What is the CAN-SPAM Act?
A US federal law that establishes requirements for commercial email, including rules around subject lines, opt-out mechanisms, and sender identification.
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing) is a United States federal law enacted in 2003 that establishes rules for commercial email messages. It applies to any email whose primary purpose is commercial — advertising or promoting a product, service, or business — and it governs both bulk and individual commercial messages sent to recipients in the United States.
CAN-SPAM sets several specific requirements that every commercial email must meet. The email must not use deceptive or misleading header information — the "From," "To," and "Reply-To" fields must accurately identify the sender. Subject lines cannot be misleading about the content of the message. The email must clearly identify itself as an advertisement if it is one. Every commercial email must include the sender's valid physical postal address, which can be a street address, a registered post office box, or a private mailbox registered with a commercial mail receiving agency.
The opt-out requirement is one of CAN-SPAM's most important provisions. Every commercial email must include a clear and conspicuous mechanism for the recipient to opt out of future emails. This can be an unsubscribe link, a reply-to instruction, or another reasonable method. Once someone opts out, you must honor the request within 10 business days. You cannot charge a fee, require personal information beyond an email address, or force the recipient through multiple steps to unsubscribe.
Penalties for CAN-SPAM violations are substantial. Each non-compliant email can result in fines up to $50,120, and multiple parties can be held liable for the same violation — including both the company whose product is promoted and the company that originated the email. In severe cases involving aggravated violations like harvesting email addresses or using automated tools to generate fake addresses, criminal penalties including imprisonment may apply.
An important distinction for B2B cold email senders: CAN-SPAM does not require prior consent or an existing relationship before you can email someone. Unlike GDPR and CASL, CAN-SPAM operates on an opt-out model rather than an opt-in model. This means you can legally send unsolicited commercial email in the US as long as you follow all the rules — accurate headers, honest subject lines, physical address, and a working unsubscribe mechanism.
However, legal compliance does not guarantee deliverability. Even CAN-SPAM-compliant emails can land in spam if they trigger content filters or come from a sender with poor reputation. Smart outreach teams treat CAN-SPAM as a floor — the bare minimum requirement — and layer on deliverability best practices and genuine personalization to ensure their emails are both compliant and effective.
Outreach platforms like Supapitch include built-in CAN-SPAM compliance features such as automatic unsubscribe links, sender identification, and physical address inclusion. These safeguards reduce the compliance burden on sales teams and help prevent accidental violations that could expose the company to legal risk.
Frequently asked questions
Does CAN-SPAM apply to B2B emails?
Yes, CAN-SPAM applies to all commercial emails sent to US recipients, including B2B. However, unlike GDPR, CAN-SPAM does not require prior consent — you can legally send unsolicited B2B emails as long as you include an opt-out mechanism, physical address, and accurate sender info.
What are the penalties for violating CAN-SPAM?
Each non-compliant email can result in fines up to $50,120. Both the company whose product is promoted and the company that sent the email can be held liable. Aggravated violations may carry criminal penalties including imprisonment.
What does CAN-SPAM require in every email?
Every commercial email must include accurate 'From' and 'Reply-To' information, a non-deceptive subject line, a valid physical postal address, a clear opt-out mechanism, and identification as an advertisement if applicable.