
Cold email remains one of the most powerful B2B lead generation channels, provided you do it legally. The CAN-SPAM Act sets the rules for commercial email in the United States, and the penalties for violations aren't theoretical: over $53,000 per email, plus deliverability damage that can wreck your sending infrastructure.

What most guides won't tell you: CAN-SPAM compliance isn't just about avoiding lawsuits. It's about building sustainable email infrastructure that actually reaches inboxes.

This guide breaks down every requirement you need to follow, the real enforcement examples that matter, and the operational systems that scale cold email beyond the legal baseline.

Is Cold Email Legal Without Permission?

Cold email is completely legal in the United States under CAN-SPAM. The law operates on an opt-out model, meaning you can email prospects without prior consent as long as you follow specific requirements.

What catches people off guard:

CAN-SPAM applies to ALL commercial email, not just bulk sending. The Federal Trade Commission explicitly states there's no exception for B2B emails. If you're promoting a product or service (yours or a client's), the law applies.

[Figure: FTC compliance guide for businesses on the CAN-SPAM Act]

What Emails Count as Commercial vs Transactional?

CAN-SPAM distinguishes between:

Commercial content: Promotes or advertises products/services (most cold emails)

Transactional/relationship content: Confirms or facilitates an existing transaction (receipts, account updates, shipping notifications)

Other content: Neither commercial nor transactional

Your first-touch outbound email is almost always commercial. Later in a sequence, you might send messages that blur lines (confirming your meeting request), but unless it's purely transactional content the recipient requested, treat it as commercial and include full compliance elements.

Rule of thumb: When you're not 100% sure it's transactional-only, include all CAN-SPAM requirements.

[Figure: CAN-SPAM opt-out model vs. GDPR opt-in model; cold email is legal in the US]

8 CAN-SPAM Requirements Every Cold Email Needs

Here's exactly what every cold email must include:

[Figure: Checklist of the 8 mandatory CAN-SPAM requirements for cold email]

1. How to Use Accurate Sender Information

Your "From" name, email address, and reply-to information must accurately identify you or your business. You can't impersonate someone else or obscure your identity in the header information.

In practice:

Use a legitimate email address on your company domain with a sender name that clearly reflects your organization. "Jane Smith, Outbound System" works. A fake name or misleading alias violates the law.

2. What Makes a Subject Line Deceptive?

Your subject line must accurately represent the email content. Legal prohibitions include:

Forbidden tactics:

→ Using "Re:" or "Fwd:" to pretend it's part of an ongoing conversation when it isn't

→ Fake invoice numbers or urgent account warnings

→ Subject promising something the email doesn't deliver

→ "Did I leave my jacket at your place?" style deception

Research shows these tactics destroy email deliverability even when you avoid legal trouble. Mailbox providers flag fake reply formatting as deceptive behavior.

[Figure: Cornell Law School Legal Information Institute page with the CAN-SPAM Act statute text, 15 USC 7704]

3. How to Disclose Your Email is an Ad

You must disclose clearly and conspicuously that your email is an advertisement or solicitation. The law gives flexibility in how you do this.

What works in real B2B cold email:

You don't need "[ADV]" in all caps. You do need clear commercial intent.

Examples that satisfy the requirement:

"This is a sales outreach email from [Company]."

"I'm reaching out to see if [Company] can help with [outcome]."

"If you'd rather not receive outreach like this, you can unsubscribe below."

4. What Physical Address to Include in Emails

Every commercial email must include your current physical mailing address. This can be:

• Current street address

• USPS-registered PO box

• Properly registered private mailbox from a commercial mail service

If you're working from home and don't want to list your residence, get a PO box or mailbox service and use that consistently. Whatever address you use must stay current.

The address usually goes in the footer in a smaller font, but it must remain clear and legible.

5. How to Create a Valid Unsubscribe Link

Your email must include a working way to opt out. The FTC requires it to be easy for ordinary people to recognize and use.

You cannot:

  • Force logins or multi-step processes

  • Require navigation through confusing pages

  • Charge fees for opting out

A one-click unsubscribe link or simple reply with "Unsubscribe" both work. Google and Yahoo now expect one-click opt-out, and emails without easy unsubscribe options get pushed to spam automatically.

Make it prominent: "If you don't wish to hear from us, [unsubscribe here]" or "Click here to opt out of these emails."

6. How Long Must Unsubscribe Links Work?

The statute requires the opt-out mechanism to remain functional for at least 30 days after sending. Even if someone waits weeks to click "unsubscribe," it must still work.

7. How Fast to Process Unsubscribe Requests

You must honor unsubscribe requests within 10 business days. Best practice? Do it immediately, ideally in real-time.

Once someone opts out, you cannot email them again (except to confirm they've been unsubscribed, which isn't necessary). Make sure your email software or process immediately flags and removes opted-out contacts across all campaigns.

Critical warning: The FTC's record $2.95M CAN-SPAM fine against Verkada Inc. was largely because the company ignored unsubscribe requests and kept sending emails. This isn't theoretical risk.

8. Can You Sell Unsubscribed Email Addresses?

When someone opts out, you cannot sell, share, or rent their email address. The only exception: passing addresses to an outsourced compliance provider for suppression purposes.

Treat your opt-out list as sacred. It's a "do not contact" list, not a marketing asset.

How to Handle Unsubscribes Across Multiple Inboxes

Where things get operationally complex:

If your outreach runs across multiple inboxes or domains (standard practice for email deliverability), you must ensure opted-out recipients are suppressed across your entire sending operation.

The violation pattern:

Someone unsubscribes from Email #1 sent from inbox-a@yourdomain.com. Three days later, you hit them from inbox-b@yourdomain.com with Email #2. You just created a compliance problem, even though they're different inboxes.

How Outbound System Solves This

Our infrastructure uses 350 to 700 Microsoft U.S. IP inboxes depending on the tier, distributing volume across many sending sources. How we handle compliance at scale:

Central suppression list architecture:

• Single source of truth: one suppression list per client brand

• Multi-channel capture: captures opt-outs from link clicks, email replies, and manual requests

• System-wide propagation: applies suppression across all inboxes, domains, and campaigns

• Real-time processing: honors opt-outs immediately, not within 10 days

• Audit trails: records when the opt-out was received, when suppression took effect, and confirmation that it propagated

This isn't optional infrastructure. It's how you run compliant multi-inbox operations without creating legal exposure.

[Figure: Multi-inbox compliance violation pattern vs. centralized suppression list architecture]

Who is Liable for CAN-SPAM Violations?

[Figure: How companies and agencies share CAN-SPAM liability in cold email operations]

If you outsource cold email (or run it for clients), both the promoted company and the sending company may be liable under CAN-SPAM.

The FTC explicitly states: "Both the company whose product is promoted and the company that actually sends the message may be held legally responsible."

What this means operationally:

→ If you hire a cold email agency, you still own legal responsibility

→ If you're an agency, you can't hide behind "just following client instructions"

→ Contracts don't eliminate liability

At Outbound System, we handle technical compliance as part of our infrastructure, minimizing risk for clients. But everyone in the chain must understand: compliance is shared responsibility.

What Are the Real Penalties for CAN-SPAM Violations?

Let's look at actual enforcement actions:

[Figure: CAN-SPAM enforcement timeline with Verkada's $2.95M fine and Experian's $650K penalty]

Verkada Inc. (Security Camera Firm) – August 2024

Penalty: $2.95 million (largest CAN-SPAM fine ever obtained by the FTC)

Violations:

• Failed to include unsubscribe/opt-out option

• Failed to honor opt-out requests

• Failed to include valid physical postal address

The FTC press release described promotional emails sent without clear opt-out mechanisms, and when recipients manually requested removal, Verkada kept emailing them anyway.

[Figure: FTC announcement of the action against Verkada for data security failures and CAN-SPAM Act violations]

Experian – August 2023

Penalty: $650,000

Violation: Sent marketing emails without providing proper opt-out mechanism as required under CAN-SPAM

The FTC settlement specifically addressed failure to give consumers a way to unsubscribe from marketing emails.

These aren't shady spammers. They're mainstream companies that got compliance wrong.

What Are Gmail and Outlook Email Requirements?

CAN-SPAM is the legal floor. Mailbox providers set additional requirements that determine whether you actually reach inboxes.

[Figure: Gmail and Outlook email authentication requirements with enforcement timelines]

Gmail Requirements (Enforcement Ramped Up November 2025)

Google's email sender guidelines require:

[Figure: Google Workspace Admin Help page with the email sender guidelines]

All senders to @gmail.com:

• SPF or DKIM authentication

• TLS connection (recommended/required)

• Follow RFC formatting standards

Bulk senders (5,000+ messages/day to Gmail):

• SPF + DKIM + DMARC (policy can be p=none)

• Marketing messages must support one-click unsubscribe

• List-Unsubscribe headers + visible unsubscribe link

Critical update: Gmail's FAQ states that starting November 2025, Gmail began "ramping up enforcement on non-compliant traffic," including temporary and permanent rejections for messages failing sender requirements.

Once you hit the 5,000/day threshold even once, you're permanently considered a bulk sender.
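As an added example (not code from Google or from Outbound System), the following Python shows what the "one-click unsubscribe" and "List-Unsubscribe headers + visible unsubscribe link" items above look like on the wire: RFC 8058 defines the List-Unsubscribe-Post header and the fixed POST body a mailbox provider sends to the https target. The block builds a message with both headers and the footer, checks a message for them, and models the receiving endpoint, which must accept only that POST. The sender domain, URL and addresses are constructed placeholders.

```python
"""Added example: build a cold-email message carrying RFC 8058 one-click
unsubscribe headers, check those headers, and model the receiving endpoint.
All domains, URLs and addresses are constructed placeholders."""
from email.message import EmailMessage
from email.utils import make_msgid
from urllib.parse import urlparse

ONE_CLICK_BODY = "List-Unsubscribe=One-Click"   # fixed POST body per RFC 8058


def build_message(sender, recipient, subject, body, unsubscribe_url,
                  unsubscribe_mailbox, postal_address):
    """Return an EmailMessage with the visible footer and the List-Unsubscribe headers."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Message-ID"] = make_msgid(domain="example-sender.com")   # constructed domain
    # RFC 2369 List-Unsubscribe: a mailto: and an https: target, so either path works.
    msg["List-Unsubscribe"] = f"<mailto:{unsubscribe_mailbox}>, <{unsubscribe_url}>"
    # RFC 8058: signals that the https target accepts the one-click POST.
    msg["List-Unsubscribe-Post"] = ONE_CLICK_BODY
    footer = (f"\n\n{postal_address}\n"
              f"If you'd prefer not to receive emails like this, unsubscribe here: "
              f"{unsubscribe_url}\n")
    msg.set_content(body + footer)
    return msg


def check_one_click(msg):
    """Return a list of problems; an empty list means headers and footer are in place."""
    problems = []
    raw = msg.get("List-Unsubscribe", "")
    targets = [t.strip().strip("<>") for t in raw.split(",") if t.strip()]
    https = [t for t in targets if urlparse(t).scheme == "https"]
    mailto = [t for t in targets if urlparse(t).scheme == "mailto"]
    if not https:
        problems.append("List-Unsubscribe lacks an https: target")
    if not mailto:
        problems.append("List-Unsubscribe lacks a mailto: target")
    if msg.get("List-Unsubscribe-Post") != ONE_CLICK_BODY:
        problems.append("List-Unsubscribe-Post header missing or malformed")
    body = msg.get_content()
    if https and https[0] not in body:
        problems.append("visible unsubscribe link missing from the body")
    return problems


def handle_one_click_post(method, content_type, body):
    """Receiving side. Only a POST with the fixed form body counts as an opt-out;
    a GET from a link scanner or a client prefetching URLs must not unsubscribe anyone."""
    if method.upper() != "POST":
        return False
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return False
    return body.strip() == ONE_CLICK_BODY
```

The GET/POST distinction in `handle_one_click_post` is the edge case worth keeping: security gateways and link scanners fetch every URL in a message, so an endpoint that unsubscribes on GET will silently suppress recipients who never asked.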

Outlook.com Requirements (Enforcement Started May 2025)

Microsoft announced requirements for domains sending more than 5,000 emails/day to Outlook.com consumer domains (hotmail.com, live.com, outlook.com):

• Mandatory SPF, DKIM, and DMARC

• Enforcement started May 2025

Why This Matters for Cold Email Systems

If you scale outbound, mailbox providers increasingly expect:

Infrastructure requirements:

Authenticated identity (SPF/DKIM/DMARC alignment)

Functional unsubscribe mechanisms

List hygiene and low complaint rates

These aren't "optional deliverability hacks." They're baseline expectations that determine whether your emails get delivered at all.

Does CAN-SPAM Preempt State Email Laws?

CAN-SPAM preempts many state email laws, but there's a carve-out: states can still enforce laws addressing falsity or deception in commercial email.

[Figure: CAN-SPAM federal preemption of state laws, with the California carve-out for deception enforcement]

California Anti-Spam Class Actions

California Business & Professions Code § 17529.5 is frequently cited as allowing statutory damages (commonly $1,000 per email) in lawsuits alleging deceptive commercial email practices.

Legal commentary noted a "new wave" of California anti-spam class actions targeting allegedly misleading commercial emails.

Practical takeaway: Avoid "clever" subject lines, fake reply formatting, and any ambiguity about who you are. These trigger both legal and deliverability problems.

CAN-SPAM Compliant Email Templates

[Figure: Cold email template showing the required CAN-SPAM elements in context]

Minimal CAN-SPAM Footer

You're receiving this because I'm reaching out with a business proposal from [Company].

[Company Name]
[Valid Physical Postal Address]

If you'd prefer not to receive emails like this, unsubscribe here: [Unsubscribe Link]

Ad Disclosure Language (Pick One)

"This is a sales outreach email from [Company]."

"I'm reaching out to see if [Company] can help [their company] with [outcome]."

"If this isn't relevant, feel free to unsubscribe below."

How to Set Up Unsubscribe Process for Multi-Inbox Systems

Goal: Make opt-out instant across your entire system (not just compliant within 10 business days).

Step 1: Central Suppression List (Source of Truth)

One suppression list per sender brand containing:

• Email address

• Date/time of opt-out

• Source (link click, reply, manual request)

• Campaign/inbox metadata

Step 2: Capture Opt-Outs From Three Channels

Unsubscribe link (preferred)

Reply-based opt-outs ("unsubscribe", "stop", "remove")

Manual requests (forwarded emails, support tickets)

Step 3: Propagate Suppression to Every Outbound Source

Apply to:

→ All inboxes

→ All domains/subdomains

→ All sending tools

→ All enrichment/list-building pipelines

Step 4: Honor Fast (Deliverability Standard)

• CAN-SPAM legal requirement: within 10 business days

• Gmail deliverability recommendation: within 48 hours

• Best practice (reduces spam complaints): immediate/real-time

[Figure: Multi-inbox unsubscribe architecture with a central suppression list, three capture channels, and real-time propagation to all sending sources]

Step 5: Monthly Compliance Audit

Random sample 50 sent emails:

Verify address present, opt-out works, subject isn't deceptive, sender identity is accurate

Random sample 50 opted-out emails:

Verify suppression effective across all sending sources
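Steps 1 through 5 above, and the "Central suppression list architecture" list earlier on the page, describe one procedure. As an added example (not Outbound System's code), the following Python sketches it end to end: one suppression list per brand, opt-outs captured from link clicks, reply text and manual requests, a filter applied before every send from any inbox, classification of honor time against the three timeframes in the Step 4 list, and a Step 5 audit that flags sends to opted-out addresses from any inbox. All addresses, inbox names and timestamps are constructed.

```python
"""Added example: a central suppression list for a multi-inbox sender, with
opt-out capture from link clicks, replies and manual requests, a pre-send
filter for every inbox, honor-time classification and a sent-log audit.
All addresses, inbox names and timestamps are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
import re

# Reply phrases treated as an opt-out. This errs toward over-suppression
# ("stop by our booth" would match), which is the safer failure mode here.
REPLY_OPT_OUT = re.compile(r"\b(unsubscribe|stop|remove me|opt[- ]?out)\b", re.I)

@dataclass
class OptOut:
    email: str
    received_at: datetime
    source: str                 # "link", "reply" or "manual"
    inbox: str                  # inbox the original message was sent from
    campaign: str
    suppressed_at: Optional[datetime] = None

@dataclass
class SuppressionList:
    """One list per sender brand: the single source of truth for every inbox."""
    brand: str
    entries: Dict[str, OptOut] = field(default_factory=dict)

    @staticmethod
    def normalise(email: str) -> str:
        return email.strip().lower()

    def record(self, email, source, inbox, campaign, received_at, now=None):
        key = self.normalise(email)
        if key not in self.entries:
            entry = OptOut(key, received_at, source, inbox, campaign)
            entry.suppressed_at = now or received_at   # audit trail: when it took effect
            self.entries[key] = entry
        return self.entries[key]

    def capture_reply(self, from_addr, inbox, campaign, body, received_at):
        """Reply channel: an opt-out phrase in a reply is an unsubscribe request."""
        if REPLY_OPT_OUT.search(body):
            return self.record(from_addr, "reply", inbox, campaign, received_at)
        return None

    def filter_recipients(self, recipients: List[str]) -> List[str]:
        """Run before every send, from any inbox, domain or tool."""
        return [r for r in recipients if self.normalise(r) not in self.entries]

def business_days_between(start: datetime, end: datetime) -> int:
    days, d = 0, start.date()
    while d < end.date():
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days

def honor_status(entry: OptOut) -> str:
    """Classify how fast an opt-out was honored against the Step 4 timeframes."""
    delay = entry.suppressed_at - entry.received_at
    if delay <= timedelta(minutes=5):
        return "real-time"
    if delay <= timedelta(hours=48):
        return "within Gmail 48h"
    if business_days_between(entry.received_at, entry.suppressed_at) <= 10:
        return "within CAN-SPAM 10 business days"
    return "VIOLATION"

def audit_sent_log(suppression: SuppressionList, sent_log) -> List[Tuple[str, str]]:
    """Step 5 audit: a send to a suppressed address after its opt-out, from any
    inbox, is a propagation failure. sent_log items: {"to", "inbox", "sent_at"}."""
    leaks = []
    for sent in sent_log:
        key = SuppressionList.normalise(sent["to"])
        entry = suppression.entries.get(key)
        if entry and sent["sent_at"] > entry.received_at:
            leaks.append((key, sent["inbox"]))
    return leaks

def demo():
    """Replays the violation pattern from the text: opt-out via inbox A, send from inbox B."""
    sl = SuppressionList("ExampleBrand")
    t0 = datetime(2025, 3, 3, 9, 0)                      # constructed; a Monday
    sl.record("Lead.One@example.com", "link", "inbox-a@example-sender.com", "q1", t0)
    sl.capture_reply("lead.two@example.com", "inbox-a@example-sender.com", "q1",
                     "Please STOP emailing me.", t0 + timedelta(hours=1))
    sl.capture_reply("lead.three@example.com", "inbox-a@example-sender.com", "q1",
                     "Sounds interesting, send more details.", t0 + timedelta(hours=2))
    prospects = ["lead.one@example.com", "lead.two@example.com", "lead.three@example.com"]
    to_send = sl.filter_recipients(prospects)            # what inbox B may actually send to
    # Log from a tool that bypassed the central list: lead.one was hit again 3 days later.
    later = t0 + timedelta(days=3)
    sent_log = [{"to": "lead.one@example.com", "inbox": "inbox-b@example-sender.com", "sent_at": later},
                {"to": "lead.three@example.com", "inbox": "inbox-b@example-sender.com", "sent_at": later}]
    return to_send, audit_sent_log(sl, sent_log)
```

`demo()` returns the recipients inbox B is allowed to contact (only lead.three) and the audit finding for the bypassing tool (lead.one reached from inbox-b). The normalisation step matters in practice: an opt-out recorded as `Lead.One@example.com` must still block a later send to `lead.one@example.com`, and that is the kind of mismatch a per-tool suppression list quietly misses.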

How Does CAN-SPAM Compare to GDPR and CASL?

[Figure: CAN-SPAM, GDPR, and CASL email compliance requirements by region]

CAN-SPAM covers the United States. If you're emailing people in other countries, additional regulations apply:

European Union: GDPR and ePrivacy

GDPR generally requires prior consent (opt-in) for marketing emails to individuals in Europe. A cold email campaign perfectly legal in the U.S. could violate GDPR in the EU if sent without consent.

Canada: CASL

Canada's anti-spam law requires consent or a pre-existing business relationship, plus specific content disclosures.

If you're reaching international prospects:

Don't assume CAN-SPAM compliance is enough. You may need to segment your list by region and apply different rules (or obtain consent) for certain countries. When in doubt, consult legal expertise for the markets you operate in.

How Outbound System Handles Compliance at Scale

Our platform manages compliance across 350-700 Microsoft U.S. IP inboxes with full technical infrastructure:

Compliance features built-in:

• 9-step waterfall enrichment: triple-verified data minimizes bounces that damage sender reputation

• Centralized suppression: a single opt-out list applies across all inboxes and domains

• One-click unsubscribe: every email includes a working unsubscribe link with real-time processing

• Physical address inclusion: automatically added to the footer of every campaign

• Multi-channel capture: captures opt-outs from links, replies, and manual requests

• DMARC/SPF/DKIM: full authentication configured on all sending domains

• Audit trails: complete records of opt-out timing and suppression propagation

This infrastructure handles the complex technical aspects of email compliance so clients can focus on results instead of regulatory risk.

Our performance metrics:

98% inbox placement (vs. industry average of 60-70%)

6-7% response rates across client base

52M+ cold emails sent with zero CAN-SPAM violations

127K+ leads generated, $26M in closed revenue

These numbers aren't achieved by cutting corners. They're the result of treating compliance as foundational infrastructure instead of an afterthought.

Book a 15-minute consultation to see how our compliance infrastructure scales cold email without legal risk.

Best Practices Beyond Legal Requirements

Meeting the bare minimum keeps you out of legal trouble. These practices improve results and reduce risk:

[Figure: Best practices beyond CAN-SPAM: frictionless unsubscribe, professional sender identity, no deceptive tactics, smart frequency, and suppression list maintenance]

Make Unsubscribing Frictionless

Don't hide the opt-out link or use confusing language. A straightforward "Unsubscribe" or "Opt out here" works best.

Why it matters:

People are less likely to hit "Report Spam" if they have a clean way to opt out. Reducing spam complaints directly improves deliverability and sender reputation.

Use Professional Sender Identity

Send from consistent company email addresses that clearly include your brand name. This supports CAN-SPAM's accurate header requirement and helps recipients immediately recognize legitimate emails.

Example: john@yourcompany.com with sender name "YourCompany Sales Team" is far better than a random Gmail address.

Never Use Deceptive Tactics to Boost Opens

Tricks like fake urgency ("URGENT: Update Your Information" when it's a sales pitch) or false personal context will backfire.

Not only are these likely CAN-SPAM violations, they also erode trust and result in immediate deletions or spam reports once recipients realize the ruse.

Honesty and relevance are the pillars of successful cold emails.

Mind Your Sending Frequency and Targeting

While CAN-SPAM doesn't limit how many times you can email someone (until they opt out), flooding prospects with too many emails attracts complaints and regulatory attention.

Smart approach:

Keep follow-ups reasonable (a sequence of a few emails spaced over days or weeks, not dozens of messages in a short span). Target prospects who are likely to be interested in your offer.

Quality over quantity. A smaller list of well-researched prospects who fit your Ideal Customer Profile yields better results and fewer complaints than blasting thousands of random contacts.

Maintain a "Do Not Email" List

Keep a master list of all contacts who've unsubscribed or asked not to receive emails, and ensure no future campaign ever includes them.

Most email tools handle this automatically, but if you're using multiple systems, be very careful to update and honor your do-not-email list across all platforms.

Frequently Asked Questions About CAN-SPAM Cold Email

Is cold email illegal without prior consent?

No. Cold email is legal in the United States under CAN-SPAM without prior consent, as long as you follow all requirements (truthful headers, honest subjects, address, unsubscribe, honor opt-outs, etc.).

Do CAN-SPAM rules apply to B2B emails?

Yes. The FTC explicitly states CAN-SPAM "makes no exception for business-to-business email." All commercial emails must comply.

What happens if someone forwards my email and the recipient reports it as spam?

You're only responsible for the original recipient's opt-out. If someone forwards your email to others, those recipients aren't on your list. This highlights why clear sender identity and ad disclosure matter.

Can I charge a fee to process unsubscribe requests?

No. The law explicitly prohibits charging fees or requiring extra personal data beyond the email address to execute opt-out.

How long do I have to honor an unsubscribe request?

CAN-SPAM gives you 10 business days. Gmail's deliverability guidelines recommend 48 hours. Best practice is immediate/real-time processing to minimize complaints.

Do I need to include my home address if I work from home?

You need a valid physical postal address. If you don't want to list your home address, get a USPS-registered PO box or registered private mailbox from a commercial mail service.

What if I hire an agency to send emails for me?

You're still legally responsible. The FTC states both the promoted company and the sending company may be held liable. Choose partners who take compliance seriously.

Can I use "Re:" in my subject line?

Only if it's truly a reply to an existing conversation. Using "Re:" to pretend the email is part of an ongoing thread when it isn't violates the deceptive subject line prohibition.

Does CAN-SPAM apply to emails to my existing customers?

Yes, if the email content is commercial (promoting products/services). Purely transactional emails (receipts, shipping notifications, account updates) may be exempt from some requirements, but if you include any promotional content, treat it as commercial and include all compliance elements.

What about emails to .edu or .gov addresses?

CAN-SPAM applies to all commercial emails regardless of recipient domain. Educational and government email addresses receive the same protections.

Can I send one last email after someone unsubscribes?

Generally no. Once someone opts out, you cannot send them commercial emails. The only exception is a confirmation that they've been unsubscribed, which isn't necessary and often annoys recipients further.

How do I handle unsubscribes across multiple domains and inboxes?

You need a central suppression list that applies across your entire sending operation. When someone opts out from any inbox or domain, they must be suppressed across all your sending sources. This is critical for multi-inbox cold email systems.

What if my cold email tool doesn't support one-click unsubscribe?

You need to switch tools or add the capability. Gmail and Yahoo increasingly expect one-click unsubscribe, and emails without it are more likely to hit spam. Plus, it's becoming a deliverability requirement, not just a nice-to-have.

Can I buy email lists and send cold emails to them?

Legally under CAN-SPAM, yes (with full compliance). Practically? This is almost always a terrible idea. Purchased lists have poor data quality, high bounce rates, spam complaints, and deliverability damage. Build lists from legitimate research instead.

How does CAN-SPAM interact with GDPR for international emails?

They're separate laws. CAN-SPAM governs U.S. emails. GDPR governs emails to EU residents and generally requires opt-in consent for marketing emails. If you email internationally, you need to comply with regulations in each jurisdiction.

Conclusion: Compliance as Competitive Advantage

CAN-SPAM compliance isn't just about avoiding fines. It's about building sustainable cold email infrastructure that delivers results long-term.

The companies that treat compliance as foundational infrastructure see:

• Higher deliverability (emails actually reach inboxes)

• Better sender reputation (providers trust your infrastructure)

• Lower complaint rates (recipients feel in control)

• Sustainable growth (no sudden shutdowns or legal exposure)

When done right, cold email opens doors to valuable B2B relationships without annoying prospects or running afoul of regulators. By clearly identifying yourself, providing easy opt-out, and sending honest, relevant messages, you build credibility from the first touchpoint.

Remember: The goal of cold email is starting conversations and building relationships, not deceiving people into replying. Compliance and courtesy go hand in hand.

At Outbound System, we've sent 52M+ cold emails with zero CAN-SPAM violations while generating 127K+ leads and $26M in closed revenue for clients. Our infrastructure handles compliance at scale so you can focus on closing opportunities instead of managing regulatory risk.

Schedule a free 15-minute consultation to see how compliant cold email infrastructure drives real results.

CAN-SPAM isn't an obstacle to effective cold emailing. It's a framework that, when embraced, enhances your reputation and deliverability.

Let our experts do all the work for you

Book a 15-minute free consultation today.

About Outbound System

We help B2B companies get qualified leads through cold email and LinkedIn outreach. Our team of proven U.S.-based experts handles everything from finding ideal prospects to writing messages that actually convert, so you can focus on closing deals. We've helped over 600 clients since 2020 with our proven approach, and we look forward to helping you too.

OS

Outbound System

Book your free consultation today to discover how to convert your cold emails to consistent revenue.

Trusted by 600+ B2B companies, Outbound System automates your cold outreach end-to-end, delivering twice the leads at half the cost. We handle everything to fill your pipeline with qualified decision-making leads every month.

© 2025 Outbound System. All rights reserved.
