CAN-SPAM Act Guidelines: The 2026 Compliance Checklist

A plain-English breakdown of the CAN-SPAM Act guidelines for 2026 — the seven rules, the $53,088 per-email penalty, and a checklist to keep your cold email legal.

Jun 23, 2026 · 9 min read · 2,000 words

TL;DR

  • The CAN-SPAM Act is the U.S. law that governs every commercial email you send — including B2B cold outreach. It applies to individual messages, not just bulk blasts.
  • There are seven core rules: no false headers, no deceptive subject lines, identify the message as an ad (where relevant), include your physical address, offer an opt-out, honor opt-outs within 10 business days, and police what vendors send on your behalf.
  • Penalties run up to $53,088 per individual email in 2026, and "I didn't know" is not a defense.
  • Compliance is mostly mechanical: a real from-name, an honest subject, a footer with your address, and a working unsubscribe link. Get those right and you're 90% there.
  • Clean, verified sending data lowers your legal and deliverability risk — bad lists cause both spam complaints and bounce-driven reputation damage.

What is the CAN-SPAM Act?

The CAN-SPAM Act is a 2003 U.S. federal law that sets the rules for sending commercial email — and contrary to the name, it does not ban cold email or marketing email. It regulates how you send it. The acronym stands for "Controlling the Assault of Non-Solicited Pornography And Marketing," and it's enforced by the Federal Trade Commission (FTC).

Here's the part that trips people up: there's no exemption for B2B. If you send a cold email pitching your SaaS to a procurement manager, that message is a "commercial electronic mail message" under the law, and the CAN-SPAM Act guidelines apply in full. The law also doesn't require recipients to opt in before you contact them — which is why compliant cold email is legal in the U.S. (unlike under the EU's stricter GDPR/ePrivacy regime).

Think of CAN-SPAM like the rules of the road. You're allowed to drive (send email), but you have to signal, stay in your lane, and pull over when someone asks you to stop. Break those rules and you get a ticket — except the ticket here is measured in tens of thousands of dollars per email.

Marketer choosing compliant sending over a risky spam blast

What are the seven CAN-SPAM rules?

The FTC distills the law into seven plain requirements. Memorize these — they are the entire compliance surface for most senders.

  1. Don't use false or misleading header information. Your "From," "To," "Reply-To," and routing data must accurately identify who sent the message. Spoofing a domain or hiding behind a throwaway alias is a direct violation.
  2. Don't use deceptive subject lines. The subject must reflect the actual content. "RE: our call yesterday" when you've never spoken is deceptive — and increasingly, a spam-filter trigger too.
  3. Identify the message as an ad where appropriate. The law gives latitude on how, but the commercial nature of a pure promotion shouldn't be disguised as something it isn't.
  4. Tell recipients where you're located. Every commercial email needs a valid physical postal address — a street address, a registered P.O. box, or a private mailbox registered with a commercial mail-receiving agency.
  5. Tell recipients how to opt out. Include a clear, conspicuous way to decline future email — a visible unsubscribe link or reply-to-opt-out instruction.
  6. Honor opt-out requests promptly. You have 10 business days to stop emailing anyone who unsubscribes, and you can't charge them, make them log in, or require anything beyond a single confirmation step.
  7. Monitor what others do on your behalf. If you hire an agency or use a sending tool, you're still legally responsible. Both the company whose product is promoted and the company sending the email can be held liable.

| Requirement | What it means in practice | Common violation |
|---|---|---|
| Accurate headers | Real sender name + verified domain | Spoofed "From" address |
| Honest subject line | Subject matches body content | Fake "RE:" / "FWD:" prefixes |
| Physical address | Valid postal address in footer | No address at all |
| Opt-out mechanism | Working unsubscribe link or reply | Broken or hidden link |
| Honor opt-outs ≤10 days | Suppress within 10 business days | Continuing to email unsubscribers |
| Vendor oversight | You own your sender's behavior | "The agency did it" excuse |

For the authoritative version, the FTC publishes a compliance guide for business that every founder and SDR lead should read once.

Diagram: What are the seven CAN-SPAM rules

Does CAN-SPAM apply to cold email and B2B outreach?

Yes — and this is the single most misunderstood point. The CAN-SPAM Act guidelines treat a one-to-one cold prospecting email the same as a one-to-million newsletter, because the trigger is the commercial purpose of the message, not its volume.

That has three practical consequences for outbound teams:

  • You can email people who never opted in. CAN-SPAM is an opt-out regime. You don't need prior consent to send a first cold email to a U.S. business contact, as long as you give them a clean way to stop.
  • Every send needs the footer. Even a personalized, plain-text "Hey, saw your post" email needs a physical address and an opt-out path if its goal is to sell something.
  • Your reply-to and domain must be real. Burner domains that misrepresent who you are cross from "aggressive" into "illegal."

If you also email contacts in the EU, UK, or Canada, you're layering additional laws on top. Canada's CASL and the EU's GDPR/ePrivacy consent rules are stricter — CASL is opt-in by default. A safe default for global outbound is: comply with CAN-SPAM everywhere, and add explicit consent for regions that demand it.

What are the penalties for violating the CAN-SPAM Act?

Each separate email that violates the CAN-SPAM Act can incur a civil penalty of up to $53,088 (the FTC adjusts this figure for inflation; it has climbed from the original $16,000). The number is per email, not per campaign — send 1,000 non-compliant messages and the theoretical exposure runs into eight figures.

A few aggravating factors make it worse:

  • Harvesting addresses with bots or dictionary attacks, or using open relays to hide your tracks, can add extra penalties and even criminal liability.
  • Multiple parties are on the hook. The brand being advertised and the entity pressing "send" can both be sued, which is why "we outsourced it" doesn't save you.
  • The FTC pursues real cases. This isn't theoretical — the agency has settled CAN-SPAM actions for hundreds of thousands to millions of dollars.

The reassuring flip side: the rules are cheap to follow. The cost of compliance is a footer template and a working unsubscribe flow. The cost of non-compliance is your company's bank account.

Marketer's attention pulled from a risky list toward a verified data source

How do you build a CAN-SPAM compliant cold email?

Compliance is a checklist, not a judgment call. Here's the anatomy of an email that satisfies every requirement.

  • From name and address that match reality. Send from a domain you control, with a recognizable sender name. No spoofing, no misleading aliases.
  • A subject line that tells the truth. If the body is a sales pitch, don't dress the subject as a personal reply. Honest subjects also survive spam filters better — you can pressure-test yours with a subject line tester before you send.
  • Body copy with a clear identity. The recipient should be able to tell who you are and why you're writing within the first two lines.
  • A footer with your physical postal address. Street address, registered P.O. box, or CMRA mailbox — all acceptable.
  • A visible opt-out. Either a one-click unsubscribe link or a plain instruction ("Reply 'unsubscribe' and I'll remove you"). It must work for at least 30 days after you send.
  • A suppression process. When someone opts out, add them to a do-not-contact list that every future campaign checks against.

If writing compliant-yet-effective copy is the bottleneck, start from proven cold email templates and bolt the footer and opt-out onto each one, rather than reinventing the structure every time. A minimal compliant footer looks like this:

You're receiving this because we believe [Company] may benefit from [product].
[Your Company], 123 Market St, Suite 400, San Francisco, CA 94103.
Don't want these emails? Reply "unsubscribe" and you won't hear from us again.

That's it. Three lines turn a legally exposed message into a compliant one.
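As an added example (not part of the original article, and not Tomba's code), here is a Python pre-send gate that turns the checklist above into mechanical checks: the From domain must be one you own, the subject must not carry a fake RE:/FWD: prefix, the body must contain a postal address and an opt-out instruction, and anyone on the suppression list is blocked, with the 10-business-day deadline computed so overdue opt-outs stand out. The domains, contacts and footer text are constructed, and the address pattern is a rough heuristic, not a legal test.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import re
OWNED_DOMAINS = {"example-saas.com"}     # constructed: domains the sender controls (rule 1)
FAKE_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)                        # rule 2
# Heuristic for a street address ending in a 5-digit ZIP, or a P.O. box (rule 4).
POSTAL = re.compile(r"\d+ [\w .]+,[^\n]*\b\d{5}(-\d{4})?\b|P\.?O\.? Box \d+", re.I)
OPT_OUT = re.compile(r"unsubscribe|opt[- ]?out", re.I)                        # rule 5
@dataclass
class Email:
    sender: str                  # the From address
    recipient: str
    subject: str
    body: str
    is_real_reply: bool = False  # True only when answering an existing thread

def opt_out_deadline(requested: date, business_days: int = 10) -> date:
    """Last day to honour an opt-out (rule 6): 10 business days, weekends skipped."""
    day = requested
    while business_days:
        day += timedelta(days=1)
        if day.weekday() < 5:            # Monday..Friday
            business_days -= 1
    return day

def check_email(msg: Email, suppression: dict[str, date], today: date) -> list[str]:
    """Return the violated rules; an empty list means the draft may be sent."""
    problems = []
    if msg.sender.rsplit("@", 1)[-1].lower() not in OWNED_DOMAINS:
        problems.append("rule 1: From domain not controlled by sender")
    if FAKE_PREFIX.match(msg.subject) and not msg.is_real_reply:
        problems.append("rule 2: deceptive RE:/FWD: subject prefix")
    if not POSTAL.search(msg.body):
        problems.append("rule 4: no physical postal address")
    if not OPT_OUT.search(msg.body):
        problems.append("rule 5: no opt-out instruction")
    opted_out = suppression.get(msg.recipient.lower())
    if opted_out is not None:            # never send to an opted-out contact
        state = "overdue" if today > opt_out_deadline(opted_out) else "pending"
        problems.append(f"rule 6: recipient opted out on {opted_out} ({state})")
    return problems
# Constructed sample data: one opted-out contact, one compliant draft, one bad draft.
AS_OF = date(2026, 6, 23)                # constructed "today" for the sample run
SUPPRESSION = {"jane@example.org": date(2026, 6, 1)}
FOOTER = ("\n\nYou're receiving this because we believe Acme may benefit from Widget.\n"
          "Example SaaS Inc., 123 Market St, Suite 400, San Francisco, CA 94103.\n"
          "Don't want these emails? Reply \"unsubscribe\" and you won't hear from us again.")
GOOD = Email("sam@example-saas.com", "pat@example.org", "Cutting procurement cycle time", "Hi Pat," + FOOTER)
BAD = Email("sam@burner-mail.example", "jane@example.org", "RE: our call yesterday", "Hi Jane, quick pitch.")
```

Running `check_email(BAD, SUPPRESSION, AS_OF)` flags rules 1, 2, 4, 5 and 6, while the compliant draft returns an empty list.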

Diagram: How do you build a CAN-SPAM compliant cold email

How does data quality affect CAN-SPAM compliance?

Indirectly but powerfully — and this is where most outbound programs quietly create risk. CAN-SPAM doesn't regulate where you get your list, but bad data drives the two outcomes that get you in trouble: spam complaints and hard bounces.

When you email scraped, stale, or guessed addresses, three things happen at once. You hit dead mailboxes (bounces that wreck your sender reputation), you hit spam traps (which can land your domain on a blacklist), and you irritate people who never expected to hear from you (complaints that draw regulatory and ISP scrutiny). None of that is a CAN-SPAM violation by itself, but it's the on-ramp to one.

The fix is unglamorous: send to real, verified, recently-validated addresses. Before a campaign, run your list through an email verifier to strip dead and risky addresses, and check whether your domain has been flagged with a blacklist checker. Sourcing addresses from a tool that returns confidence scores — rather than buying a static CSV of unknown provenance — keeps both your legal and your deliverability risk low.

| Sourcing approach | CAN-SPAM risk | Deliverability risk | Cost over time |
|---|---|---|---|
| Purchased static list | High (harvesting concerns) | High (traps, bounces) | Low upfront, expensive later |
| Scraped, unverified | Medium-high | High | Hidden — reputation damage |
| Verified email finder | Low | Low | Predictable per-credit |
| Double opt-in only | Lowest | Lowest | Slowest to scale |

Diagram: How does data quality affect CAN-SPAM compliance

CAN-SPAM vs GDPR: which rules apply to you?

If your prospects span continents, you're not picking one law — you're stacking them. Here's how the two most common regimes compare for outbound senders.

| Dimension | CAN-SPAM (U.S.) | GDPR / ePrivacy (EU) |
|---|---|---|
| Consent model | Opt-out (no prior consent needed) | Opt-in / legitimate interest |
| Applies to B2B cold email | Yes | Yes, with stricter basis |
| Physical address required | Yes | Yes |
| Opt-out window | 10 business days | "Without undue delay" |
| Max penalty | ~$53,088 per email | Up to €20M or 4% of global revenue |
| Who's liable | Sender + advertised brand | Data controller + processor |

The practical playbook: treat CAN-SPAM as your global floor, then add explicit consent and a documented lawful basis for EU/UK contacts. HubSpot's overview of email marketing compliance and the FTC guidance above are good starting references, but when revenue is on the line, run your specific program past counsel.

Diagram: CAN-SPAM vs GDPR: which rules apply to you

A quick CAN-SPAM compliance checklist

Run every campaign through this before you hit send:

  • Sending domain is one you own and the "From" name is accurate
  • Subject line honestly reflects the body
  • Message makes your identity and purpose clear up top
  • Footer contains a valid physical postal address
  • A working, conspicuous opt-out is present
  • Opt-out requests are suppressed within 10 business days
  • List was verified within the last 30–60 days
  • Any vendor or agency sending on your behalf follows the same rules

If you can tick all eight, your outbound is compliant. The first four are copy; the last four are process and data.

CAN-SPAM compliance and deliverability are the same project wearing two hats: both reward honest senders with clean lists and punish the ones cutting corners. The fastest way to satisfy both is to start with accurate contact data, then verify it before every send.

That's exactly what the Tomba Email Finder is built for — it returns professional email addresses with confidence scores and source attribution, so you're emailing real people at real domains instead of guessing. Pair it with Tomba's built-in email verification to drop the risky addresses before they bounce, and check the Tomba pricing tiers — the free plan gives you 25 searches a month to test the workflow before you scale. Get the data right, follow the seven rules, and your cold email stays both legal and in the inbox.


About the author

Tomba Editorial Team
