Almost every US-based email sender thinks they comply with CAN-SPAM because they have an unsubscribe link and a footer with their company name. Both are required, but they cover roughly a third of what the statute actually demands. The other two-thirds is where the FTC writes consent decrees, and the deliverability industry quietly piles on penalties of its own through reputation systems.
CAN-SPAM applies to every commercial message sent from a US sender or to a US recipient. Required: accurate headers, non-deceptive subject lines, clear ad disclosure, a valid postal address, and a working opt-out honored within 10 business days. Maximum statutory penalty per violating email is $50,120 in 2026.
Who CAN-SPAM applies to
The Act covers "commercial electronic mail messages", defined as any email whose primary purpose is the commercial advertisement or promotion of a product or service. Transactional and relationship messages (receipts, account notices, shipping updates) are largely exempt from the content requirements but must still have accurate routing information.
Jurisdictionally, CAN-SPAM is broad. If you send from the US, you are in scope. If you send from anywhere in the world to a US recipient, you are in scope. The FTC has prosecuted senders based outside the US when they targeted American inboxes, and the agency cooperates with foreign enforcement bodies regularly.
A common misunderstanding: B2B email is not exempt. The 2008 final rule confirmed that there is no carve-out for business-to-business commercial messaging. Cold sales emails to corporate addresses are full commercial messages under the Act.
Accurate header information
The From, To, Reply-To and routing information must accurately identify the person or business that initiated the message. Spoofing a domain you don't control, using a misleading display name, or relaying through compromised servers all violate this clause.
In practice this is where ESPs and warm-up tools sometimes get senders into trouble. If your "From" address is info@brand.com but the actual envelope sender is a generic ESP bounce domain with no link back to your brand, you're close to the line. SPF, DKIM and DMARC alignment under the brand domain solves this both for compliance and for inbox placement.
Display name games — using a person's name when no such person exists at the sending company, or impersonating a known executive — are textbook header deception under the Act.
Subject lines that are not deceptive
The subject line must accurately represent the contents of the message. The statute is less about subjective "clickbait" and more about objectively false promises. "Re: your invoice" on a cold sales pitch with no prior thread is the classic example — it implies a relationship that doesn't exist.
Other common violations: "You won" when nothing was won, "Account suspended" on a marketing email, fake quoting markers ("Fwd:" on something that was never forwarded). The FTC has cited each of these in past actions.
Clear identification as an advertisement
Commercial messages must be clearly and conspicuously identified as advertisements. The Act doesn't prescribe specific wording — you do not have to write "ADVERTISEMENT" in the subject — but the recipient should understand from the message itself that it is promotional. Most senders satisfy this implicitly through obvious marketing layout, but a plain-text cold email with no overtly commercial framing is risky if it omits any acknowledgement.
Sexually-oriented commercial mail is the one category where wording is mandated: messages must include the label "SEXUALLY-EXPLICIT:" at the start of the subject line. Almost no legitimate sender ever encounters this clause, but it remains in the regulations.
Valid physical postal address
Every commercial message must include a valid physical postal address for the sender. A PO box registered with the USPS counts. A private mailbox at a commercial mail-receiving agency that complies with USPS rules counts. A pure virtual address with no physical delivery does not.
For startups working remotely, this is a real operational question. Options:
- USPS PO box at any post office.
- A registered agent address (often included with incorporation).
- A commercial mail-receiving agency that complies with USPS Form 1583 procedures.
- A coworking space address if you're an actual member with mail privileges.
Hiding the address in 6pt grey footer text, where it is technically present but effectively unreadable, fails the FTC's "clear and conspicuous" standard. Standard footer typography is fine.
The opt-out clause and the 10-business-day rule
Every commercial message must contain a clear and conspicuous unsubscribe mechanism. Recipients must be able to opt out using either a reply email or an internet-based mechanism (a link). The opt-out must remain functional for at least 30 days after the message was sent. You may not require the recipient to pay a fee, provide personally identifying information beyond their email address, or take any step beyond visiting one webpage.
Once a request is made, you have 10 business days to stop sending commercial mail to that address. Not 10 calendar days. After the opt-out you cannot transfer the address to another sender, sell it, or use it for any commercial purpose, with one narrow exception: you may share it with parties whose only purpose is to help you comply with the law (typically a suppression-list service).
If you batch your suppressions weekly and a campaign sends 5 days after an opt-out request, you have 8 calendar days left to process the suppression. A monthly suppression sync is almost guaranteed to violate this clause for some recipients.
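As an added example that is not from the article, the 10-business-day rule as a check you can run against a suppression-sync schedule: it computes the deadline by counting weekdays (not calendar days) and tests whether the next scheduled sync lands in time. Dates are ISO strings, and the holiday calendar is an assumption supplied by the caller.

```python
from datetime import date, timedelta

# Added example, not from the article: the 10-business-day rule as code.
# Dates are ISO strings ("2026-03-02"); holidays (assumption) are supplied
# by the caller as ISO strings and are skipped like weekends.

def add_business_days(start_iso, days, holidays=()):
    """ISO date that is `days` business days (Mon-Fri, not a holiday) after start."""
    skip = {date.fromisoformat(h) for h in holidays}
    current = date.fromisoformat(start_iso)
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in skip:
            remaining -= 1
    return current.isoformat()

def opt_out_deadline(requested_iso, holidays=()):
    """Last day commercial mail may still reach the address: 10 business days, not 10 calendar days."""
    return add_business_days(requested_iso, 10, holidays)

def next_sync_after(requested_iso, interval_days, anchor_iso):
    """First suppression sync strictly after the request, for syncs every `interval_days` from `anchor_iso`."""
    requested = date.fromisoformat(requested_iso)
    sync = date.fromisoformat(anchor_iso)
    while sync <= requested:
        sync += timedelta(days=interval_days)
    return sync.isoformat()

def sync_schedule_compliant(requested_iso, interval_days, anchor_iso, holidays=()):
    """True when the next sync lands on or before the deadline, so no send after it can hit the address."""
    return next_sync_after(requested_iso, interval_days, anchor_iso) <= opt_out_deadline(requested_iso, holidays)

if __name__ == "__main__":
    # Opt-out on Monday 2026-03-02: a weekly sync is fine, a 30-day sync is not.
    print(opt_out_deadline("2026-03-02"))                           # 2026-03-16
    print(sync_schedule_compliant("2026-03-02", 7, "2026-03-02"))   # True
    print(sync_schedule_compliant("2026-03-02", 30, "2026-03-02"))  # False
```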
Penalties and enforcement reality
Under the Federal Civil Penalties Inflation Adjustment Act, the per-violation cap rises annually. As of 2026 it stands at $50,120 per non-compliant email. Each individual recipient counts as a separate violation. A 100,000-recipient blast with a missing physical address is theoretically a $5 billion exposure — in practice settlements are far smaller, but the leverage in negotiation is real.
The FTC itself is the primary enforcer, but state attorneys general and Internet access services may also bring actions. ISPs (think large mailbox providers) have used CAN-SPAM as the basis for civil suits against bulk senders that abused their infrastructure. The legal-risk envelope is wider than "will the FTC notice me".
Operationally, the deliverability cost of non-compliance hits long before any regulator does. Mailbox providers fold the same signals into reputation models — false sender info, deceptive subjects, broken unsubscribes — and you watch your inbox rate collapse weeks before any FTC letter would arrive.
A practical compliance checklist
- From, Reply-To and Return-Path all resolve to domains you control. SPF, DKIM and DMARC pass under those domains.
- Subject line truthfully reflects the body. No fake "Re:" or "Fwd:".
- Body identifies the message as commercial — implicit through context is fine, explicit is safer.
- Footer contains a real, current physical postal address.
- Unsubscribe link works on first click, is one page, requires no login.
- Suppression list updates within 24 hours of an opt-out, well inside 10 business days.
- List-Unsubscribe header (RFC 8058 one-click format) is set on every commercial send.
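An added example, not the article's code, that turns the checklist into a lint pass over a raw message using Python's standard email module: BRAND_DOMAIN, POSTAL_ADDRESS and the SAMPLE message are constructed, and SPF/DKIM/DMARC verification (which needs DNS) is left out in favour of checking that the visible sender headers sit at or under the brand domain.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
# Added example, not the article's code: lint an outbound commercial message
# against the checklist above. BRAND_DOMAIN, POSTAL_ADDRESS and SAMPLE are
# constructed. Only header-domain alignment is checked; SPF/DKIM/DMARC need DNS.
BRAND_DOMAIN = "brand.example"
POSTAL_ADDRESS = "123 Example St, Springfield, IL 62701"

def _domain(header_value):
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lint_commercial_message(raw, brand_domain=BRAND_DOMAIN, postal=POSTAL_ADDRESS):
    """Return checklist failures for an RFC 5322 message; an empty list passes."""
    msg = message_from_string(raw, policy=policy.default)
    problems = []
    # From is required; Reply-To and Return-Path are checked when present (relaxed alignment).
    for h in ("From", "Reply-To", "Return-Path"):
        if msg.get(h) is None and h != "From":
            continue
        d = _domain(msg.get(h))
        if d != brand_domain and not d.endswith("." + brand_domain):
            problems.append(f"{h} domain {d!r} is not under {brand_domain}")
    # Re:/Fwd: is only honest when the message really continues a thread.
    if re.match(r"\s*(re|fwd?)\s*:", msg.get("Subject", ""), re.I) and not (msg.get("In-Reply-To") or msg.get("References")):
        problems.append("Subject uses Re:/Fwd: but carries no In-Reply-To/References")
    body = msg.get_body(("plain", "html"))
    text = body.get_content() if body else ""
    if postal not in text:
        problems.append("Body lacks the registered physical postal address")
    if not re.search(r"unsubscribe|opt[- ]?out", text, re.I):  # wording heuristic
        problems.append("Body shows no unsubscribe mechanism")
    # RFC 8058 one-click needs an https List-Unsubscribe URL plus the Post header.
    if "https://" not in msg.get("List-Unsubscribe", ""):
        problems.append("List-Unsubscribe header missing or without an https URL")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post must be exactly 'List-Unsubscribe=One-Click'")
    return problems
SAMPLE = """\
From: Brand Marketing <news@brand.example>
Reply-To: hello@brand.example
Return-Path: <bounce@mail.brand.example>
Subject: Re: your invoice
List-Unsubscribe: <https://brand.example/unsub?t=abc>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Spring widget promotion. Unsubscribe: https://brand.example/unsub?t=abc
123 Example St, Springfield, IL 62701
"""
```

The sample fails only on its fake "Re:" subject; it assumes the sending pipeline exposes the intended envelope sender as a Return-Path header before the check, since a real MTA stamps that header on receipt.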