CAN-SPAM is the US federal law governing commercial email. Understanding what it actually requires — and what it doesn't — is essential for any MSP doing cold outreach.
$53,088: maximum penalty per email violation (2025 adjusted). Source: FTC
10 business days: maximum time to process opt-out requests. Source: FTC
The good news:
CAN-SPAM does NOT require prior consent to send commercial email. It regulates how you send, not whether you can send.
What CAN-SPAM Actually Requires
CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act) applies to any "commercial electronic message" — email whose primary purpose is commercial advertisement or promotion.
The law focuses on:
- Accurate identification of who's sending
- Honest subject lines
- Giving recipients a way to opt out
- Honoring opt-out requests promptly
The 7 Core Requirements
Accurate Header Information
"From," "To," "Reply-To," and routing information must accurately identify the person or business initiating the message. No spoofing, no fake sender names.
Non-Deceptive Subject Lines
Subject lines cannot mislead recipients about the email's contents or purpose. "RE:" on a first email? That's deceptive. "Your invoice" when it's a sales pitch? Also deceptive.
Identify as Advertisement
The law requires disclosure that the message is an advertisement. However, the FTC allows significant flexibility in how this is done — it doesn't require a specific label or wording.
Valid Physical Postal Address
Every email must include a valid physical postal address. This can be a street address, PO Box (if registered with USPS), or private mailbox (if registered with a commercial mail receiving agency).
Working Opt-Out Mechanism
You must provide a clear, conspicuous way to opt out of future emails. This can be a reply instruction, unsubscribe link, or other obvious method, and it must be easy to find and use.
Honor Opt-Outs Within 10 Business Days
When someone opts out, you must stop emailing them within 10 business days. You cannot charge a fee, require personal information beyond an email address, or make them jump through hoops.
Opt-Out Mechanism Must Work for 30 Days
Your unsubscribe link or mechanism must be able to process opt-out requests for at least 30 days after the email is sent. Broken unsubscribe links = violation.
What CAN-SPAM Does NOT Require
There are many myths about what CAN-SPAM requires. Here's what it does not require:
- No prior opt-in: you can email someone who hasn't opted in. That's the whole point of cold email.
- No double opt-in: there is no requirement for confirmation emails or two-step opt-in processes.
- No consent regime: unlike GDPR or CASL, CAN-SPAM is opt-out, not opt-in.
- No mandated wording: while you must disclose the commercial nature of the message, no specific language is mandated.
The key distinction:
CAN-SPAM is an opt-out law, not an opt-in law. You can send cold emails in the US — you just have to follow the rules about how you send them.
Penalties: $53,088 Per Email
- $53,088: maximum penalty per email (2025 adjusted for inflation)
- No cap: total penalties can be unlimited based on volume
Who enforces CAN-SPAM?
- FTC — Primary enforcement authority
- State Attorneys General — Can bring actions on behalf of residents
- ISPs — Can sue for damages
- Note: There is NO private right of action — individuals cannot sue
Common Violations MSPs Make
Do This
- Use your real name and company in From field
- Write subject lines that match email content
- Include your physical business address
- Provide clear unsubscribe instructions
- Process opt-outs within 10 business days
- Keep unsubscribe links working for 30+ days
Avoid This
- Use 'RE:' or 'FWD:' on first-touch emails
- Use misleading subjects like 'Your account'
- Hide or bury the unsubscribe option
- Require login to unsubscribe
- Ignore unsubscribe requests
- Remove then re-add people who opted out
CAN-SPAM Compliance Checklist
- "From" field accurately identifies sender
- "Reply-To" goes to a monitored inbox
- Subject line reflects actual email content
- No deceptive subject line tricks (RE:, FWD:)
- Valid physical postal address included
- Clear unsubscribe mechanism provided
- Unsubscribe is easy to find and use
- Opt-outs processed within 10 business days
- Unsubscribe links work for at least 30 days
- Suppression list synced across all campaigns
- Third-party senders contracted for compliance
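The checklist above is the kind of thing that should be enforced by tooling before a message leaves the queue, not checked by hand per campaign. The following is an added example written for this page (it is not Pipeline Engine's code and makes no claims about how that product works): a small pre-send lint that parses an outbound message and reports the checklist items it can mechanically verify (sender header present, no "RE:"/"FWD:" prefix on a first-touch subject, a postal address and an opt-out instruction in the body, recipient not on the suppression list), plus helpers that compute the 10-business-day opt-out deadline and the 30-day window during which the unsubscribe mechanism must keep working. The sample messages, the suppression set, and the crude US-address regex are constructed assumptions for illustration; the business-day calculation ignores public holidays, and a real deployment would replace the regex with the sender's known footer template.

```python
"""Pre-send CAN-SPAM checklist lint (illustrative example, constructed for this page)."""
from datetime import date, timedelta
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample messages; the domains and people are not real.
GOOD_EMAIL = """\
From: Dana Lee <dana@example-msp.test>
To: ops@example-prospect.test
Reply-To: dana@example-msp.test
Subject: Backup monitoring for your Houston sites
Content-Type: text/plain; charset=utf-8

Hi there,

We help small clinics monitor nightly backups. Happy to share a one-page overview.

-- Dana Lee, Example MSP (advertisement)
123 Main St, Suite 4, Houston, TX 77002
Reply with "unsubscribe" and we will not email you again.
"""

BAD_EMAIL = """\
From: Dana Lee <dana@example-msp.test>
To: blocked@example-prospect.test
Subject: RE: Your invoice
Content-Type: text/plain; charset=utf-8

Quick follow-up on the invoice. Actually, we sell managed IT. Call me.
"""

# "RE:" / "FW:" / "FWD:" at the start of a subject on a first-touch email.
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
# Any obvious opt-out instruction in the body.
OPT_OUT_TEXT = re.compile(r"unsubscribe|opt[- ]?out", re.IGNORECASE)
# Crude single-line US street address check (assumption: number, street, state code, ZIP).
POSTAL_ADDRESS = re.compile(r"\d+\s+\w+.*\b[A-Z]{2}\s+\d{5}\b")


def lint_message(raw: str, suppression: set[str], first_touch: bool = True) -> list[str]:
    """Return checklist findings for one outbound message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    findings: list[str] = []

    # 1. Accurate header information: at minimum a real mailbox in From.
    sender = msg.get("From", "")
    if "@" not in sender:
        findings.append("header: From must identify the sending person or business")

    # 2. Non-deceptive subject line: no fake reply/forward prefix on a first contact.
    subject = msg.get("Subject", "")
    if first_touch and REPLY_PREFIX.search(subject):
        findings.append(f"subject: '{subject}' uses a reply/forward prefix on a first-touch email")

    # 3. Valid physical postal address somewhere in the body.
    if not POSTAL_ADDRESS.search(body):
        findings.append("body: no physical postal address found")

    # 4. Working, conspicuous opt-out mechanism.
    if not OPT_OUT_TEXT.search(body):
        findings.append("body: no unsubscribe / opt-out instruction found")

    # 5. Honor prior opt-outs: never re-add someone who asked to stop.
    _, recipient = parseaddr(msg.get("To", ""))
    if recipient.lower() in suppression:
        findings.append(f"recipient: {recipient} is on the suppression list; do not send")

    return findings


def opt_out_deadline(requested: date) -> date:
    """Date by which an opt-out must be processed: 10 business days (Mon-Fri; holidays ignored)."""
    day, remaining = requested, 10
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:
            remaining -= 1
    return day


def unsubscribe_link_valid_until(sent: date) -> date:
    """Last date on which the unsubscribe mechanism for a message must still work (30 days)."""
    return sent + timedelta(days=30)


def process_opt_out(recipient: str, suppression: set[str], requested: date) -> date:
    """Record an opt-out in the shared suppression set and return the processing deadline."""
    suppression.add(recipient.lower())
    return opt_out_deadline(requested)


if __name__ == "__main__":
    suppressed = {"blocked@example-prospect.test"}
    print("good:", lint_message(GOOD_EMAIL, suppressed))
    print("bad: ", lint_message(BAD_EMAIL, suppressed))
    print("opt-out deadline:", process_opt_out("someone@example-prospect.test", suppressed, date(2025, 1, 6)))
```

The suppression set stands in for the "global suppression list synced across all campaigns" item: because every campaign consults the same set before sending, an address removed in one campaign cannot be quietly re-added by another, which is the "remove then re-add" violation listed above.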
How Pipeline Engine Handles Compliance
Pipeline Engine is built with CAN-SPAM compliance as a foundation, not an afterthought:
Proper Sender Identification
All emails use accurate From fields and your verified business identity.
Automatic Unsubscribe Handling
Every email includes compliant opt-out mechanisms that work immediately.
Global Suppression Lists
Opt-outs are synced across all campaigns instantly — no one gets emailed twice.
Physical Address Management
Your business address is automatically included in email footers.
Focus on selling, not compliance paperwork.
Pipeline Engine handles the technical compliance requirements so you can focus on writing emails that get responses — not worrying about $53,088 penalties.
Legal Disclaimer
This content is provided for educational purposes only and does not constitute legal advice. Regulations vary by jurisdiction and change frequently. We strongly recommend consulting with a qualified attorney or compliance professional regarding your specific situation before implementing any outreach program. Pipeline Engine is designed with compliance in mind, but ultimate responsibility for legal compliance remains with the business.
