Skip to main content

What Is CAN-SPAM?

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act) is a United States federal law enacted in 2003 that sets the rules for commercial email. It is enforced by the Federal Trade Commission (FTC) and establishes requirements for commercial messages, gives recipients the right to stop receiving emails, and spells out penalties for violations.
CAN-SPAM applies to any commercial email sent to US recipients, regardless of where the sender is located. If you send marketing emails to people in the United States, you must comply.

Who Must Comply

CAN-SPAM applies to any sender of “commercial electronic mail messages” — any email whose primary purpose is the commercial advertisement or promotion of a product or service. This includes:
  • Marketing and promotional emails
  • Newsletters with commercial content
  • Transactional emails that contain significant commercial content beyond the transaction itself
Even if your business is based outside the United States, CAN-SPAM applies to you if your emails reach US recipients.

The Seven Requirements

1

Don't use false or misleading header information

Your From, To, Reply-To, and routing information must be accurate and identify the person or business that initiated the message. In Lettr, always send from a verified domain that belongs to your organization.
2

Don't use deceptive subject lines

The subject line must accurately reflect the content of the message. Do not use misleading language to trick recipients into opening the email.
3

Identify the message as an ad

If your email is commercial or promotional in nature, you must clearly and conspicuously disclose that the message is an advertisement. The law gives you flexibility in how to do this, but it must be clear.
4

Include your physical postal address

Every commercial email must include your valid physical postal address. This can be a street address, a PO Box registered with the US Postal Service, or a private mailbox registered with a commercial mail receiving agency.
5

Tell recipients how to opt out

You must provide a clear and conspicuous mechanism for recipients to opt out of future commercial emails. The opt-out process must be easy to find, easy to use, and available for at least 30 days after the message is sent.
Lettr handles unsubscribe processing automatically when you use the data-msys-unsubscribe="1" attribute on your unsubscribe link. The recipient is added to your suppression list and no further action is needed on your part.
6

Honor opt-out requests within 10 business days

Once a recipient opts out, you must stop sending them commercial email within 10 business days. You cannot charge a fee, require any information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single web page.
When using Lettr’s built-in unsubscribe mechanism, opt-outs are processed immediately — well within the 10-business-day requirement. You can monitor unsubscribe activity through the unsubscribe webhook event.
7

Monitor what others do on your behalf

Even if you hire another company to handle your email marketing, you are still legally responsible for compliance. Both the company whose product is promoted and the company that sends the message can be held liable.

Transactional vs Commercial Email

CAN-SPAM treats transactional and commercial emails differently. Transactional emails have lighter requirements but must still meet basic honesty standards.
A transactional email is one that facilitates an already agreed-upon transaction, provides warranty or product information, updates account status, or delivers goods or services. Examples include order confirmations, shipping notifications, and password resets. If a transactional email contains significant commercial content, it may be reclassified as commercial.

Implementation in Lettr

Include your physical address in every commercial email template:
Use the data-msys-unsubscribe="1" attribute on any link to enable Lettr’s automatic unsubscribe processing:
When a recipient clicks this link, Lettr will:
  1. Add the recipient to your suppression list
  2. Fire an unsubscribe webhook event
  3. Prevent future emails from being delivered to that address

Accurate From Address

Always send from a verified domain in Lettr. Use a From address that clearly identifies your business:

Honest Subject Lines

Use Lettr’s template variables to create dynamic but accurate subject lines:

Penalties

Violations of the CAN-SPAM Act can result in fines of up to $50,120 per email per violation. Both the sender and the company whose product is promoted can be held liable. In severe cases, criminal penalties including imprisonment may apply.
Multiple parties can be held responsible for a single violation:
  • The company whose product or service is promoted
  • The individual who originated or transmitted the message
  • Any third party that assists in the transmission

Common Mistakes

CAN-SPAM requires opt-outs to be honored within 10 business days. Some senders use manual processes that cause delays. With Lettr’s data-msys-unsubscribe="1" attribute, unsubscribes are processed instantly, eliminating this risk.
Every commercial email must include a valid physical postal address. This is one of the most commonly overlooked requirements. Add your address to your email templates and ensure it is present in every commercial send.
Using subject lines like “Re:” or “Fwd:” on emails that are not replies or forwards is deceptive. Similarly, implying urgency or personal familiarity that does not exist violates the Act. Keep subject lines honest and reflective of the email content.
CAN-SPAM does not require prior consent to send commercial email — it follows an opt-out model. However, purchased lists are still risky because they often contain invalid addresses, spam traps, and unengaged recipients, which will damage your deliverability. Even though sending to a purchased list may technically comply with CAN-SPAM, it is strongly discouraged.

CAN-SPAM vs GDPR

If you send email to recipients in both the US and the EU/EEA, you need to understand the differences between these two frameworks.
If you send to both US and EU audiences, the simplest approach is to comply with GDPR for all recipients, since its requirements are stricter and encompass CAN-SPAM compliance.

GDPR Email Compliance

Understand GDPR requirements for email marketing to EU recipients.

Unsubscribe Best Practices

Implement effective unsubscribe flows that keep you compliant and protect your reputation.

Google & Yahoo Requirements

Meet the sender requirements enforced by major mailbox providers.

Deliverability Best Practices

Optimize your sending practices for maximum inbox placement.