for B2B, Turkey) let you mail first and honor opt-outs; Canada, the UK, the EU, and Australia want permission before the first message. This page lines all six up on consent, sender identity, unsubscribe timeframe, who enforces, and the penalties we could verify.
- CASL: Canada's anti-spam law for senders - CASL is an express opt-in law with a narrow, time-limited implied-consent exception. Every commercial electronic message must identify you and carry a working unsubscribe honored within 10 business days, and the burden of proving consent is on the sender. Penalties reach CAD $1M for individuals and CAD $10M for businesses per violation.
- UK PECR and UK GDPR for email marketing - UK email marketing runs on two laws at once - PECR for the consent rules and UK GDPR for the data underneath. Marketing to individuals is opt-in (with a narrow soft opt-in for existing customers), while corporate bodies can be emailed without prior consent. We describe the ICO's enforcement powers qualitatively because the specific PECR penalty ceiling is not confirmed from a primary source.
- EU email marketing: GDPR and ePrivacy - In the EU, marketing email is governed by the ePrivacy Directive (the consent rule) layered over the GDPR (the data rule). ePrivacy Article 13 generally requires prior opt-in for individuals; GDPR supplies the lawful basis, the right to object, and the accountability that turns consent into something you must be able to prove. Because the directive is transposed by each member state, the specifics vary by country.
- Australia's Spam Act 2003 for senders - Australia's Spam Act 2003 is an opt-in law built on three rules - consent, identify, unsubscribe. Consent is express or (narrowly) inferred, the burden of proving it sits on the sender, and an unsubscribe must work and be honored within 5 working days. ACMA enforces; we describe its role without a penalty figure because the current amounts were not confirmed from a primary source.
- Turkey's ETK, KVKK and IYS for email - Turkey requires prior consent (onay) to send commercial electronic messages to consumers, allows B2B sends to merchants and traders without consent, and routes consent and opt-outs through a central government registry, the IYS. Unsubscribe must be honored within 3 business days. The ETK obligations on that page come from the official law text; the KVKK data-protection layer is flagged where we could not verify it.