CAN-SPAM Compliance Guide for US E-Commerce Brands: What You Must Know
The CAN-SPAM Act has been US law since 2003, yet a significant number of e-commerce brands are still sending emails that violate it — often unknowingly. The FTC enforces CAN-SPAM and can impose fines of up to $51,744 per individual email in violation. For a brand sending 10,000 emails with a non-compliant footer, that’s a theoretical liability in the billions.
In practice, the FTC prioritizes egregious violators — spammers, deceptive mailers, companies that ignore unsubscribe requests. But beyond FTC enforcement, CAN-SPAM violations signal broader hygiene problems that hurt deliverability and damage subscriber trust. And increasingly, Gmail and Yahoo use CAN-SPAM compliance signals as inputs to their spam filtering algorithms.
Here is what US e-commerce brands need to know, and the specific steps to ensure your program is fully compliant.
What CAN-SPAM Actually Covers
A critical distinction first: CAN-SPAM applies to commercial electronic messages — emails whose primary purpose is commercial advertising or promotion of a product or service. This covers almost everything a marketing email program sends.
CAN-SPAM does NOT require opt-in consent. This distinguishes it from GDPR (EU) and CASL (Canada), which require explicit consent before sending. Under CAN-SPAM, you can legally send commercial email to someone who hasn’t opted in — as long as you comply with the other requirements. This is a meaningful difference for US-only brands.
However, just because it’s legal doesn’t mean it’s smart. Sending to people who haven’t opted in drives spam complaints, damages deliverability, and undermines the program. But the compliance question is distinct from the strategy question.
The 7 Core CAN-SPAM Requirements
Requirement 1: No False or Misleading Header Information
The “From,” “To,” “Reply-To,” and routing information must accurately identify the person or business sending the email. This means:
- Your “From” name must identify your brand or company
- Your sending email address must be a real, functional address associated with your organization
- You cannot use someone else’s domain in your From address without authorization
Common violation: Sending from a generic address like [email protected] that is not associated with your brand. This also hurts deliverability — use a verified sending domain that matches your brand.
In Klaviyo: Your From name should be your brand name (or a recognizable variant), and your From address should be on your brand’s authenticated domain.
Requirement 2: No Deceptive Subject Lines
The subject line must not mislead recipients about the content of the message. Examples of subject lines that could violate CAN-SPAM:
- “Re: Your account” (implying a reply to a prior exchange)
- “Urgent: Action required on your account” (implying account security when it’s a promo)
- “Your order has shipped” (when it’s a marketing email, not a transactional one)
- Impersonating customer service communications for promotional purposes
What’s allowed: Teaser language, curiosity gaps, and creative subject lines are fine as long as they aren’t outright deceptive about the email’s nature. “You forgot something…” for an abandoned cart email is fine. “Important message about your recent purchase” for a promotional email could be problematic.
Requirement 3: Identify the Message as an Advertisement
CAN-SPAM requires that commercial emails be identified “clearly and conspicuously” as advertisements, but it is not prescriptive about how that identification is made.
In practice, this requirement is typically satisfied by:
- The visual design and content making the commercial purpose obvious
- Including “Advertisement” or “Promotional” language somewhere in the email (many brands include this in the footer alongside their other disclosures)
- Not disguising a promotional email as a transactional or personal communication
Note on transactional emails: Order confirmations, shipping notifications, and account security emails are transactional in nature and are held to a different standard under CAN-SPAM. They must not contain commercial content that is “the predominant purpose” of the message. If you add a promotion to your order confirmation (a common practice), keep it clearly secondary to the transactional content.
Requirement 4: Include Your Physical Postal Address
Every commercial email must include a valid physical postal address for your business. This can be:
- Your business’s current street address
- A Post Office box registered with the US Postal Service
- A private mailbox registered with a commercial mail receiving agency
This is a hard requirement, not optional. The address must be visible in the email, not just linked or referenced.
In practice: Include your business address in your email footer on every template. In Klaviyo, you can set this globally in your Organization Settings so it auto-populates on all sends.
For e-commerce brands concerned about listing a home address: Use a PO Box or a registered agent service to provide a compliant address without exposing your residential address. Services like PostScan Mail or Earth Class Mail provide registered business addresses for a monthly fee.
Requirement 5: Honor Opt-Out Requests Promptly
CAN-SPAM requires that you honor unsubscribe requests within 10 business days. After that window, you cannot send commercial emails to someone who has opted out.
The law also specifies:
- You must include a “clear and conspicuous” mechanism for opting out in every commercial email
- The opt-out mechanism must be functional for at least 30 days after the email is sent
- You cannot require recipients to provide more than their email address to unsubscribe
- You cannot charge a fee, require registration to a website, or create unnecessary barriers to unsubscribing
In Klaviyo: The default unsubscribe link in your footer handles the technical mechanism. Klaviyo processes unsubscribes automatically and suppresses the contact within minutes of the request.
Critical: Never manually re-add someone to your list who has unsubscribed. This is a direct CAN-SPAM violation and one of the most common ways brands get into legal trouble.
Requirement 6: Monitor Third-Party Senders on Your Behalf
If you use a third party — an email marketing agency, a contractor, or a technology vendor — to manage your email sends, you are still legally responsible for their compliance with CAN-SPAM. The law explicitly covers both the company whose products are promoted and the company actually sending the email.
This means:
- Any agency sending emails on your behalf must comply with CAN-SPAM
- Include CAN-SPAM compliance requirements in any email marketing contract
- Periodically audit sends made on your behalf for compliance
Excelohunt policy: All email programs we manage for US clients include full CAN-SPAM compliance review as part of setup and ongoing audits.
Requirement 7: Opt-Out Cannot Require Action Beyond an Email Address
To unsubscribe, recipients may only be required to provide their email address — nothing more. You cannot require them to:
- Log into an account
- Complete a survey before unsubscribing
- Provide a reason for unsubscribing (you can ask, but it must be optional and non-blocking)
- Navigate through multiple screens to confirm
A one-click unsubscribe in the email footer that processes immediately is the standard that meets this requirement. Gmail now requires one-click list unsubscribe headers for bulk senders (sending over 5,000 messages/day to Gmail addresses), which is a technical implementation separate from the user-facing unsubscribe link.
Gmail and Yahoo’s 2024+ Bulk Sender Requirements
While not technically CAN-SPAM requirements, Gmail and Yahoo implemented sender requirements in early 2024 that overlap significantly with CAN-SPAM principles and are enforced through inbox placement rather than legal penalties. For US e-commerce brands, failing these requirements is arguably more immediately costly than a CAN-SPAM complaint.
Requirement 1: Email authentication
- SPF record must be configured for your sending domain
- DKIM signature must be present (Klaviyo configures this when you set up a custom sending domain)
- DMARC policy must be in place (minimum p=none for initial setup; p=quarantine or p=reject preferred)
If you don’t have all three configured, Google may reject or spam-folder your emails regardless of content quality.
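To make the DMARC requirement concrete, here is an added example (not code from the article, Klaviyo, or MXToolbox) that parses a DMARC TXT record string and reports whether it meets the p=none minimum and where it is weaker than it looks (sp= weaker than p=, pct= below 100, no rua= reporting address). It works on record text you have already fetched, so it runs offline; the sample records in the test are constructed and use example.com placeholders.

```python
"""Parse a DMARC TXT record and rate it against the bulk-sender minimum.

Added example, not from the original article. It operates on a record
string you already retrieved (e.g. the TXT value at _dmarc.<domain>), so
it needs no network access. All sample records are constructed.
"""

# Policies ordered from weakest to strongest enforcement.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag -> value dict.

    Tag names are case-insensitive. Policy-style tags are lowercased so
    'p=Reject' and 'p=reject' compare equal; other values keep their case.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name = name.strip().lower()
        value = value.strip()
        if name in ("p", "sp", "adkim", "aspf"):
            value = value.lower()
        tags[name] = value
    return tags


def evaluate_dmarc(record: str) -> dict:
    """Return {'valid', 'policy', 'subdomain_policy', 'findings'} for a record.

    'valid' is False when the record would not be honoured by receivers
    at all; 'findings' lists weaknesses a sender should fix.
    """
    findings = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"valid": False, "policy": None, "findings": [str(exc)]}

    # RFC 7489 requires v=DMARC1 to be the first tag in the record.
    first_tag = record.split(";", 1)[0].strip().lower()
    if not first_tag.startswith("v=") or tags.get("v") != "DMARC1":
        return {"valid": False, "policy": None,
                "findings": ["missing or misplaced v=DMARC1 tag"]}

    policy = tags.get("p")
    if policy not in POLICY_RANK:
        return {"valid": False, "policy": policy,
                "findings": [f"missing or invalid p= tag: {policy!r}"]}

    if policy == "none":
        findings.append("p=none meets the minimum only; move to quarantine or reject")

    # Subdomain policy defaults to the organisational policy when sp= is absent.
    sub_policy = tags.get("sp", policy)
    if sub_policy not in POLICY_RANK:
        findings.append(f"invalid sp= value: {sub_policy!r}")
        sub_policy = policy
    elif POLICY_RANK[sub_policy] < POLICY_RANK[policy]:
        findings.append("sp= is weaker than p=; subdomains are less protected than the apex")

    # pct= applies enforcement to only a fraction of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"invalid pct= value: {pct!r}")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: enforcement applies to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no rua= address; you will receive no aggregate reports")

    return {"valid": True, "policy": policy,
            "subdomain_policy": sub_policy, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: looks strict (p=reject) but is undermined by sp= and pct=.
    sample = "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com"
    for line in evaluate_dmarc(sample)["findings"]:
        print("-", line)
```

The sp= and pct= checks are the ones a quick glance at a record misses: p=reject on the apex says nothing about a marketing subdomain if sp=none is set, and pct=50 means half of spoofed mail still lands.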
Requirement 2: Spam rate below 0.10%
Google’s Postmaster Tools measures the spam complaint rate on your sending domain. Keep it below 0.10%. Above 0.30% triggers immediate deliverability consequences.
Monitor your spam rate in Google Postmaster Tools (free). If you’re not set up on Postmaster Tools, do it today.
Requirement 3: One-click list unsubscribe
For bulk senders (5,000+ messages/day to Gmail), your emails must support the RFC 8058 List-Unsubscribe-Post header, which enables the one-click “Unsubscribe” button in Gmail’s interface. Klaviyo adds this header automatically for accounts meeting the volume threshold.
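The following added example (not code from the article or from Klaviyo) shows what RFC 8058 asks for on both sides: the outgoing message must carry a List-Unsubscribe header with an https URI plus a List-Unsubscribe-Post header whose value is exactly List-Unsubscribe=One-Click, and the endpoint must suppress the recipient on that POST with no further interaction, which is also what Requirement 5 and Requirement 7 above demand of the user-facing flow. The domain mail.example.com, the URL paths and the token values are placeholders.

```python
"""Build and validate RFC 8058 one-click unsubscribe headers, and model the
endpoint that honours them.

Added example, not from the original article or any ESP. Addresses, URLs
and tokens are constructed placeholders.
"""
from email.message import EmailMessage
from urllib.parse import urlparse

# RFC 8058 fixes the POST body and header value to this exact string.
ONE_CLICK_BODY = "List-Unsubscribe=One-Click"


def build_message(unsub_url: str, include_mailto: bool = True) -> EmailMessage:
    """Construct a marketing message with one-click unsubscribe headers."""
    msg = EmailMessage()
    msg["From"] = "Example Brand <news@mail.example.com>"  # placeholder sender
    msg["To"] = "subscriber@example.net"                    # placeholder recipient
    msg["Subject"] = "This week's picks"
    # RFC 2369 syntax: each URI in angle brackets, comma separated. The https
    # URI is what one-click uses; the mailto: form is a fallback for other clients.
    parts = [f"<{unsub_url}>"]
    if include_mailto:
        parts.append("<mailto:unsubscribe@mail.example.com?subject=unsubscribe>")
    msg["List-Unsubscribe"] = ", ".join(parts)
    msg["List-Unsubscribe-Post"] = ONE_CLICK_BODY
    msg.set_content("Promotional content goes here.")
    return msg


def parse_list_unsubscribe(value: str) -> list:
    """Return the URIs from a List-Unsubscribe header value; unbracketed
    entries are kept so the checker can flag them."""
    uris = []
    for item in value.split(","):
        item = item.strip()
        if item.startswith("<") and item.endswith(">"):
            uris.append(item[1:-1].strip())
        elif item:
            uris.append(item)
    return uris


def check_one_click(msg: EmailMessage) -> list:
    """Return a list of problems; an empty list means the headers satisfy RFC 8058.

    Out of scope here: the RFC also requires both headers to be covered by the
    message's DKIM signature, which needs the signing step to verify.
    """
    problems = []
    lu = msg.get("List-Unsubscribe")
    lup = msg.get("List-Unsubscribe-Post")

    if lu is None:
        problems.append("List-Unsubscribe header missing")
    else:
        raw_items = [i.strip() for i in lu.split(",") if i.strip()]
        if any(not (i.startswith("<") and i.endswith(">")) for i in raw_items):
            problems.append("List-Unsubscribe URIs must be enclosed in angle brackets")
        uris = parse_list_unsubscribe(lu)
        if not any(urlparse(u).scheme == "https" for u in uris):
            problems.append("List-Unsubscribe has no https URI (http or mailto-only does not qualify)")

    if lup is None:
        problems.append("List-Unsubscribe-Post header missing")
    elif lup.strip() != ONE_CLICK_BODY:
        problems.append(f"List-Unsubscribe-Post must be exactly {ONE_CLICK_BODY!r}")
    return problems


def handle_one_click(token: str, method: str, body: str, suppressed: set) -> bool:
    """Server side of the one-click flow.

    The token in the URL identifies the recipient (one unguessable token per
    message), so nothing beyond the POST itself is required: no login, no
    confirmation page, no survey. Returns True when the request was honoured.
    """
    if method != "POST" or body != ONE_CLICK_BODY:
        return False  # ordinary link clicks (GET) fall through to the web form
    suppressed.add(token)  # suppression takes effect immediately
    return True


if __name__ == "__main__":
    msg = build_message("https://mail.example.com/u/tok123")
    print(check_one_click(msg) or "headers OK")
```

The checker deliberately rejects an http:// URI: mail providers only offer the one-click button for https, so a plain-http unsubscribe URL silently loses the feature even though the header is "present".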
State-Level Email Laws: What US E-Commerce Brands Need to Know
CAN-SPAM preempts most state email laws with one exception: state laws that target deception or false statements in commercial emails. California’s email law (Cal. Bus. & Prof. Code § 17529) in particular:
- Prohibits using domain names or email addresses without the permission of the registrant
- Prohibits falsifying header information
- Creates private right of action — meaning individual California residents can sue
For US e-commerce brands selling to California residents (which is most of you), ensure your From domain is one you own and control, and that your header information is accurate.
Note on GDPR: If you sell to EU customers or collect email addresses from EU residents, GDPR applies regardless of where your company is based. GDPR requirements are significantly stricter than CAN-SPAM — it requires opt-in consent, detailed privacy notices, and specific data handling practices. If you have any EU exposure, consult legal counsel for GDPR compliance separately.
Your CAN-SPAM Compliance Checklist
Run through this for every email template in your program:
- From name clearly identifies your brand
- From email address is on your authenticated domain
- Subject line is not deceptive about the email’s content
- Physical business address is visible in the email footer
- Unsubscribe link is present and functional
- Unsubscribe mechanism requires only email address (no barriers)
- Unsubscribes are processed within 10 business days (Klaviyo automates this)
- No previously unsubscribed contacts are being re-added to active lists
- Any transactional emails (order confirmations) keep promotional content secondary
For technical compliance:
- SPF record configured for your sending domain
- DKIM configured (custom sending domain in Klaviyo)
- DMARC policy in place (check via MXToolbox)
- Google Postmaster Tools configured and spam rate monitored
- List-Unsubscribe header enabled (Klaviyo auto-applies for qualifying accounts)
CAN-SPAM compliance is the floor, not the ceiling. Meeting these requirements protects you legally and maintains basic deliverability. But the brands that treat compliance as the starting point — and then invest in deliverability best practices, list hygiene, and sending reputation — are the ones that consistently reach the inbox.