LeadHaste

CAN-SPAM Compliance for Cold Email in 2026: Full Checklist

Dimitar Petkov · May 4, 2026 · 9 min read

CAN-SPAM compliance for cold email is one of the most misunderstood parts of B2B outbound. Half the cold emails that hit US inboxes today are non-compliant, and almost nobody is enforcing the law against B2B senders, but the rules are real and the penalties are non-trivial when they do get enforced. The other half of senders over-comply, adding warnings and disclaimers and physical addresses to every email, which then tanks reply rates because the email reads like a marketing newsletter instead of a peer-to-peer note.

The right answer is in between. CAN-SPAM has clear, specific requirements. Meet them. Beyond the requirements, do not bolt on extra "compliance theater" that hurts your outbound. This guide is what actually works in 2026: the law, the practical checklist, the myths that keep coming up, and the operational decisions that keep you compliant without making your cold email read like a marketing campaign.

What CAN-SPAM Actually Requires

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing Act) was passed in 2003 and is enforced by the US Federal Trade Commission. It applies to all commercial email, including business-to-business cold email sent to US recipients.

The law has five requirements that every commercial email must meet:

1. Accurate header information. The "From," "To," "Reply-To," and routing information (sender domain, message ID, etc.) must accurately identify the sender. You cannot use a fake name, a fake company, or a domain that misrepresents who you are.

2. Accurate subject line. The subject line must accurately represent the content of the email. You cannot bait-and-switch ("Re: our conversation last week" when there was no conversation, or "Your invoice attached" when there is no invoice).

3. Identification as commercial. The email must be identifiable as a commercial message. This is satisfied implicitly when the email is clearly a sales pitch. You do not need to add an explicit "ADVERTISEMENT" tag to satisfy this.

4. Valid physical postal address. The email must include the sender's valid physical postal address (street address, PO box, or commercial mail receiving agency address). A virtual office address is acceptable as long as it is real and reachable.

5. Working unsubscribe mechanism honored within 10 business days. The email must include a clear opt-out mechanism. Reply-based unsubscribe ("reply with 'unsubscribe' to opt out") is acceptable. A clickable link is acceptable. Once a recipient opts out, you must stop sending within 10 business days, and the opt-out must remain valid indefinitely.

That is the full requirement set. Everything beyond it is optional.

What CAN-SPAM Does Not Require

There are several things that are commonly assumed to be required and are not:

Prior consent. Unlike GDPR, CAN-SPAM does not require recipient consent before sending. Cold email to US recipients is legal.

Opt-in confirmation. No double opt-in is required for commercial email under CAN-SPAM.

A "you are receiving this because" disclaimer. This is a GDPR-style requirement, not a CAN-SPAM one.

An "ADVERTISEMENT" subject line tag. Not required.

A formal unsubscribe page. Reply-based opt-out is acceptable.

Removing the recipient from a "list" they were not on. If the recipient is in your CRM or ICP database but not on a "list" per se, there is no requirement to remove them from a list. The opt-out applies to email contact going forward.

Most "compliance theater" copy in cold email is over-correction for these non-requirements. A real CAN-SPAM-compliant cold email can read like a peer-to-peer note. It does not have to read like a marketing newsletter.

The Practical CAN-SPAM Checklist

The minimum viable compliance setup for a CAN-SPAM-compliant cold email:

Header accuracy. Use a real From name, real reply-to, and a sending domain that accurately reflects your company. Do not spoof.

Subject line. Make it accurate to the email content. No bait-and-switch.

Body content. No deceptive claims. No fake "Re:" or "Fwd:" prefixes when there was no prior thread. No fake invoice or order references.

Postal address. In the email footer or signature block, include your company's valid physical postal address.

Unsubscribe mechanism. One of:

- A clear "reply 'unsubscribe' to opt out" line at the bottom of the email.
- A clickable link to a working opt-out page.
- A "to stop hearing from me, just reply 'no thanks'" line in the body.

Opt-out honoring system. When a recipient opts out, your sending system must:

- Process the opt-out within 10 business days.
- Suppress the email address across all your sending lists indefinitely.
- Not transfer or sell the address to a third party for further mailing.

That is the full checklist. If your sending tool (Smartlead, Instantly, lemlist, Apollo, others) is configured correctly, most of this is handled automatically. The two manual checks: postal address in footer and opt-out language in copy.

CAN-SPAM Penalties And Enforcement

The penalty for a CAN-SPAM violation is up to $51,744 per email in 2026 dollars (adjusted annually for inflation). Each non-compliant email is a separate violation.

Enforcement against B2B cold senders is rare but not zero. The FTC has historically focused enforcement on:

- Affiliate marketers using spoofed sender info at large scale
- Phishing and fraud-adjacent senders
- Companies sending mass unsolicited commercial email to consumer addresses
- Companies that ignore opt-outs systematically

The FTC has occasionally enforced against B2B senders for clear violations (mass spoofing, ignored opt-outs), but it is uncommon. State attorneys general can also enforce CAN-SPAM, and some states (notably California) have stricter add-on laws.

The practical risk for a typical B2B cold sender meeting the basic checklist is low. The risk for a sender ignoring the requirements at scale is real, especially if a state AG decides to make an example.

Common CAN-SPAM Myths

"B2B email is exempt from CAN-SPAM." False. CAN-SPAM applies to all commercial email, including B2B.

"You need explicit opt-in to send cold email." False. CAN-SPAM does not require prior consent. (GDPR does for EU recipients, see below.)

"You have to include 'ADVERTISEMENT' in the subject line." False. The law requires identification as commercial, but this is satisfied implicitly when the email is clearly a sales pitch.

"A reply-based unsubscribe is not compliant." False. Reply-based unsubscribe is explicitly acceptable under CAN-SPAM.

"You have to honor opt-outs immediately." False. The law gives 10 business days. In practice, automated systems should honor immediately, but the legal requirement is 10 business days.

"Once someone opts out, you can never email them again." True for the same purpose, but a transactional email (e.g., responding to an inbound inquiry) is not subject to CAN-SPAM and is allowed.

"You need a privacy policy link in every email." Not under CAN-SPAM. Some other regulations may require it.

International Compliance: Beyond CAN-SPAM

CAN-SPAM only governs email to US recipients. If your outbound includes international recipients, you must comply with their local laws.

GDPR (EU and UK). Requires a legitimate-interest legal basis for B2B cold email, which is typically defensible if the recipient's role is genuinely relevant to your offer and the outreach is professional. You must include opt-out, identify yourself, and honor data subject access requests.

CASL (Canada). One of the strictest. Requires either express or implied consent. Implied consent applies for 6 months on the basis of a published business email address that is relevant to your offer (a very narrow case). For most cold email to Canadian recipients, you need a defensible implied-consent argument or you should not send.

Australian SPAM Act. Similar to CAN-SPAM with stricter consent requirements. Implied consent is acceptable for B2B in most cases.

EU ePrivacy Directive. Layered on top of GDPR. Adds direct marketing rules. Most compliant CAN-SPAM emails are also compliant here, but the GDPR legitimate-interest analysis is still required.

The practical setup for international outbound: maintain separate suppression lists by region, configure your sending tool to apply region-specific opt-out language, and consult counsel for any market with serious enforcement risk.

Compliance In The Outbound Stack

For a typical B2B outbound stack, compliance is configured at several layers:

- Sending tool layer. The tool (Smartlead, Instantly, lemlist) handles the unsubscribe processing, suppression list maintenance, and bounce handling. Configure the postal address and opt-out language at the template level.
- CRM layer. Salesforce or HubSpot maintains the master suppression list. Replies and opt-outs flow into the CRM and prevent re-contact.
- List provider layer. Apollo, ZoomInfo, Cognism, and other data providers honor opt-out flags at the data level. Their compliance flags should sync into your CRM.
- Manual review layer. A human reviews flagged replies (especially "remove me" or "stop emailing me" replies that may not match your tool's automated keyword detection) and processes the opt-out.

Most sending tools handle the automated part well. The manual review is where teams sometimes miss opt-outs. We typically review the inbox replies daily for any opt-out language that did not auto-process.
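The opt-out handling described in the checklist above and in the manual review layer, as an added example (not LeadHaste's code and not any sending tool's API): it scans reply text for opt-out phrasing beyond the bare word "unsubscribe", adds the sender to a permanent suppression list, and computes the 10-business-day deadline for stopping sends. The phrase list and the sample replies are constructed assumptions for this example.

```python
import re
from datetime import date, timedelta

# Opt-out phrasings to catch, beyond the bare "unsubscribe" many tools key on.
# This list is an assumption for the example; extend it from the replies you see.
OPT_OUT_PATTERNS = [r"\bunsubscribe\b", r"\bopt[- ]?out\b", r"\bremove me\b",
                    r"\btake me off\b", r"\bstop (?:e-?mailing|contacting|sending)\b",
                    r"\bno thanks\b"]

def is_opt_out(reply_body: str) -> bool:
    """True when the reply contains opt-out language (case-insensitive)."""
    text = reply_body.lower()
    return any(re.search(pattern, text) for pattern in OPT_OUT_PATTERNS)

def opt_out_deadline(received_iso: str, business_days: int = 10) -> str:
    """Date by which sending must stop: N business days (Mon-Fri) after receipt."""
    day = date.fromisoformat(received_iso)
    while business_days > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:  # skip Saturday (5) and Sunday (6)
            business_days -= 1
    return day.isoformat()

class SuppressionList:
    """Permanent suppression store keyed by normalised address; entries never expire."""
    def __init__(self):
        self._entries = {}  # address -> (received_iso, deadline_iso)
    def add(self, address: str, received_iso: str) -> None:
        addr = address.strip().lower()
        # Keep the earliest opt-out so a repeat request never resets the clock.
        self._entries.setdefault(addr, (received_iso, opt_out_deadline(received_iso)))
    def is_suppressed(self, address: str) -> bool:
        return address.strip().lower() in self._entries
    def deadline(self, address: str):
        entry = self._entries.get(address.strip().lower())
        return entry[1] if entry else None

def process_replies(replies, suppression: SuppressionList, today_iso: str) -> list:
    """Scan (sender, body) pairs; suppress opt-outs and return the flagged senders."""
    flagged = []
    for sender, body in replies:
        if is_opt_out(body):
            suppression.add(sender, today_iso)
            flagged.append(sender.strip().lower())
    return flagged
# Constructed sample replies for the example (not real messages).
SAMPLE_REPLIES = [("Jane.Doe@Example.com", "Please remove me from this list."),
                  ("bob@example.org", "Sounds interesting, can you send the deck?"),
                  ("carol@example.net", "No thanks - stop emailing me.")]
```

Replies that match none of the patterns are exactly the ones the daily human review is for, so treat the pattern list as the automated first pass, not the whole control.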

The simplest compliant footer:

```
[Your name]
[Your title]
[Company name]
[Company physical address]

To stop hearing from me, just reply "no thanks" and I will remove you.
```

Or with a clickable opt-out:

```
[Your name]
[Your title]
[Company name]
[Company physical address]

If you would prefer not to receive emails from me, [click here to unsubscribe].
```

That is the full compliant footer. No long disclaimer, no privacy policy link, no "you are receiving this because" disclosure. Reads like a normal email signature, not a marketing footer.

Ready To Run Cold Email That Is Compliant And Effective?

CAN-SPAM compliance is a baseline requirement. The bigger question is whether your outbound system is built to be compliant by default and reach the inbox at the same time. We build outbound systems that are compliant, deliverability-safe, and effective. The compliance posture is wired into the templates, the sending tool, the CRM suppression list, and the reply handling.


We design the sequences, build the infrastructure, run the campaigns, and handle the compliance and deliverability layers. See our case studies for how this looks in practice.

This article is general information, not legal advice. For specific compliance questions, consult counsel licensed in your jurisdiction.

Frequently Asked Questions

A strong positive reply rate for B2B cold email is 1.5–3%. Top-performing campaigns with tight targeting and personalized copy can hit 4–5%. If you're below 1%, it usually signals a deliverability or messaging problem — not a volume problem.

The safe range is 30–50 emails per inbox per day for warmed inboxes. That's why outbound systems use multiple inboxes (we use 80) — to reach 40,000+ monthly sends while keeping each inbox well within safe limits. Sending more than 50/day from a single inbox risks spam folder placement.

Yes. The CAN-SPAM Act permits unsolicited commercial email as long as you include a physical address, an unsubscribe mechanism, accurate headers, and non-deceptive subject lines. Unlike GDPR in Europe, the US does not require prior opt-in consent for B2B cold outreach.

Domain warm-up typically takes 2–3 weeks. During this period, sending volume gradually increases while the email warm-up tool generates positive engagement signals (opens, replies) to build sender reputation. Skipping or rushing warm-up is the most common cause of deliverability problems.

Cold email is targeted, relevant outreach to a specific person based on their role, industry, or company — with a clear business reason. Spam is untargeted mass messaging with no personalization or relevance. The distinction matters legally (CAN-SPAM compliance) and practically (deliverability depends on relevance signals).

Tags: compliance, can-spam, cold-email, deliverability

Dimitar Petkov

Co-Founder of LeadHaste. Builds outbound systems that compound. 4x founder, Smartlead Certified Partner, Clay Solutions Partner.
