What content is prohibited by email laws (false headers, deceptive subject lines)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Email laws in the US, Canada, and EU have one thing in common. They ban false or misleading sender information. Your From address can't be faked. Your Reply-To can't pretend to be someone else. You can't forge headers to hide your identity. That's the baseline everywhere.

Deceptive subject lines are specifically prohibited under CAN-SPAM in the US and similar rules elsewhere. Your subject line has to reflect what's actually in the email. No "RE: Your Recent Order" if you've never corresponded with the person. No "Urgent: Account Problem" for a promotional email. Readers should know what they're opening before they click.

Beyond headers and subject lines, email laws require a few other things. You need to identify yourself as the sender clearly. You need a valid physical address somewhere in the email (not hidden in tiny text). You need an actual working unsubscribe link, and you need to honor opt-outs within the legal timeframe. In the US, that's 10 business days. In Canada (CASL), it's more restrictive. In the EU (GDPR), it's about consent and data rights, not just unsubscribe mechanics.

The penalties matter. CAN-SPAM violations can cost you up to $50,120 per email sent. That's not a rounding error. That's why compliance isn't negotiable. These rules exist because senders used to do terrible things. False headers, invisible unsubscribe links, deceptive subject lines. The law closed those loopholes.

Note: This overview covers the key rules, but it's not legal advice. Email law is complex and varies by jurisdiction. If you're unsure about your specific setup, talk to someone who practices email law in your area.

Related: CAN-SPAM, GDPR, unsubscribe rules.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get personalized compliance advice for your email program.

I read this on the Email Almanac about prohibited email content: "Email laws ban false sender information, deceptive subject lines, hidden unsubscribe links, and missing physical addresses. CAN-SPAM, CASL, and GDPR each have specific timeframes and penalties." Help me apply this to MY specific situation: 1. What should I check in my current emails right now 2. What should I fix in my templates 3. How do I know if I'm compliant 4. Where do I start --- My details (fill in what applies, the more you share, the better the advice): - Email platform/ESP: e.g. Mailchimp, SendGrid, Postmark, HubSpot, custom SMTP - Domain(s): your sending domain(s) - Sending volume: e.g. 5,000/month or 500/day - Type of email: newsletter / promotional / transactional / automated series - Design approach: [HTML template / drag-and-drop builder / plain text / custom coded] - Template tool: ESP builder, MJML, Stripo, Bee, custom HTML - Image hosting: ESP / CDN / inline / base64 - Personalization used: first name, dynamic content, product recs, none - Dark mode support: yes / no / unsure - Accessibility considerations: yes / no / trying to improve - Target audience: B2B / B2C / mixed, describe typical reader - Brand guidelines: strict / flexible / none - Current challenge: [spam filters, rendering issues, low engagement, design consistency]

Edit the yellow boxes, then send to the AI of your choice.