What CAN-SPAM covers
Passed in 2003 and enforced by the U.S. Federal Trade Commission, the CAN-SPAM Act sets the rules for commercial email — any message whose primary purpose is to advertise or promote a product or service. A few points surprise people: the law is not limited to bulk mail, so a single one-to-one sales email counts; there is no exemption for business-to-business email; and “transactional” messages (receipts, account notices) are treated separately and are mostly exempt. If your message is selling something, assume CAN-SPAM applies.
The seven rules
The FTC distills the law into seven requirements. Every commercial message has to satisfy all of them:
- Don't use false or misleading header information. Your
From,To,Reply-To, and routing details — including the originating domain and email address — must be accurate and identify who sent the message. - Don't use deceptive subject lines. The subject has to reflect what is actually in the message.
- Identify the message as an ad. You get latitude in how, but you must disclose clearly and conspicuously that the message is an advertisement.
- Tell recipients where you are located. Every message needs a valid physical postal address — a street address, a USPS-registered P.O. box, or a properly registered private mailbox.
- Tell recipients how to opt out. Include a clear, conspicuous explanation of how to stop receiving email from you.
- Honor opt-out requests promptly. Process them within 10 business days (more on this below).
- Monitor what others do on your behalf. If you hire an agency or platform to send your mail, you are still legally responsible for compliance — you cannot outsource the liability.
The opt-out rules, in detail
The opt-out requirements are where senders most often slip. CAN-SPAM says the mechanism you offer must be able to process requests for at least 30 days after you send the message, and you must honor a valid unsubscribe within 10 business days. You cannot charge a fee, require any personal information beyond an email address, or make the recipient take any step other than sending a reply or visiting a single web page. You also may not sell or transfer an address once someone has opted out.
What it costs to get wrong
CAN-SPAM penalties are assessed per email, not per campaign. Each separate message in violation can draw a civil penalty of up to $53,088 (a figure the FTC adjusts for inflation), so a single non-compliant send to a large list carries real exposure. Deceptive practices can also trigger additional penalties under other FTC authority.
How CAN-SPAM fits with Gmail and Yahoo's rules
CAN-SPAM and the mailbox-provider rules overlap but are not the same. CAN-SPAM is the legal floor that applies to all commercial senders. The Gmail & Yahoo sender requirements go further for bulk senders — for example, they mandate RFC 8058 one-click unsubscribe, which CAN-SPAM does not strictly require. Meeting the law keeps you out of legal trouble; meeting the provider rules keeps you out of the spam folder. You want both.
Run your email through the checklist
Rather than eyeball every rule, let the checker do it. Paste your newsletter or upload the raw .eml and it looks for a physical address, a clear opt-out, honest headers, and the unsubscribe mechanics — then gives you a plain-English verdict on what to fix.