What are the main requirements of CAN-SPAM?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

CAN-SPAM is the US law governing commercial email. It follows an opt-out model, which means you can send without prior consent. But you have to meet these requirements every time.

Accurate header information. Your From name, sending address, and routing information must honestly identify who's sending. Spoofed or misleading headers violate the law, and they're also a fast path to blocklists.

Non-deceptive subject lines. The subject has to match the content. "Your order has shipped" for a promotional email with no actual order is a violation. This sounds obvious until you see how often promotional emails dress up as transactional ones.

Advertisement identification. Commercial emails need to be identifiable as advertising, though the law gives you flexibility in how you do that. No specific language is mandated.

Valid physical postal address. Every commercial email needs a real postal address. Street address, PO Box registered with USPS, or a private mailbox at a commercial mail facility. Virtual addresses that receive mail qualify. Fake ones don't.

Clear unsubscribe mechanism. Easy to find and use. No fees, no login required, no more than one step. The link must stay functional for at least 30 days after sending.

Honor opt-out requests within 10 business days. Once someone unsubscribes, you have 10 business days to stop sending. You can't add them back to a different list or sell their address.

You can verify your sending setup is clean using the free Email Header Analyzer. For anything that looks like an unsubscribe compliance issue, the SOS call is the better fit.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me audit my emails against CAN-SPAM requirements.

I read this on the Email Almanac about the main requirements of CAN-SPAM. I want to audit my emails against each requirement. My emails: 1. Does my From name and address accurately identify my organization? yes / no / sometimes 2. Do my subject lines accurately reflect the email content? yes / sometimes / unsure 3. Do I include a physical postal address in every commercial email? yes / no / sometimes 4. Is my unsubscribe link easy to find and functional? yes / no / unsure 5. How quickly do I process unsubscribe requests? immediately / within 10 days / slower / unsure --- My details: - Email platform/ESP: e.g. Mailchimp, Kit, Klaviyo, HubSpot - Domain(s): your sending domain - Sending volume: e.g. 5,000/month - Audience locations: US only / some EU / global - Business type: B2B / B2C / newsletter / e-commerce - Any recent deliverability issues: bounces / complaints / blocklist / inbox placement problems

Edit the yellow boxes, then send to the AI of your choice.