A Quick Refresher of CAN-SPAM Rules for Email Marketing and Newsletters

If you cast your mind back to 2003, possibly you’ll remember that one of the grand issues of the day was unsolicited commercial email, otherwise known as spam.

That was a long time ago, back when John McCain was still a maverick and nobody had ever heard of Sarah Palin or Barack Obama.

Back then, McCain chaired the Senate Commerce Committee and knew a few things about the Internet. He was one of its staunchest champions and the CAN-SPAM Act of 2003 was his baby.

Yes, that’s right. We have John McCain to thank for CAN-SPAM.

The bill was a peculiar piece of legislation. Originally, of course, the idea was to get rid of unsolicited commercial email. But the Direct Marketers Association — composed of some pretty heavy-weight brands like Microsoft, Amazon.com and Wal-Mart — argued that they needed to be able to send spam, too.

They didn’t quite phrase it that way, of course.

So, in the end, Congressional attempts to ride herd on inappropriate ads were watered down to a regulatory regime that preserved the ability (some would say the “right”) of so-called “legitimate” marketers to send as much spam as they wanted, as long as they obeyed the rules.

By now, you may be wondering what any of this has to do with you. Well, here’s the thing: even if you are not a spammer, if you use email for marketing or if you publish a newsletter that is delivered by email, then you still need to make sure that you are CAN-SPAM compliant.

Each individual violation of CAN-SPAM regulations is subject to fines of $16,000, which (a) is a lot of money that (b) adds up fast. There are additional penalties, including possible criminal charges, for the truly slimy stuff like email harvesting and using malware to send by open proxy (or otherwise controlling people’s machines to send spam without their permission).

Fortunately, CAN-SPAM compliance is fairly easy to come by. In fact, you are probably doing quite a lot of this stuff already and what you are not doing can be easily implemented.

Your mailings are CAN-SPAM compliant if:

  1. the subject line is not misleading and advertisements are clearly labeled as such;
  2. the email headers, sending email address and other identifiers in
    the headers have not been tampered with in order to conceal your
  3. the body of the email contains a valid physical address for
    the sender; and
  4. the email contains a functioning opt-out mechanism, and opt out
    requests are honored within 10 business days of receipt of that

The point of the rules is to keep us from misleading people, to ensure that we are easy to find if someone has a problem or just needs to find us, and to make it easy for people to escape from our clutches whenever they want to.

One of the aspects of the rule-making process with respect to this legislation was watching the Federal Trade Commission (FTC) realize that there were more types and uses for email than simply commercial and non-commercial messages.

Of particular interest to small and microbusinesses is, of course, newsletters.

Would email newsletters be considered transactional or relationship messages? Or both? Or neither? What about newsletters containing third-party advertisements? What about newsletters containing in-house advertisements, or affiliate links? As FTC staff wrestled with the various uses of bulk email, many more complexities emerged than I’m sure anybody either on Capitol Hill or at the agency anticipated.

To be honest, it is much easier to simply arrange your newsletters to comply with the CAN-SPAM regulations than it would be to wade through those regulations to figure out whether your newsletter has to comply or not. The odds are that you are already doing most, if not all, of what is required and there is no real need to give yourself a headache, too.

As for email marketers, the requirements are pretty clear. You need to keep your operations transparent and ethical, keep yourself easily identifiable and able to be contacted if necessary, and keep an eye on your affiliate program participants to make sure they aren’t spamming on your behalf. Making you responsible for your affiliates is not really a matter of the CAN-SPAM Act, but there is judicial precedent for it.

Besides, it’s just a smart thing to do. You don’t need other people creating a reputation for you as a spammer, do you?

* * * * *

About the Author: Dawn Rivers Baker, an award-winning small business journalist, regularly reports and analyzes small business policy and research as the Publisher of the MicroEnterprise Journal, where the nation’s business meets microbusiness. She also publishes the Journal Blog.


Dawn R. Rivers, an award-winning small business journalist, regularly reports and analyzes small business policy and research as the publisher of the MicroEnterprise Journal. She also publishes research at the Microbusiness Research Institute and she blogs at The MicroEnterprise Journal Blog.

37 Reactions
  1. Martin Lindeskog

    So many rules, so little time… 😉 Is it not common to have an opt-out link in your email newsletters?

    As a funny side note: I have heard that spam is very popular in Hawaii? Is that true?

  2. Dawn,

    So many rules, so little time. Is it not common to have an opt-out link in your email newsletters?

    As a funny side note: I have heard that spam is very popular in Hawaii? Is that true? I want to go to Hawaii and drink Kona coffee! 🙂

  3. A lot of small business owners are so scared of violating CAN-SPAM they just don’t do email marketing. Thanks for taking the complexity out and pointing out the 4 steps needed for compliance.

