CAN-SPAM

CAN-SPAM is the U.S. commercial email law. Learn what it covers, core requirements, transactional-email differences, and SaaS email implications.

CAN-SPAM is the U.S. law that sets rules for commercial email. It gives recipients the right to opt out of future marketing email and requires senders to use accurate sender information, non-deceptive subject lines, a valid postal address, and a clear way to unsubscribe.

This page is a plain-language overview, not legal advice.

What CAN-SPAM covers

CAN-SPAM applies to commercial email whose primary purpose is advertising or promoting a commercial product or service. The FTC says the law does not apply only to bulk email and does not exempt business-to-business email.

The key question is the primary purpose of the message.

Message type

Typical example

CAN-SPAM treatment

Commercial email

Newsletter, promotion, product announcement

Must follow CAN-SPAM commercial email requirements

Transactional or relationship email

Receipt, account notice, warranty, security update

Mostly exempt except truthful routing/header information

Mixed message

Receipt plus promotion

Primary purpose decides treatment

If the subject line or opening content makes the email feel promotional, treat it carefully as commercial.

Core CAN-SPAM requirements

Based on the FTC's business guidance, commercial emails should meet these requirements.

Use accurate header information. From, To, Reply-To, routing information, domain, and email address should accurately identify the sender.

Do not use deceptive subject lines. The subject should reflect the content of the message.

Identify the message as an ad when required. The FTC gives flexibility in how this is done, but the disclosure must be clear and conspicuous.

Include a valid physical postal address. This can be a current street address, properly registered post office box, or qualifying private mailbox.

Provide a clear opt-out method. Recipients need an easy way to stop future marketing email.

Honor opt-outs promptly. The FTC states opt-out mechanisms must work for at least 30 days after the email is sent, and opt-out requests must be honored within 10 business days.

Monitor vendors and agencies. A sender cannot contract away legal responsibility if another company handles email marketing on its behalf.

CAN-SPAM and transactional email

Transactional and relationship messages are treated differently from commercial email when their primary purpose fits a narrow set of transaction/account categories. Examples include confirming a transaction, giving account or security information, notifying someone about an account relationship, or delivering something the user already agreed to receive.

For SaaS teams, examples include:

  • Account verification

  • Password reset

  • Receipt or invoice

  • Security alert

  • Terms or account-status notice

  • Product export or report-ready notification

Do not assume every customer email is transactional just because the recipient has an account. If the email mainly promotes a product, upgrade, or offer, treat it as commercial.

SaaS best practices

Keep transactional and marketing content separate. Do not bury receipt, login, or account information below promotional copy.

Keep unsubscribe rules clear. Marketing email needs an opt-out path. Account-critical transactional email should not be blocked accidentally by marketing unsubscribes.

Use honest subject lines. Avoid fake Re:, Fwd:, urgent language, or subject lines that imply a transaction when the message is promotional.

Use a monitored reply path. CAN-SPAM mentions accurate Reply-To information; from a user-experience perspective, replies should also go somewhere your team reads.

Document your suppression logic. Make sure opt-outs apply across campaigns, imports, and lifecycle workflows.

Check mailbox-provider rules too. Gmail and Yahoo sender requirements add authentication, spam-rate, and unsubscribe expectations for senders, especially higher-volume senders.

FAQ

What is CAN-SPAM?
CAN-SPAM is the U.S. law that sets rules for commercial email, gives recipients the right to opt out, and requires accurate sender information, non-deceptive subject lines, a postal address, and a clear unsubscribe method.

Does CAN-SPAM apply to B2B email?
Yes. The FTC says the law makes no exception for business-to-business email when the message is commercial.

Does CAN-SPAM require opt-in consent?
CAN-SPAM is mainly an opt-out law for commercial email, but other countries, states, industries, platforms, or contracts may require stricter consent. Get legal advice for your specific situation.

How fast do opt-outs need to be honored?
The FTC says opt-out requests must be honored within 10 business days, and the opt-out mechanism must work for at least 30 days after the email is sent.

Do transactional emails need unsubscribe links?
Pure transactional or relationship messages are mostly exempt from CAN-SPAM's commercial email requirements, but they still cannot use false or misleading routing information. Mixed messages depend on their primary purpose.

Who is responsible if a vendor sends email for me?
The FTC says a company cannot contract away legal responsibility. Both the promoted company and the sender may be held responsible.