CAN-SPAM Unsubscribe Requirements - What Senders Must Do and What You Can Do
Every commercial email you receive in the United States is governed by the CAN-SPAM Act. It is the law that requires senders to include an unsubscribe link, honor opt-out requests, and identify themselves. But most people do not know the specifics — what senders are actually required to do, what exemptions exist, and what you can do when they violate the rules.
This guide explains CAN-SPAM from both sides: what the law demands of senders, and what options you have as a recipient.
The 7 requirements of CAN-SPAM
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act) was signed into law in 2003 and is enforced by the Federal Trade Commission (FTC). It applies to any "commercial electronic mail message" — email whose primary purpose is advertising or promoting a product or service.
| # | Requirement | What it means |
|---|---|---|
| 1 | No false or misleading header information | The "From," "To," and "Reply-To" fields must accurately identify the sender. You cannot disguise who is sending the email. |
| 2 | No deceptive subject lines | The subject line must accurately reflect the content of the message. "Re: Your order" on a marketing email is a violation. |
| 3 | Identify the message as an ad | The email must include a clear indication that it is an advertisement or solicitation. The law gives senders flexibility in how to disclose this. |
| 4 | Include sender physical address | Every commercial email must include the sender's valid physical postal address. This can be a street address, P.O. box, or registered commercial mail receiving agency address. |
| 5 | Tell recipients how to opt out | Every commercial email must include a clear, conspicuous way for recipients to opt out of future emails from that sender. |
| 6 | Honor opt-out requests promptly | Once a recipient opts out, the sender must stop sending within 10 business days. The opt-out mechanism must remain functional for at least 30 days after the email is sent. |
| 7 | Monitor third-party compliance | If you hire another company to handle your email marketing, you are still legally responsible for their compliance with CAN-SPAM. |
Violations can result in penalties of up to $50,120 per email (as of the 2024 adjustment).
The unsubscribe requirement in detail
The opt-out mechanism is the most visible CAN-SPAM requirement for email recipients. Here is exactly what the law requires:
- The unsubscribe mechanism must be clear and conspicuous — not buried in tiny text or hidden behind complex navigation
- It must be functional for at least 30 days after the email is sent
- It can be an email-based opt-out (reply with "unsubscribe") or a link-based opt-out (click to unsubscribe)
- The opt-out process cannot require the recipient to log in, pay a fee, provide personal information beyond their email address, or take more than a single step beyond the initial click
- The sender must process the opt-out within 10 business days (not calendar days)
- The sender cannot transfer or sell the email address after receiving an opt-out request
What about emails without an unsubscribe link?
Not every email is required to have an unsubscribe link. CAN-SPAM distinguishes between commercial and transactional messages:
Exempt: transactional or relationship emails
These do not need an unsubscribe link because they are not primarily commercial:
- Order confirmations and shipping notifications
- Password reset and account verification emails
- Security alerts (login from new device, password changed)
- Legal notices and warranty information
- Ongoing subscription or account status updates
The gray area: mixed-purpose emails
Some emails combine transactional content with marketing: an order confirmation that includes product recommendations, or an account update that promotes a new feature. CAN-SPAM uses the "primary purpose" test: if the main reason for sending is commercial, it must comply. If the main reason is transactional but it includes some marketing, the transactional exemption usually applies, as long as the commercial content does not dominate.
International email laws compared
| Law | Region | Model | Key difference from CAN-SPAM |
|---|---|---|---|
| CAN-SPAM | United States | Opt-out | Senders can email you until you unsubscribe |
| GDPR (ePrivacy) | European Union | Opt-in | Senders need your consent before sending; stricter consent requirements |
| CASL | Canada | Opt-in | Requires express or implied consent; implied consent expires after 2 years |
| PECR | United Kingdom | Opt-in | Similar to GDPR post-Brexit; ICO enforcement |
| Spam Act 2003 | Australia | Opt-in | Requires consent; functional unsubscribe within 5 business days |
CAN-SPAM is notably the weakest of these laws. It uses an opt-out model (you have to tell senders to stop) rather than the opt-in model used by the EU, Canada, UK, and Australia (senders need your permission before starting). This is why US inboxes tend to receive more unsolicited commercial email than inboxes in countries with opt-in laws.
One-click unsubscribe: the modern improvement
In 2024, Gmail and Yahoo began requiring bulk senders (those sending more than 5,000 emails per day) to support RFC 8058 one-click unsubscribe. This standard adds a machine-readable unsubscribe header to emails, allowing email clients to show a one-click unsubscribe button at the top of the message.
The benefits over traditional unsubscribe links:
- No visiting external websites — the unsubscribe happens via a direct POST request
- No confirming, logging in, or filling out forms — one click and done
- Email client handles it — reduces the risk of clicking a malicious "unsubscribe" link
- Senders who do not comply risk having their emails sent to spam by Gmail and Yahoo
This is a significant improvement over CAN-SPAM's minimum requirements, driven by email providers rather than legislation.
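An added example, not from the original page: a Python check that a received message carries the RFC 8058 headers a mail client needs before it can offer one-click unsubscribe. The `check_one_click` name, the sample messages and the example.com values are constructed for illustration; the check reads the DKIM `h=` tag only and does not verify the signature.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

def signed_headers(msg):
    """Lower-cased header names listed in the h= tag of any DKIM-Signature."""
    names = set()
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in str(sig).split(";"):
            key, _, value = tag.partition("=")
            if key.strip().lower() == "h":
                names.update(n.strip().lower() for n in value.split(":"))
    return names

def check_one_click(raw):
    """Report whether a raw message meets the RFC 8058 header requirements."""
    msg = message_from_string(raw, policy=policy.default)
    uris = re.findall(r"<([^>]+)>", str(msg.get("List-Unsubscribe", "")))
    # RFC 8058 needs an HTTPS URI; mailto: or http: alone does not qualify.
    https = [u for u in uris if urlsplit(u).scheme.lower() == "https"]
    post = str(msg.get("List-Unsubscribe-Post", "")).strip()
    post_ok = post == "List-Unsubscribe=One-Click"
    # Both headers must be named in a DKIM h= tag so they cannot be altered
    # in transit. This checks coverage only, not the signature itself.
    covered = {"list-unsubscribe", "list-unsubscribe-post"} <= signed_headers(msg)
    return {"https_uris": https, "post_header_ok": post_ok,
            "dkim_covers_headers": covered,
            "one_click_ready": bool(https) and post_ok and covered}

# Constructed sample messages (example.com values are placeholders).
BASE = "From: News <news@example.com>\nTo: user@example.net\nSubject: Deals\n"
SIG = "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; bh=X; b=Y;\n h="
UNSUB = ("List-Unsubscribe: <mailto:unsub@example.com>,"
         " <https://example.com/u/opaque-token>\n"
         "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n")
GOOD = BASE + SIG + "from:to:list-unsubscribe:list-unsubscribe-post\n" + UNSUB + "\nHi\n"
UNSIGNED = BASE + SIG + "from:to:subject\n" + UNSUB + "\nHi\n"
LEGACY = BASE + "List-Unsubscribe: <mailto:unsub@example.com>\n\nHi\n"

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("UNSIGNED", UNSIGNED), ("LEGACY", LEGACY)]:
        print(name, check_one_click(raw))
```

The UNSIGNED case shows a message that has both headers but leaves them out of the DKIM `h=` tag, so it does not meet the standard even though a button could technically be rendered from it.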
What to do when senders violate CAN-SPAM
If a sender does not include an unsubscribe link, ignores your opt-out request, or continues emailing you after the 10-business-day window:
Report to the FTC
File a complaint at reportfraud.ftc.gov. The FTC uses these reports to identify patterns and bring enforcement actions against repeat offenders.
Forward to the FTC spam address
Forward the offending email to spam@uce.gov. This feeds into the FTC's spam tracking database.
Use your email provider's reporting
Marking email as spam in Gmail, Outlook, or other providers trains their filters and may result in the sender being blocked across all users of that provider.
Use email aliases to cut off the sender
If a sender ignores unsubscribe requests, disabling the alias they have on file is an immediate, permanent solution. They cannot email an address that no longer exists. This is one of the strongest practical defenses against senders who violate opt-out rules.
Frequently asked questions
Is the unsubscribe link safe to click?
For legitimate senders, yes. For suspicious emails, use caution — some phishing emails disguise malicious links as unsubscribe buttons. If you are unsure whether the email is legitimate, mark it as spam instead. We cover this in detail in our article on whether it is safe to click unsubscribe in spam.
What if I unsubscribed but still get emails?
Senders have 10 business days to process your opt-out. If emails continue after that, they are in violation. Report them to the FTC. In practice, some senders use multiple mailing lists or subsidiary companies to continue emailing under different sender identities. See our guide on what to do when you keep getting emails after unsubscribing.
Can I sue a sender under CAN-SPAM?
No. CAN-SPAM does not include a private right of action for individuals. Only the FTC, state attorneys general, and internet service providers can bring enforcement actions. Individual consumers can report violations but cannot file lawsuits under this law.
Does CAN-SPAM apply to non-US senders?
CAN-SPAM applies to any commercial email sent to a US recipient, regardless of where the sender is located. In practice, enforcement against international senders is difficult, but the law technically applies.
Does CAN-SPAM apply to B2B email?
Yes. CAN-SPAM makes no distinction between business-to-consumer and business-to-business commercial email. All commercial messages must comply regardless of the recipient type.