    What platform would you recommend to a small business just getting started with their email marketing? Aweber? MailChimp?

  4. Dawn Rivers Baker


    It’s pretty much universal to have an opt-out link in your newsletters, unless you really are a spammer. Every sort of list software I know about comes with it automatically. Oh, and that’s a hoot about Hawaii! I have no idea if it’s true.


    I guess it depends on how much money they have at their disposal and whether they are interested in hosted services or D-I-Y. I have found both DadaMail and PHPlist to be various degrees of useful, PHPlist gets you better tracking stats but is also less intuitive to use. For hosted apps, I personally have no experience of them but have heard good things about both Constant Contact and AWeber.

  5. Dawn,

    Yes, that is what I have experienced with the mailing list / CRM system that I have used so far.

    Regarding spam in Hawaii, check out “spam jam hawaii DOT com”. From the site:

    “Each place in the world seems to have its signature food festival. You may have heard about tomatoes, ribs, onions or pumpkins, but you have never seen anything like this, a SPAM

  6. Thank you so much for this timely reminder. We are constantly helping clients to get and stay CAN-SPAM compliant, so the more information out there about how to do it, the better.

  7. Great lesson on the rules surrounding this major issue. It’s always good to get a refresher on the guidelines of good email etiquette.

  8. This was quite the refresher course on spam and very eye-opening for me. The 4 compliancy rules you listed were very useful as I was not aware of them previously so thanks for such an educational article.

  9. Thanks for the info on spamming and e-mail marketing. If e-mail marketing is a choice of yours, you definitely want to confirm that before you spend the money, your marketing campaign will be completed and not viewed as spam.

  10. Oh My Dawn,

    I don’t know we have this in PH and honestly I didn’t hear anything about this Can Spam only until I read your post. Thanks for pointing that out to us. Will check if we also have this kind of regulation.

  11. RedHotFranchises

    I would recommend aweber. It’s $20 a month, you can create unlimited email lists, you can set up unlimited auto responders, and set everything on auto and it’s click of a button easy.

    They have a spam control generator which shows you a color-coded spam setting of each email you send out, you simply have to tweak things that get labeled as spam before you send it out, surely worth the monthly fee.

  12. Jeff Machado | Internet Marketing For Coaches

    @Robert Brady I’ve had such a great experience with Aweber that takes all the guesswork out of this. MailChimp is good except it doesn’t allow you to set up autoresponders where emails are sent out at determined periods. It only allows you to send broadcasts.

    I do a lot of work with e-courses for myself and my clients, where people come on your subscriber list at different times yet they all need to go through the same sequence. MailChimp can’t do this. But if you’re just wanting to send a monthly newsletter, then MailChimp is perfect (and very affordable)

  13. Hi Dawn
    Thanks for taking the fear factor out of email marketing. CAN-SPAM compliance is not to be taken lightly, but you made it all clear. Thanks.

    I’ve used aWeber and been thrilled with their service. I’ve also used the PHPlist and a couple of other open source programs, but I liked the ease of aWeber. What I didn’t like was that I had to re-connect with every customer in my dbase if I wanted to start a new list there. They have to verify (as do most of the email marketing companies) that your list is in compliance or they get into trouble. So switching from your own list to a SaaS/hosted provider can be a hassle. It also gives you the opportunity to clean up your list and see who is really still a customer or prospect.

    There is a lot of email noise out there and lots of filters and protections the biz owner and consumer can use to keep you out. Being genuine and writing real subject lines is what I’ve found works the best.

  14. Thanks Dawn. I didn’t realize you needed a physical address (I do have my phone number and email contact on my newsletter) – I’ll update immediately!

  15. I really like the way you have made such a seemingly-complex issue into an easily-understandable one. Our company has always used a program that helps with our newsletters, but I’ll make certain it’s 100% compliant!



  16. Great refresher, forwarded it to our virtual assistants as a reminder also. Thank you for posting!

  17. @Robert Brady: Small businesses in America are scared of violating CAN-SPAM. This does not apply to small businesses outside your country.

    In fact, when people write or talk online, they tend to generalise or forget that this thing is called World wide web, and not United States web. It would make better sense to just make it clear that you’re talking about businesses in the US.

  18. @Helen Hunt

    Guilty as charged, I should specify that CAN-SPAM is more focused on the US. However, regardless of where you are located or where your customers are located, nobody likes getting unwanted emails. Allowing customers to opt out of further communication is just a good practice.

  19. We’re just about to begin sending monthly newsletters. The timing on this article is perfect. I would hate to shut down Scan Monkeys because of fines that we didn’t even know could be imposed upon us.

    I wonder why unsolicited emails cause such an issue, especially when you can “cold call” companies without a problem (other than people hanging up on you).

    Great article!

