I’ve been doing email marketing for clients for over fifteen years. Over those years, I’ve had some version of the same conversation dozens of times — usually after something has already gone wrong. A client sends an email to 204 people who unsubscribed months ago. A marketer creates a new list instead of importing into the existing one. A CRM system sends a prospecting blast with “Florida, USA” as the physical address. Someone gets the email twice because nobody checked the marketing lists.
Each of those is a real situation I’ve dealt with. Each one was preventable. So I’m writing this as the definitive reference I can point clients and collaborators to, so we can spend less time cleaning up messes and more time actually doing good marketing.
A quick note on terminology before we get into the requirements: throughout this article I’ll use ESP — short for Email Service Provider — to refer to the platforms used to send marketing email. ESPs and marketing automation platforms are overlapping categories; some tools are purpose-built for email (ESPs in the traditional sense), while others are broader marketing automation platforms that include email as one of many channels. The distinction matters less than the compliance obligations, so I’m using ESP as a shorthand for both.
Let’s talk about CAN-SPAM — what the law actually requires, what the ethical obligations are beyond the law, and the operational practices that keep you out of trouble.
What CAN-SPAM Actually Says (and Doesn’t Say)
The CAN-SPAM Act is the US federal law governing commercial email, enforced by the Federal Trade Commission (FTC). It’s worth understanding what it actually requires, because there are a lot of myths floating around — including the persistent one that you can’t send marketing email to someone who hasn’t opted in.
That’s not what CAN-SPAM says. Unlike Canada’s CASL (more on that in a moment), US law operates on an opt-out basis. You can legally send commercial email to someone who hasn’t requested it, as long as you meet certain requirements and stop when they ask you to.
Here are the six core requirements:
1. You must honor opt-out requests promptly. If someone unsubscribes, you have 10 business days to stop sending them marketing emails. That’s the law. I once flagged a situation where 204 people received an email from a client who had already unsubscribed from that list. The root cause was a list management mistake — someone imported new contacts into a freshly created list instead of the existing master list, bypassing all the suppression data the ESP had accumulated. That’s exactly the kind of thing this requirement is designed to prevent.
2. You must include a working unsubscribe mechanism. The opt-out process has to be simple — no paying a fee, no requiring more than an email address, no jumping through hoops. The mechanism needs to remain functional for at least 30 days after the email is sent. An unsubscribe link is the standard implementation. If your email doesn’t have one, you’re not compliant.
3. You must include a valid physical postal address. This one trips people up. I flagged a prospecting email from a company that listed “Florida, USA” as their address. That doesn’t qualify. You need a real street address, a registered PO box, or a private mailbox. A state and country is not sufficient.
4. Your headers must accurately identify the sender. The “From,” “To,” and routing information — including the originating domain and email address — must be accurate and identify the person or business initiating the message. I’ve seen CRM-generated prospecting emails that make it look like a personal note from a specific person, with a reply-to that goes to a generic company address. That kind of mismatch isn’t always a clear CAN-SPAM violation, but it creates confusion and drives spam complaints — so it’s worth cleaning up regardless.
5. Your subject line must be non-deceptive. The subject line must accurately reflect the content of the message. This is its own requirement, separate from header accuracy, and it’s worth treating it that way. A subject line engineered to manipulate open rates by misrepresenting what’s inside isn’t just ethically questionable — it’s a compliance issue.
6. You must identify the message as an advertisement. The law requires that you disclose clearly and conspicuously that the message is an advertisement, though it doesn’t specify the exact wording. This is typically handled in the email footer.
The legal repercussion for non-compliance: According to the FTC’s CAN-SPAM compliance guide, each non-compliant email can result in a fine of up to $53,088 per email address. Those fines can be assessed to both the sending company and the client whose product is being promoted — so if you’re an agency, you and your client share the exposure. I’ve been candid with clients about this: while I don’t know of many cases where the full fine has been levied, the risk is real and the compliance steps are straightforward.
One more thing CAN-SPAM does NOT cover: online advertising platforms. Using an email list to create a Custom Audience on Facebook, a Customer Match list in Google Ads, or a Tailored Audience on Twitter is not governed by CAN-SPAM. Those platforms have their own terms of service that you need to review, but the CAN-SPAM framework simply doesn’t apply to ad targeting.
Marketing Emails vs. Transactional Emails: What CAN-SPAM Actually Covers
One important distinction that often gets glossed over: CAN-SPAM applies to commercial email, which the FTC defines as email whose primary purpose is advertising or promoting a commercial product or service. That’s your newsletters, promotional campaigns, prospecting emails, and product announcements.
It does not apply — or applies with considerably more flexibility — to transactional or relationship emails. These are messages that facilitate an already-agreed-upon transaction or provide information the recipient requested. Common examples include:
- Order confirmations and shipping notifications
- Password reset and account security emails
- Appointment reminders
- Billing statements and receipts
- Support ticket updates
Transactional emails are not required to include an unsubscribe link, and the “identify as an advertisement” requirement doesn’t apply. That said, the header accuracy requirements still do — your From address still has to be truthful.
The practical risk here is in the gray zone. A single email can contain both transactional and commercial content, and the FTC looks at the “primary purpose” to determine which rules apply. An order confirmation that includes a promotional upsell is still primarily transactional. But an email that opens with a promotional offer and includes an order confirmation buried at the bottom? That’s likely treated as commercial.
The safest approach: keep your transactional and marketing messages separate. Don’t use transactional email templates as a vehicle for promotions — you lose the compliance flexibility of transactional email and risk confusing your recipients about what they’re receiving and why.
One more practical note: your ESP’s acceptable use policies may have their own definitions and restrictions here, independent of what the law says. Check your platform’s documentation on transactional vs. marketing email before assuming you have free rein.
Canada Is a Different Animal: CASL
If you’re sending to Canadian recipients, everything I just said about opt-out gets flipped on its head.
Canada’s Anti-Spam Legislation (CASL) requires explicit opt-in before you send a promotional email. You cannot send marketing email to a Canadian recipient who hasn’t specifically given you permission to do so. Full stop.
Canada has also been notably aggressive about enforcement — they’ve gone after foreign companies and have fined individual senders for sending fewer than 70 emails. This isn’t theoretical. If you have Canadian contacts in your lists, you need to handle them differently than US contacts, and you need to make sure your CRM and email platform can distinguish between them. This has come up in my own client work: I’ve had to adjust email footers and flag the need to separate Canadian contacts from the general marketing list to achieve CASL compliance.
The practical upshot: if your list is entirely US-based, CAN-SPAM applies. If there’s any chance Canadian recipients are in there, you need to be CASL-aware.
The Ethics Are Simpler Than the Law
Here’s the thing — the legal framework is actually less important than the ethical and customer experience question, which is simpler: don’t send people email they don’t want.
Sending a marketing email to someone who has already unsubscribed isn’t just a potential legal violation. It’s a terrible customer experience. It signals that you either don’t care about their preferences or you can’t manage your own data. Neither is a good look for a brand. I’ve described it plainly to clients as “a good way to piss off a customer,” and I stand by that framing. Legal exposure aside, it’s just bad marketing.
The same principle applies to prospecting. I’ll be honest: I’m not a fan of prospecting emails to cold lists, regardless of whether they’re technically legal. There’s a reason direct mail often outperforms cold email for prospecting — I covered this in 4 Email Marketing Problems Direct Mail Solves. Customers can’t always tell the difference between a compliant cold outreach and spam — and in many cases, they experience it the same way. The bar for what people consider spam is personal and subjective. CAN-SPAM is the legal floor, not the ethical ceiling.
Content relevance matters too. If someone is on your list, the content should be relevant to them. How to Grow Your Email Marketing Audience is a useful article if growing a permission-based list is a priority. I once advised a client sending an open house invitation to be thoughtful about framing — the message should acknowledge the recipient’s relationship. “We’re looking forward to seeing you Thursday” reads very differently to someone who’s already RSVPed than a generic blast does. Small things like this separate good email marketing from noise.
The Operational Reality: Where Things Actually Break Down
In my experience, CAN-SPAM violations almost never happen because someone decided to break the law. They happen because of process failures and list management mistakes. Here’s how to prevent them.
Always import new contacts into your existing master list, not a new one.
This is the single most common mistake I see — and it’s worth understanding why it matters, because different ESPs handle list management very differently.
Some platforms are built around a single master list model, where all contacts live in one place and segmentation is used to control who gets what. In that model, unsubscribe data, bounce history, and abuse complaints are all stored centrally — so when you import new contacts, they automatically get checked against existing suppressions. Import into a freshly created list instead, and you bypass all of that history entirely. You’ll end up emailing people who already told you to stop.
Other platforms allow completely distinct lists that can be unsubscribed from independently. In that model, someone might unsubscribe from one list but remain active on another — which may be intentional if they represent genuinely different programs. But it can also create a trap: a contact who believes they unsubscribed from your company’s emails might only have unsubscribed from one specific list, and will keep receiving email from others. That’s a compliance risk and a customer experience problem.
The bottom line: understand how your specific platform manages list data and suppressions before you import anything. Don’t assume the architecture — verify it. And once new contacts are in the right place, use segmentation to send to just the new people if that’s what you need. That’s what segmentation is for.
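To make the master-list and CASL points above concrete, here is an added example (my own illustration, not code from the original post) of a pre-import triage step: a constructed contact file is checked against a constructed master-list export so that suppressed addresses, duplicates and Canadian contacts without recorded consent are held back before anything reaches the ESP. The column names, status values and consent field are assumptions about what a given ESP export contains.

```python
import csv
import io
from collections import defaultdict

# Constructed master list export (assumed columns): the ESP's accumulated history.
MASTER_CSV = """email,status,country,consent
alice@example.com,subscribed,US,
bob@example.com,unsubscribed,US,
carol@example.ca,subscribed,CA,express
dave@example.com,bounced,US,
"""

# Constructed import file, e.g. a sales rep's spreadsheet.
IMPORT_CSV = """email,country
Bob@Example.com,US
erin@example.ca,CA
alice@example.com,US
frank@example.com,US
dave@example.com,US
frank@example.com,US
"""

# Statuses the master list has recorded that must never be re-mailed.
SUPPRESSED = {"unsubscribed", "bounced", "complained"}

def normalize(email):
    return email.strip().lower()

def load_master(text):
    """Return {normalized email: row} for the master list export."""
    return {normalize(r["email"]): r for r in csv.DictReader(io.StringIO(text))}

def triage_import(master, import_text):
    """Sort an import file into buckets before anything reaches the ESP."""
    buckets, seen = defaultdict(list), set()
    for row in csv.DictReader(io.StringIO(import_text)):
        email = normalize(row["email"])
        if email in seen:
            buckets["duplicate"].append(email)  # would otherwise be emailed twice
            continue
        seen.add(email)
        existing = master.get(email)
        if existing and existing["status"] in SUPPRESSED:
            buckets["suppressed"].append(email)  # honour the prior opt-out or bounce
        elif row["country"].upper() == "CA" and not (existing and existing["consent"]):
            buckets["needs_casl_consent"].append(email)  # CASL is opt-in, not opt-out
        elif existing:
            buckets["already_on_list"].append(email)  # segment, don't re-import
        else:
            buckets["new"].append(email)  # safe to add to the master list
    return dict(buckets)
```

Only the "new" bucket goes into the master list; the "already_on_list" bucket is what segmentation is for, and the other buckets are the ones that would have produced the 204-recipient mistake described above.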
ESPs are stricter than the law.
This surprises some people. Most ESPs’ acceptable use policies are more restrictive than CAN-SPAM itself. They generally don’t allow you to simply purchase an email list and blast it. They monitor sending behavior for higher-than-normal rates of unsubscribes, bounces, and abuse complaints — and if those rates look problematic, they will flag your account, warn you, or suspend it outright. I’ve had a client’s account temporarily suspended because of a compliance issue. It’s fixable, but it’s disruptive and avoidable. Don’t create new lists to circumvent suppression data, and validate your lists before importing.
Run old, unknown lists through an email validation service.
When you’re importing contacts from a CRM, an old spreadsheet, or any source where you don’t know the current validity of the addresses, run them through an email validation service first to remove stale addresses. High bounce rates hurt your sender reputation, which affects deliverability — meaning your good emails go to spam too. Keeping your list clean is part of protecting your ability to reach the people who actually want to hear from you.
Transfer your unsubscribe list when you change ESPs or hand off a client.
If a client leaves your agency and takes their email marketing in-house, or if they switch to a new email service provider, they absolutely must receive and import the master unsubscribe list. This isn’t optional — it’s a legal requirement to maintain CAN-SPAM compliance. The cleaned list of undeliverable addresses should go with them too. This is a step that’s easy to forget in a transition and can cause real problems.
Don’t give untrained people the ability to bypass compliance controls.
Sales reps are often the source of compliance risk, not because they’re careless people, but because they’re moving fast, they have their own contact lists, and they don’t always understand the downstream consequences. In a CRM context, I’ve recommended removing the ability for sales reps to manually check a “send marketing emails” box on contacts. The legal and brand risk of a sales rep adding someone to a marketing list without understanding the implications is too high. If marketing emails are triggered by a CRM field, that field should be controlled by people who understand what it means.
Have a formal process — even a simple one.
Email marketing is not complicated, but it has a lot of steps that can go wrong. A simple campaign process document goes a long way. What I’ve used and recommended over the years includes two documents: a one-time customer setup document that captures CAN-SPAM compliance information, from-address configuration, and other account-level details; and a per-campaign document with subject line, list, links, content, and a QA checklist with approval sign-off. When an error happens — and errors happen — a quick review almost always shows that the process wasn’t followed. The process exists to make sure the things that seem obvious to the person who set it up are also obvious to whoever’s running the campaign six months later.
The Short Version
If you take nothing else from this, take these five things:
- Email marketing is one of the most effective channels available to marketers precisely because you own the list. Protecting that list — and the deliverability and trust that come with it — is worth taking seriously.
- CAN-SPAM is an opt-out law in the US, but CASL in Canada requires explicit opt-in. Know which applies to your recipients.
- Fines can reach up to $53,088 per email address and can be assessed to both the sending company and the client. The liability is shared.
- Most violations aren’t intentional — they’re process and list management failures. Import into your master list, use segmentation, validate old addresses, and transfer unsubscribe lists when changing platforms.
- The legal requirements are the floor. The ethical standard is simpler: send relevant email to people who want it, and stop when they ask you to.


