What content is prohibited by email laws (false headers, deceptive subject lines)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Email laws in the US, Canada, and EU have one thing in common. They ban false or misleading sender information. Your From address can't be faked. Your Reply-To can't pretend to be someone else. You can't forge headers to hide your identity. That's the baseline everywhere.
Deceptive subject lines are specifically prohibited under CAN-SPAM in the US and similar rules elsewhere. Your subject line has to reflect what's actually in the email. No "RE: Your Recent Order" if you've never corresponded with the person. No "Urgent: Account Problem" for a promotional email. Readers should know what they're opening before they click.
Beyond headers and subject lines, email laws require a few other things. You need to identify yourself as the sender clearly. You need a valid physical address somewhere in the email (not hidden in tiny text). You need an actual working unsubscribe link, and you need to honor opt-outs within the legal timeframe. In the US, that's 10 business days. In Canada (CASL), it's more restrictive. In the EU (GDPR), it's about consent and data rights, not just unsubscribe mechanics.
The penalties matter. CAN-SPAM violations can cost you up to $50,120 per email sent. That's not a rounding error. That's why compliance isn't negotiable. These rules exist because senders used to do terrible things. False headers, invisible unsubscribe links, deceptive subject lines. The law closed those loopholes.
Note: This overview covers the key rules, but it's not legal advice. Email law is complex and varies by jurisdiction. If you're unsure about your specific setup, talk to someone who practices email law in your area.
Related: CAN-SPAM, GDPR, unsubscribe rules.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.