How to Comply With CAN-SPAM and Email Regulations

The Seven CAN-SPAM Requirements

1. No False or Misleading Header Information

Your "From," "To," "Reply-To," and routing information must accurately identify the person or business that sent the email. You cannot use someone else's domain or a deceptive sender name. If your business is "Smith Consulting," your from name should reflect that, not impersonate a different company to get opens.

2. No Deceptive Subject Lines

The subject line must accurately reflect the content of the message. "RE: Your Account" on a marketing email is deceptive because it implies the recipient has an existing conversation with you. "Your Invoice" on a promotional email is similarly misleading. Subject lines should set honest expectations about what is inside.

3. Identify the Message as an Advertisement

The law requires disclosure that your message is an advertisement. There is flexibility in how you disclose this, and it does not have to be the first thing in the email, but the content as a whole must make clear that it is a commercial message. A footer line like "You are receiving this email because you subscribed to [Business Name] marketing emails" satisfies this requirement.

4. Include Your Physical Mailing Address

Every commercial email must include your valid physical postal address. This can be your street address, a registered PO Box, or a private mailbox registered with a commercial mail receiving agency. Most businesses include this in the email footer. If you work from home and do not want to share your home address, use a PO Box or virtual office address.

5. Include a Working Unsubscribe Mechanism

Every email must contain a clear, easy way to opt out of future emails. The unsubscribe mechanism must work for at least 30 days after the email is sent. You cannot require the recipient to log in, pay a fee, or provide information other than their email address and opt-out preference to unsubscribe. A simple unsubscribe link at the bottom of the email is the standard approach.

6. Honor Opt-Out Requests Within 10 Business Days

When someone unsubscribes, you must stop sending them commercial email within 10 business days. Best practice is to process unsubscribes immediately, which the AI Apps API suppression system does automatically. You cannot charge a fee for unsubscribing, require the recipient to take additional steps, or sell or transfer the email address to another list after opt-out.

7. Monitor What Others Do on Your Behalf

If you hire another company to send email marketing for you, you are still legally responsible for compliance. This applies to agencies, freelancers, and any third party sending on your behalf. Make sure anyone sending email under your name follows CAN-SPAM requirements.

What CAN-SPAM Does Not Require

CAN-SPAM does not require explicit opt-in consent before sending commercial email. This is a common misconception. The law is opt-out based: you can send to someone who has not explicitly subscribed, as long as you follow all seven requirements and honor opt-out requests. However, sending to people who did not opt in is still a bad practice because it leads to high spam complaints and poor deliverability, even if it is technically legal.

Transactional vs Commercial Email

CAN-SPAM applies primarily to commercial email (messages with the primary purpose of promoting a product, service, or business). Transactional emails like order confirmations, shipping notifications, password resets, and account alerts are largely exempt from CAN-SPAM requirements, though they still cannot contain false header information. If an email's primary purpose is to facilitate an agreed-upon transaction, it is transactional regardless of whether it also contains some promotional content.