What is the CAN-SPAM Act?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing) is US federal law governing commercial email, enacted in 2003. Unlike GDPR or CASL, it follows an opt-out model: you can send commercial email to someone without their prior permission, as long as you follow the rules and stop when they ask.
The law's key requirements cover accurate header information (no misleading From address or routing), non-deceptive subject lines, identification as an advertisement, a valid physical postal address, a clear unsubscribe mechanism, and honoring opt-out requests within 10 business days. It's enforced by the FTC with fines of up to $51,744 per non-compliant email.
The important nuance: CAN-SPAM sets the legal floor, not the practical ceiling. Gmail and Microsoft Outlook hold senders to higher standards than US law requires. You can be fully CAN-SPAM compliant and still have serious deliverability problems. Mailbox providers care about engagement, complaint rates, and authentication, not just whether your footer has a postal address.
If you're selling to or emailing anyone in Canada or the EU, CAN-SPAM alone isn't enough. Those jurisdictions have their own laws with stricter consent requirements. CAN-SPAM is a starting point, not a global compliance strategy.
Want to check whether your emails meet these standards? The free CAN-SPAM requirements checklist covers each item, and the Email Header Analyzer can verify your sending setup in 30 seconds.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.