What are the main requirements of CAN-SPAM?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
CAN-SPAM is the US law governing commercial email. It follows an opt-out model, which means you can send without prior consent. But you have to meet these requirements every time.
Accurate header information. Your From name, sending address, and routing information must honestly identify who's sending. Spoofed or misleading headers violate the law, and they're also a fast path to blocklists.
Non-deceptive subject lines. The subject has to match the content. "Your order has shipped" for a promotional email with no actual order is a violation. This sounds obvious until you see how often promotional emails dress up as transactional ones.
Advertisement identification. Commercial emails need to be identifiable as advertising, though the law gives you flexibility in how you do that. No specific language is mandated.
Valid physical postal address. Every commercial email needs a real postal address. Street address, PO Box registered with USPS, or a private mailbox at a commercial mail facility. Virtual addresses that receive mail qualify. Fake ones don't.
Clear unsubscribe mechanism. Easy to find and use. No fees, no login required, no more than one step. The link must stay functional for at least 30 days after sending.
Honor opt-out requests within 10 business days. Once someone unsubscribes, you have 10 business days to stop sending. You can't add them back to a different list or sell their address.
You can verify your sending setup is clean using the free Email Header Analyzer. For anything that looks like an unsubscribe compliance issue, the SOS call is the better fit.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.