CAN-SPAM compliance is the fastest way to protect your email program from FTC fines, ESP suspensions, and a wrecked sender reputation. Most guides still cite outdated penalty figures and skip the operational details that keep marketing teams safe.

This guide covers the seven core requirements, 2026 penalty amounts, real enforcement cases, a step-by-step workflow, and how CAN-SPAM applies across your full email lifecycle.


Quick Summary

  • CAN-SPAM is a US federal law (2003) regulating commercial email, enforced by the FTC.
  • Max civil penalty in 2026: $53,088 per non-compliant email (FTC inflation adjustment, January 17, 2025).
  • Applies to all commercial messages — B2B, ecommerce, foreign senders to US recipients, and nonprofits selling products.
  • Seven rules: accurate headers, honest subject lines, ad identification, physical address, opt-out, 10-day opt-out processing, third-party oversight.
  • Recent enforcement: Verkada $2.95M (largest CAN-SPAM penalty ever) and Experian $650K.
  • Liability cannot be outsourced to your ESP or agency.

What Is CAN-SPAM Compliance?

CAN-SPAM compliance means your commercial emails meet the standards set by the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003. It’s enforced primarily by the FTC, with additional powers held by the DOJ, state attorneys general, and ISPs.

A commercial email is “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” The law applies to:

  • B2C and B2B email — there is no business-to-business exception.
  • US companies and foreign companies marketing to US recipients.
  • Ecommerce, SaaS, agencies, freelancers, and affiliates.
  • Nonprofits when sending genuine commercial messages (paid classes, ticketed events, branded merchandise).

Transactional emails — receipts, shipping confirmations, password resets — are mostly exempt, but they still cannot use deceptive headers or misleading subject lines.

The 7 CAN-SPAM Compliance Requirements

Every commercial email must satisfy all seven requirements. Missing any one on any single email creates separate per-email penalty exposure.

  • Accurate header information – The “From,” “To,” “Reply-To,” and routing fields must clearly identify the sender. Spoofed domains and fake aliases are illegal.
  • Non-deceptive subject lines – Subject lines must accurately reflect the email’s content. “You’ve won!” when the email is a generic promo is a textbook violation.
  • Clear identification as an advertisement – Promotional emails must include a clear and conspicuous notice that the message is an ad — usually handled with a recognizable sender name, an offer-focused subject line, or footer language like “You’re receiving this promotional message because you subscribed.”
  • Valid physical postal address – Every commercial email must include a real mailing address: a business street address, a registered P.O. Box, or a private mailbox from a Commercial Mail Receiving Agency (CMRA).
  • Clear opt-out mechanism – Recipients must unsubscribe in one or two clicks. You cannot charge a fee, require login, demand information beyond an email address, or require an explanation.
  • Honor opt-outs within 10 business days – Once a user opts out, you have 10 business days to remove them. The mechanism must remain functional for at least 30 days after sending. Opt-outs must also be honored across all affiliated brands under the same parent company.
  • Monitor third-party senders – If an ESP, agency, freelancer, or affiliate sends on your behalf, their violations are your violations. Liability cannot be outsourced — one of the most under-appreciated rules in the act.

Commercial vs. Transactional vs. Relationship Messages

The CAN-SPAM Act recognizes three message categories, and the rules differ for each.

| Message type  | Primary purpose                                                 | CAN-SPAM rules       |
|---------------|-----------------------------------------------------------------|----------------------|
| Commercial    | Advertising or promoting a product/service                      | Full compliance      |
| Transactional | Facilitates a transaction (receipts, shipping, password resets) | Mostly exempt        |
| Relationship  | Existing-relationship updates (warranty, security alerts)       | Mostly exempt        |
| Mixed         | Combines commercial + transactional                             | Primary purpose test |

The Primary Purpose Test

When an email blends commercial and transactional content — like a shipping confirmation that pitches a sale — the FTC looks at the overall impression: tone, structure, layout, and emphasis. If commercial content dominates, the entire email falls under CAN-SPAM rules.

This trap caught Experian in 2023. The company labeled marketing emails as “important account information” to make them look transactional. The FTC disagreed, and Experian paid $650,000 plus a permanent injunction.

CAN-SPAM Penalties in 2026

The maximum civil penalty in 2026 is $53,088 per non-compliant email, set by the FTC’s most recent inflation adjustment. This figure updates annually under the Federal Civil Penalties Inflation Adjustment Act and has climbed every year — from $16,000 in 2016 to $43,280 in 2020, $51,744 in 2024, and $53,088 in 2026.

Half the compliance content on the internet still cites old numbers. Don’t rely on outdated guidance.

Why “per email” matters

The FTC enforces on a per-individual-email basis — not per campaign, not per recipient list. Send 50,000 emails with a broken unsubscribe link and theoretical exposure exceeds $2.6 billion. The per-email math gives the FTC enormous leverage in settlements.

Real enforcement cases

Verkada (2024) paid $2.95 million — the largest CAN-SPAM penalty ever — for excessive sending, no working opt-out, and a missing physical address. Experian Consumer Services (2023) paid $650,000 plus a permanent injunction for using misleading “account information” framing and blocking the opt-out path. Aggravated violations under 18 U.S.C. § 1037 (spoofing, address harvesting, dictionary attacks) carry criminal penalties of up to $6 million in fines and 5 years in prison.

Beyond financial penalties

  • ISPs can sue independently and many ESPs will suspend your account on the first complaint — track your spam complaint rate continuously, not just after sends.
  • State attorneys general can pursue separate consumer-protection actions.
  • Sender reputation damage can take 6–12 months to repair.
  • Class-action lawsuits are possible when violations affect groups of consumers.

Common CAN-SPAM Violations to Avoid

Most violations come from a small set of repeated mistakes:

  1. Misleading subject lines — promising discounts that aren’t in the email.
  2. Missing or buried unsubscribe links — hidden in image text or unreadable colors.
  3. Fake “From” data — implying a personal relationship that doesn’t exist.
  4. Slow opt-out processing — anything beyond 10 business days.
  5. Missing physical address — common for remote-first companies.
  6. Cross-brand opt-out failures — unsubscribed from Brand A but still receiving from Brand B.
  7. Sending to harvested or scraped lists — automatic violation.

Good vs. bad subject lines

  • ❌ “You’ve won a free prize!” (when there’s no prize) → ✅ “20% off all fall styles — this week only”
  • ❌ “Re: our conversation” (when no conversation occurred) → ✅ “Your weekly newsletter from [Brand]”

Step-by-Step CAN-SPAM Compliance Workflow

Use this seven-step workflow to operationalize compliance across your team.

Step 1 — Audit current email templates. Review every active template for the seven requirements: footer, unsubscribe link, sender info, address.

Step 2 — Implement consent capture. Use double opt-in for marketing lists. Log the timestamp, IP address, source, and exact consent text for each subscriber. The guide to email subscription practices that meet US and international rules covers the form-level mechanics in detail.

Step 3 — Set up suppression list automation. Email list management that doesn’t drift out of compliance sits on this foundation: sync unsubscribes across every ESP, CRM, and tool that sends email, so an opt-out received anywhere is suppressed everywhere.

Step 4 — Standardize the email footer. Single source of truth: business name, physical address, unsubscribe link, preference center link.

Step 5 — Vendor and ESP compliance review. Audit every third-party sender quarterly. Get written compliance commitments in your contracts.

Step 6 — Monitor opt-out SLA. Build dashboards that alert when an opt-out is older than 10 business days, and watch your unsubscribe rate for unusual spikes that might signal compliance gaps.

Step 7 — Document everything. Keep an audit trail of consent records, suppression updates, template changes, and vendor reviews. Sender users can cross-reference the Sender platform’s CAN-SPAM and GDPR compliance overview when running this audit.
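As an added example that is not part of the original guide, the following Python script turns Steps 1, 3, 4 and 6 into checks you can run before a send and on a schedule: a template linter that looks for the footer elements the seven requirements demand (applying only the header and subject rules to transactional mail), and an opt-out SLA monitor that flags any opt-out older than 10 business days that has not yet been suppressed in every brand and sending tool under the parent company. The footer conventions, regular expressions, sender names and opt-out records are all constructed assumptions; adapt them to your own templates and systems.

```python
# Added example (not code from the original guide): a pre-send CAN-SPAM
# linter for email templates plus an opt-out SLA monitor. Every regex,
# name and sample value is a constructed assumption.
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# --- Template audit (workflow Steps 1 and 4) ----------------------------
# Assumed footer conventions: an <a href> whose URL contains "unsubscribe",
# a US street address or P.O. Box, and an explicit "promotional" notice.
UNSUB_RE = re.compile(r'href="https?://[^"]*unsubscribe[^"]*"', re.I)
ADDRESS_RE = re.compile(
    r"\b\d+\s+\S.*?,\s*[A-Z]{2}\s+\d{5}\b"   # 123 Main St, City, ST 12345
    r"|P\.?\s*O\.?\s*Box\s+\d+",             # P.O. Box 456
    re.I,
)
AD_NOTICE_RE = re.compile(r"promotional (message|email)|advertisement", re.I)
# Subject patterns the guide calls textbook violations; a "Re:"/"Fwd:" on a
# bulk template implies a conversation that never happened.
DECEPTIVE_SUBJECT_RE = re.compile(r"^\s*(re|fwd?):|you['\u2019]ve won|free prize", re.I)
# Policy assumption: From must carry a display name and a real mailbox.
FROM_RE = re.compile(r"^[^<\s][^<]*<[^@\s<>]+@[^@\s<>]+>$")


def audit_template(subject: str, from_header: str, html: str,
                   purpose: str = "commercial") -> list[str]:
    """Return findings for one template; an empty list means it passed.

    Header and subject rules apply to every message type; the footer rules
    (opt-out link, postal address, ad notice) only to commercial mail.
    """
    findings: list[str] = []
    if not FROM_RE.match(from_header.strip()):
        findings.append("From header lacks 'Sender Name <mailbox@domain>' form")
    if DECEPTIVE_SUBJECT_RE.search(subject):
        findings.append(f"subject looks deceptive: {subject!r}")
    if purpose != "commercial":
        return findings
    if not UNSUB_RE.search(html):
        findings.append("no unsubscribe link in body")
    if not ADDRESS_RE.search(html):
        findings.append("no physical postal address in body")
    if not AD_NOTICE_RE.search(html):
        findings.append("no clear advertisement notice in body")
    return findings


# --- Opt-out SLA and cross-brand suppression (Steps 3 and 6) ------------
def add_business_days(start: date, n: int) -> date:
    """Date n business days after start. Weekends are skipped; holidays are
    ignored here (an assumption; plug in a holiday calendar if needed)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass
class OptOut:
    email: str
    requested_on: date
    # Senders (brand ESPs, CRMs, other tools) where the suppression landed.
    suppressed_in: set[str] = field(default_factory=set)


def overdue_opt_outs(opt_outs: list[OptOut], all_senders: set[str],
                     today: date, sla_days: int = 10) -> list[tuple[str, list[str]]]:
    """Opt-outs past the SLA that are still missing from at least one sender.

    The check is parent-company wide: an opt-out received by Brand A must be
    suppressed in Brand B's tools too, so all_senders lists every sender.
    """
    overdue = []
    for o in opt_outs:
        missing = sorted(all_senders - o.suppressed_in)
        if missing and today > add_business_days(o.requested_on, sla_days):
            overdue.append((o.email, missing))
    return overdue


# --- Constructed sample data --------------------------------------------
COMPLIANT_HTML = """<p>Fall styles are 20% off this week.</p>
<p>You're receiving this promotional message because you subscribed.</p>
<p>Example Co., 123 Main St, Springfield, IL 62701 &middot;
<a href="https://mail.example.com/unsubscribe?u=abc">Unsubscribe</a></p>"""
# No link-based opt-out, no address, no ad notice: "Reply STOP" is not enough.
BAD_HTML = """<p>You've won! Click <a href="https://example.com/claim">here</a>.</p>
<p>Sent by Example Co. Reply STOP to opt out.</p>"""

SENDERS = {"brand-a-esp", "brand-b-esp", "crm"}
SAMPLE_OPT_OUTS = [
    OptOut("ann@example.net", date(2026, 1, 5), {"brand-a-esp"}),   # stale, unsynced
    OptOut("bob@example.net", date(2026, 1, 14), {"brand-a-esp"}),  # unsynced, inside SLA
    OptOut("cy@example.net", date(2026, 1, 2), set(SENDERS)),       # fully synced
]
DEMO_TODAY = date(2026, 1, 20)


def demo_overdue() -> list[tuple[str, list[str]]]:
    """Run the SLA monitor over the constructed sample as of DEMO_TODAY."""
    return overdue_opt_outs(SAMPLE_OPT_OUTS, SENDERS, today=DEMO_TODAY)


if __name__ == "__main__":
    print(audit_template("20% off all fall styles",
                         "Example Co. Offers <offers@example.com>", COMPLIANT_HTML))
    print(audit_template("Re: our conversation", "offers@example.com", BAD_HTML))
    print(demo_overdue())
```

Run the linter as a pre-send gate on every template change and the monitor as a daily job against your suppression records; the business-day clock here ignores holidays, so add a holiday calendar if your SLA tracking should too.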

CAN-SPAM Across the Email Lifecycle

CAN-SPAM doesn’t apply equally to every message you send. Here’s how it plays out across common automation flows.

| Lifecycle flow           | Primary purpose          | CAN-SPAM treatment              |
|--------------------------|--------------------------|---------------------------------|
| Welcome series           | Mixed (often commercial) | Full compliance                 |
| Promotional broadcasts   | Commercial               | Full compliance                 |
| Abandoned cart           | Commercial               | Full compliance                 |
| Re-engagement / win-back | Commercial               | Full compliance + extra care    |
| Order confirmation       | Transactional            | Exempt                          |
| Shipping update          | Transactional            | Exempt                          |
| Password reset           | Transactional            | Exempt                          |
| Newsletter               | Commercial               | Full compliance                 |
| Cold B2B outreach        | Commercial               | Full compliance — no exception  |

A few tactical reminders:

  • Behavioral triggers (cart, browse, post-purchase upsell) are commercial and need full footer compliance even if they feel “transactional.”
  • Re-engagement flows are the highest-risk category — tighten suppression and respect opt-outs aggressively.
  • B2B cold outreach is fully covered. The “we’re B2B” excuse is not a thing under US law.

Sender Reputation: The Compliance Connection

CAN-SPAM compliance and email deliverability are deeply linked. The FTC fine is the worst-case outcome — but long before that, broken compliance practices destroy your sender reputation and silently push your emails into spam folders.

The cleanest version of this is a sending platform that builds deliverability on compliance defaults: when the platform handles unsubscribes, footers, and authentication automatically, deliverability follows.

Pair compliance with these deliverability fundamentals:

  • Authenticate your domain with SPF, DKIM, DMARC, and BIMI.
  • Avoid spam-trigger formatting — ALL CAPS, “FREE!!!”, excessive exclamation, hidden text.
  • Warm up new sending domains gradually rather than blasting from day one.
  • Maintain list hygiene — track bounce rate, monitor engagement, suppress inactive subscribers.
  • Run regular spam tests before major sends.

CAN-SPAM vs. Other Email Laws

If you market internationally, CAN-SPAM is just one of several regimes you must satisfy.

| Law             | Region         | Consent model  | Max penalty                     |
|-----------------|----------------|----------------|---------------------------------|
| CAN-SPAM        | United States  | Opt-out        | $53,088 per email               |
| GDPR / ePrivacy | EU/EEA         | Opt-in         | €20M or 4% global revenue       |
| CASL            | Canada         | Express opt-in | CA$10M per violation (org)      |
| PECR            | United Kingdom | Opt-in         | £500,000                        |
| Spam Act        | Australia      | Opt-in         | A$313,000+ per day at scale     |

The general rule: when sending across borders, comply with the strictest law that applies. For US marketers also sending into Canada, CASL has stricter consent requirements than CAN-SPAM; meet CASL and you’re well ahead of CAN-SPAM by default.

Special Cases & Edge Scenarios

  • Affiliate marketers — both the affiliate and the promoted brand are liable. Build compliance requirements into affiliate contracts.
  • Multi-brand companies — opt-outs must be honored across every brand at the parent-company level.
  • Sexually explicit content — must include a “SEXUALLY-EXPLICIT:” label in the subject line and cannot be sent to anyone who has opted out.
  • Forwarded emails with incentives — if you reward forwarding (refer-a-friend), you become liable for compliance on the forwarded message.

CAN-SPAM Compliance FAQ

What is the maximum CAN-SPAM fine in 2026? $53,088 per non-compliant email, set by the FTC’s January 2025 inflation adjustment.

Does CAN-SPAM apply to B2B emails? Yes. The law makes no exception for B2B. Cold outreach to business email addresses must include all seven compliance elements.

How long do I have to honor an opt-out? 10 business days from receipt. The unsubscribe mechanism must remain functional for at least 30 days after the email was sent.

Does CAN-SPAM cover SMS or text messages? No. Text messages are governed by the TCPA. Apply CAN-SPAM-style discipline to SMS as a best practice.

Are nonprofits exempt? Mostly, but not when sending genuine commercial messages — like ticketed events, paid classes, or branded merchandise.

Does CAN-SPAM require opt-in consent? No. CAN-SPAM is opt-out. However, opt-in is a best practice and is required by GDPR, CASL, and PECR.

Can I be liable if my ESP or agency violates CAN-SPAM? Yes. Liability cannot be outsourced.

Stay Compliant — and Stay in the Inbox

CAN-SPAM compliance isn’t a one-time checklist — it’s an operational discipline that touches every email you send and every vendor you work with. Once your foundation is in place (consent capture, suppression sync, footer standards, vendor agreements, opt-out monitoring), staying compliant becomes nearly automatic.

The best email marketing platforms make compliance the default — handling unsubscribe processing, suppression syncing, and footer requirements out of the box.

Audit your templates this week. Verify your unsubscribe path works. Make sure your physical address is in every commercial email. The cost of doing this is hours. The cost of not doing it can be measured in millions. And once compliance is solved, it stops being a tax on the broader email marketing program and becomes the foundation that lets you ship faster.