What counts as misleading or fraudulent content?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Picture a subscriber opening an email with a subject line that reads "Your order has shipped" when they never placed an order. That's the kind of false context that puts you squarely in fraudulent territory under CAN-SPAM and similar laws. The test isn't whether you meant to deceive anyone. It's whether a reasonable recipient could be misled about what they're getting or who sent it.
Misleading content breaks down into a few categories. False headers mean faking a "From" address so it looks like the email came from someone other than the actual sender. Deceptive subject lines are ones that have no connection to the body content, or that manufacture urgency through claims the email doesn't support ("Your account is about to be deleted" when it isn't). Falsely implied relationships, like making it sound like you have an existing business relationship when you're actually cold-emailing, also qualify. Any of these can get your account suspended by your ESP before the legal issues even surface.
The harder cases involve content that's technically true but functionally misleading. A subject like "We noticed something about your account" implies a problem that doesn't exist. Discounts advertised as "up to 70% off" when only one item qualifies sit in gray territory. The working question is: if a subscriber felt tricked after opening, would they have reasonable grounds? If yes, rethink the framing. Good subject lines earn the click by being accurate, not by manufacturing false stakes.
Authentication also plays into this. Domain spoofing (sending from a look-alike domain to impersonate a trusted brand) is fraudulent on its face, and it's a tactic spammers use constantly. Proper DMARC configuration prevents others from spoofing your domain, which protects your subscribers from phishing attempts that use your brand's name. It doesn't prevent you from making misleading claims in your own emails, but it closes the impersonation vector from outside your organization.
Start your audit with subject lines and "From" names. Check whether your subject lines match the actual email content, and whether your "From" name is consistent with your brand and not mimicking another sender. Most CAN-SPAM enforcement actions target obvious cases, but the senders who never worry about this are the ones who built the habit of accuracy from the start.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.