  20. Speaking of CAN-SPAM, the law regulating the sending of email in USA and Europe virtually Paracas ROLE IN REAL AND WHAT IS THERE, BUT, THERE IS ONLY FOR MICROSOFT, GOOGLE, YAHOO AND OTHER GREAT THAT PROMOTE THE SAME.

    Unfortunately the small can not enforce the law in their favor.

    CAN-SPAM is very good, even with its regulations in 2008.

    Why this law is not respected by service providers for hosting sites?

    Why not allow me to send emails if I am obeying the law?

    Why am I punished with blocks as if sending PORNOGRAPHY?


  21. Dawn Rivers Baker


    The CAN-SPAM Act does not create any obligation for web hosting companies or email service providers to forward your messages if they are compliant with the law. In fact, they are not required to do business with you at all if they have reason to believe that you are engaged in activities that will create liabilities for them.

    At the same time, CAN-SPAM compliant spam is still spam. If your emails are legal but still generate complaints or get labeled as spam, then your service provider is perfectly within their rights to shut you down.

    On the other hand, there is one simple and inexpensive way for small business owners to help get their email messages (single and bulk) past the anti-spam trips and blocks put into place by many ISPs and ESPs: publish a Sender Policy Framework (SPF) record to your Domain Name System (DNS) file. Without getting excessively technical, an SPF record tells querying machines checking the origin of an incoming email message who the sender is and that the sender is who they claim to be in the email headers.

    You can find a lot more information about SPF records, how they work, how to publish them to a DNS file, and even a handy wizard for creating one at the Sender Policy Framework Project web site.

    Hope this helps.

  22. Dawn Rivers Baker

    Hi Brian.

    “I wonder why unsolicited emails cause such an issue, especially when you can “cold call” companies without a problem (other than people hanging up on you).”

    That’s because it costs people and businesses money to download email, particularly earlier in the century when dial up access was more common than it is now. When you cold call a company, the expense is borne by the caller and costs the callee nothing but their time.

    Besides, some of the ways in which spammers acquire email addresses are pretty unsavory, which adds to the negative perception.

  23. Still saying that a law such as CAN-SPAM in 2003, even with all the updates, was never and is not respected by any provider or data center, especially in the land of origin of the law and say to me that the law does not require to respect, is head of whom also do not want to respect it, in fact, U.S. law only to serve those who are from outside the USA, since. those who have their services in the country of origin of the law, send SPAM to the world and are not prevented.

    And I say that the CAN-SPAM Act does not need interpretation and it is very clear and that was to be respected, even for large systems and data centers Americans. Indeed, no law is respected in the USA. It is no man’s land.

  24. Excellent article.

    I use Constant Contact for my email campaigns and they are very specific about having all the aforementioned components in their templates so that you are in compliance with the rules. The exception being the Subject Line, which would be almost impossible for them to monitor automatically.

    One thing with CC though, you’ll be notified if someone reports your email as SPAM, but won’t tell you who. Now I send REALTORS images of homes I have photographed on behalf of Agent-clients and send those out so area REALTORS know what is available for Buyers. While I have had a very, very low SPAM report ratio, who is to say that the person reporting SPAM doesn’t know that the email in fact is a legitimate service provided by one Agent to the others based on the rules? Who is to say there isn’t some other agenda behind the SPAM report?

    I am sure Constant Contact reviews the SPAM reports and would notify me if I was not in compliance, but they haven’t contacted me so I don’t worry about it.


  25. Dawn Rivers Baker

    I don’t know if you remember this, Andrew, but it used to happen fairly often that online small businesses were getting unfairly crucified because anybody could report their emails as spam and the attitude was definitely ‘guilty until proven innocent.’

    The report could come from your mother-in-law or a disgruntled ex-employee or even an ex-girlfriend with an axe to grind. They were all accepted without question and the small businesses involved didn’t have to pay fines but their reputations would end up in shreds and they’d find their emails blocked for no apparent reason.

    People seem a lot calmer about spam these days, probably because the anti-spam types stopped trying to figure out how to keep the spammers from spamming and turned their attention to improving the spam filters to put people back in charge of their inboxes. The spammers don’t seem to care; presumably, they get paid for sending the emails, not ensuring that somebody actually reads them. Thus it doesn’t seem to be the issue it once was.

  26. A lot of small business owners are so scared of violating CAN-SPAM they just don’t do email marketing. Thanks for taking the complexity out and pointing out the 4 steps needed for compliance.

    I wonder why unsolicited emails cause such an issue, especially when you can “cold call” companies without a problem (other than people hanging up on you).

    Nice Post though…

  27. Does CANSPAM apply to emails that are NOT opt-in?

    Of course, these rules are common sense, but I get emails from DELL and AMAZON and they do not have their corporate address in the email.

  28. There’s something exciting about remaining mysterious for a writer.