Email · list consent & CAN-SPAM
This article covers the email-specific layer of compliance: what CAN-SPAM requires of every commercial message, what valid consent for an email list looks like, and how unsubscribes work on Bird. It builds on the channel-agnostic consent & data privacy article. As always, this is guidance, not legal advice — check requirements for your specific situation with your own counsel.
Meeting these rules is not just about the law: Gmail and Yahoo enforce overlapping requirements (one-click unsubscribe, low complaint rates) as a condition of inbox delivery. See Gmail & Yahoo sender requirements.
What CAN-SPAM requires
CAN-SPAM is the US law covering commercial email. Its core requirements are straightforward, and most of them are good practice everywhere, not just for US recipients:
- Accurate From and subject. The From name, From address, and subject line must honestly identify who is sending and what the message is about. No misleading sender names, no bait-and-switch subjects.
- A physical postal address in marketing mail. Every commercial message must include your valid physical postal address — a street address, PO box, or registered commercial mail receiving agency. Put it in the footer of every marketing template.
- A clear way to opt out. Every commercial message needs a conspicuous unsubscribe mechanism that works without a login or a fee.
- Honor opt-outs promptly. CAN-SPAM allows up to 10 business days to process an opt-out, but on Bird there is no reason to use any of them — unsubscribes take effect immediately (see below).
CAN-SPAM applies to commercial mail. Genuinely transactional messages — receipts, password resets, account notices — are exempt from the postal-address and opt-out requirements, but the accurate-header rules apply to everything.
What valid list consent looks like
CAN-SPAM technically permits opt-out marketing, but GDPR does not, mailbox providers punish unconsented mail with spam-folder placement, and your complaint rate is the single biggest threat to your deliverability. Build your list on real consent:
- Express consent is a clear affirmative action: the person checked an unticked box, submitted a dedicated signup form, or otherwise actively asked for your email. This is the standard GDPR requires for marketing and the one to aim for everywhere.
- Implied consent — an existing customer relationship without an explicit marketing opt-in — is weaker. Some jurisdictions accept it in narrow circumstances; others do not. If you rely on it, keep the mail closely related to the existing relationship and make opting out effortless.
- Never buy, rent, or scrape lists. Nobody on a purchased list consented to hear from you, and such lists are dense with spam traps and dead addresses that will wreck your sender reputation.
Keep records. For each subscriber, store when and where they signed up, what the signup form said, and ideally the IP address and a confirmation timestamp. Double opt-in (a confirmation click before the first marketing send) gives you the strongest record and the cleanest list.
Unsubscribes on Bird
Bird handles the mechanical side of opt-outs for you:
- One-click List-Unsubscribe headers. Bird adds RFC 8058 one-click unsubscribe headers (List-Unsubscribe and List-Unsubscribe-Post) to marketing mail automatically. This is what powers the native unsubscribe button in Gmail, Yahoo, and other clients — and it is a hard requirement for bulk senders at Gmail and Yahoo.
- Unsubscribes take effect immediately. When a recipient unsubscribes — via the header or an unsubscribe link — Bird records an email.unsubscribed event and automatically adds the address to your workspace suppression list with reason: unsubscribe. The next marketing send to that address is rejected before it leaves the platform.
- Complaints are treated the same way. A spam complaint (email.complained) auto-suppresses the address with reason: complaint. Someone who marks your mail as spam has opted out, just less politely.
You still own the content side: include a visible unsubscribe link in your marketing templates (the header alone is not enough for CAN-SPAM's "conspicuous" requirement), and mirror suppressions into your own marketing database by subscribing to the email_suppression.created webhook.
Why transactional mail still gets through
Unsubscribe and complaint suppressions block only non-transactional mail. A recipient who unsubscribed from your newsletter still gets password resets, receipts, and security alerts — those are messages their own actions require, and stopping them would break your product for them.
Bird implements this with categories: sends in the marketing category are blocked by unsubscribe and complaint suppressions, while sends in the transactional category deliver through them. This makes one thing critical for compliance: always set category: "marketing" on marketing sends. The category defaults to transactional, so marketing mail sent without an explicit category bypasses unsubscribe suppressions — which means mailing people who opted out. That is both a deliverability risk and, in many jurisdictions, a legal one.
Related pages
- Consent & data privacy (GDPR/CCPA) — the channel-agnostic consent and privacy basics.
- Gmail & Yahoo sender requirements — the mailbox-provider rules that overlap with CAN-SPAM.
- Suppressions — the developer guide to the suppression list and its API.
- Categories — marketing vs transactional and how the category drives suppression policy.