
Cold email compliance in 2026 has two distinct layers that most guides treat as one. The legal layer — CAN-SPAM, GDPR, CASL — covers what you're permitted to send and to whom. The technical layer — SPF, DKIM, DMARC, sender reputation — covers whether what you send actually gets delivered. Both must be in place before you send. This checklist covers both.
Legal Compliance Layer: What the Law Requires
B2B cold email is legal in every major jurisdiction. The question isn't whether you can send — it's what requirements apply when you do.
| Regulation | Applies To | Key Requirements | Penalty Range |
|---|---|---|---|
| CAN-SPAM (US) | Emails to US recipients from US senders | Accurate sender info, physical address, opt-out mechanism, honour opt-outs within 10 days | Up to $51,744 per email |
| GDPR (EU) | Emails to EU residents regardless of sender location | Legitimate interest basis, right to erasure, privacy notice, opt-out mechanism | Up to €20M or 4% of global revenue |
| CASL (Canada) | Emails to Canadian recipients regardless of sender location | Express or implied consent, sender identification, physical address, opt-out mechanism | Up to CAD $10M per violation |
| PECR (UK) | Emails to UK recipients post-Brexit | Similar to GDPR — legitimate interest for B2B, opt-out required | Up to £500,000 |
🚩 This Is Not Legal Advice
This checklist provides a practical compliance overview for B2B cold email operators. It is not legal advice. Consult a qualified attorney for advice specific to your business, jurisdiction, and outreach program before relying on this content for legal decisions.
CAN-SPAM Compliance Checklist (US Senders)
CAN-SPAM is the most permissive of the major regulations — it doesn't require prior consent for B2B commercial email, just compliance with six specific requirements.
☑️Accurate From, To, and Reply-To Information
The sender name and email address must accurately identify who is sending. No fake names, no misrepresented domains, no "from" address that deceives the recipient about the sender's identity.
☑️Non-Deceptive Subject Lines
Subject lines cannot misrepresent the email's content. "Re: Our conversation" when no conversation occurred is a CAN-SPAM violation. Subject lines must reflect the email's actual content and intent.
☑️Physical Postal Address
Every commercial email must include a valid physical mailing address — your registered business address, office, or a P.O. Box registered in your company's name. Include in a 1–2 line footer on every email template.
☑️Opt-Out Mechanism
Every email must include a clear way to opt out. For cold email, a plain-text line — "Reply STOP to opt out" or "Not relevant? Reply and I'll remove you" — satisfies this requirement without a formal unsubscribe link.
☑️Honour Opt-Outs Within 10 Business Days (Immediately in Practice)
When someone opts out, remove them from all sequences. The legal maximum is 10 business days — but in practice, remove immediately. Your cold email platform should handle this automatically via opt-out detection. Verify it's active.
GDPR and CASL Compliance Checklist (EU and Canadian Recipients)
GDPR and CASL are stricter than CAN-SPAM but still permit B2B cold email with the right framework in place.
GDPR Checklist (EU Recipients)
☑️Legitimate Interest Documented
Your privacy policy must document your legitimate interest basis for processing contact data for outbound sales. The contact is a business professional in a role relevant to your product — this is the standard legitimate interest basis for B2B cold email under GDPR.
☑️Data Minimisation
Only collect and use the contact data you need — name, email, company, role. Don't build profiles beyond what's relevant to the outreach purpose.
☑️Right to Erasure Process
When an EU contact requests deletion of their data, you must delete it within 30 days. Have a documented process for handling these requests across your CRM and campaign platform.
☑️Easy Opt-Out in Every Email
A clear, functional opt-out mechanism must be present in every email to EU recipients. The same plain-text approach that satisfies CAN-SPAM works here too.
CASL Checklist (Canadian Recipients)
☑️Implied Consent Basis Documented
Implied consent under CASL applies when the recipient's contact information is publicly available in connection with their business role (company website, LinkedIn, industry directory) and your email is relevant to their role.
☑️Sender Identification
Your company name, physical address, and contact information must be present in every email. CASL requires more complete identification than CAN-SPAM — include company name, address, and a way to reach the sender beyond just a reply address.
☑️Functional Opt-Out — Honoured Within 10 Business Days
Same as CAN-SPAM — honour immediately in practice, not within the 10-day maximum. CASL penalties are significantly higher than CAN-SPAM (up to CAD $10M vs $51,744) — the compliance standards are the same minimum but the stakes are higher.
Technical Compliance Checklist: Authentication and Infrastructure
Technical compliance isn't a legal requirement in most jurisdictions — but it's a practical requirement for email delivery in 2026. Google's February 2024 sender requirements made SPF, DKIM, and DMARC mandatory for senders sending to Gmail at scale. Microsoft has equivalent requirements. Every inbox you send from must pass these checks.
☑️SPF Record Configured and Passing
One SPF TXT record per sending domain. For Google Workspace: v=spf1 include:_spf.google.com -all. For Microsoft 365: v=spf1 include:spf.protection.outlook.com -all. Use -all (hard fail). Verify on mxtoolbox.com — should show SPF PASS.
☑️DKIM Activated and Passing
DKIM must be both published in DNS and activated in your email provider's admin console. For MS365, DKIM signing must be enabled in Microsoft 365 Defender — adding DNS records alone is insufficient. Verify via Gmail header check: should show DKIM: PASS.
☑️DMARC Record Published
DMARC TXT record at _dmarc.[yourdomain]. Start at p=none during first 2 weeks to monitor. Move to p=quarantine after reviewing clean reports. Minimum: v=DMARC1; p=none; rua=mailto:dmarc@[yourdomain].
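The three authentication checks above can be linted before you touch MXToolbox. This is an added example, not Litemail's code or tooling: it takes the TXT records a domain returns (here constructed strings, not real DNS answers), flags a soft-fail `~all`, a missing or duplicated SPF record, and a DMARC record without `rua=`, and pulls the SPF/DKIM/DMARC verdicts out of a constructed Gmail `Authentication-Results` header value. DKIM signing activation cannot be judged from DNS alone, which is why the header parser is included.

```python
import re

# Constructed sample DNS records and header; none belong to a real domain.
SPF_WEAK = "v=spf1 include:_spf.google.com ~all"
SPF_GOOD = "v=spf1 include:_spf.google.com -all"
DMARC_BAD = "v=DMARC1; p=none"
DMARC_MIN = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
AUTH_RESULTS = ("mx.google.com; dkim=pass header.i=@example.com header.s=google; "
                "spf=pass smtp.mailfrom=user@example.com; "
                "dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com")

def check_spf(txt_records: list[str]) -> list[str]:
    """Lint all TXT records of one domain; an empty list means SPF looks right."""
    spf = [r for r in txt_records if r.split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # none fails outright; two or more is a permerror at receivers
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    findings, qualifier = [], None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            qualifier = m.group(1) or "+"  # no qualifier means pass (+all)
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    elif qualifier != "-":
        findings.append(f"'{qualifier}all' is not a hard fail; use -all")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Lint a _dmarc TXT record against the minimum: v, a valid p, and rua present."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua=mailto: tag, so there are no reports to review before leaving p=none")
    return findings

def parse_auth_results(header: str) -> dict[str, str]:
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header value."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

if __name__ == "__main__":
    print(check_spf([SPF_WEAK]), check_spf([SPF_GOOD]))
    print(check_dmarc(DMARC_BAD), check_dmarc(DMARC_MIN))
    print(parse_auth_results(AUTH_RESULTS))
```

Feed `check_spf` the full list of TXT records for the domain, not just the SPF one, so a second accidental `v=spf1` record is caught.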
☑️Pre-Warmed Inbox With Genuine Sending History
Fresh inboxes land in spam 40–60% of the time on cold lists. Pre-warmed inboxes with 4–12 weeks of genuine sending history show Good or High reputation in Google Postmaster Tools and deliver to primary inbox at 88–96%. Verify in Postmaster Tools before the first campaign send.
☑️Dedicated IP Addresses
Shared IPs expose your deliverability to other senders' behaviour. Dedicated IPs isolate your reputation entirely. All Litemail pre-warmed inboxes use dedicated US and EU IP addresses at no extra cost — $4.99/inbox.
☑️Separate Cold Email Domain from Primary Domain
Never send cold email from your primary business domain. Register a variant domain for cold email outreach. If the cold email domain gets flagged or its reputation degrades, your primary domain stays clean.
☑️Spam Complaint Rate Under 0.08%
Google's sender guidelines specify a spam complaint rate under 0.10% to avoid delivery issues — with a safe zone below 0.08%. Monitor complaint rate in your campaign platform or via Google Postmaster Tools. Above 0.08% requires immediate investigation.
☑️Hard Bounce Rate Under 2%
Run every prospect list through an email verification tool (NeverBounce, ZeroBounce) before the first campaign send. Target a hard bounce rate under 2%. Above this threshold, domain reputation degrades regardless of inbox warmup quality.
Verify Compliance Before Every Campaign Launch
Run this 5-point verification before every new campaign — not just on initial setup. DNS records change. Lists degrade. Reputation shifts. A 15-minute check before each campaign launch protects every campaign investment.
MXToolbox full deliverability check — all five items green (MX, SPF, DKIM, DMARC, blacklist).
Mail-tester.com score — 9/10 or 10/10 from each sending inbox.
Google Postmaster Tools domain reputation — Good or High. Medium = investigate before sending. Low or Unknown = stop and fix infrastructure.
List verification — bounce rate check on new list segments through NeverBounce or ZeroBounce.
Opt-out mechanism active — verify your campaign platform's opt-out detection is enabled and processing removals.
Start Compliant From Day One — Pre-Configured Infrastructure
Litemail handles the technical compliance layer — SPF, DKIM, DMARC pre-configured on every inbox, verified Good reputation, dedicated IPs. You add the legal layer. $4.99/inbox.
Get Pre-Warmed Inboxes from $4.99 →
SPF, DKIM, DMARC pre-configured · Verified Good/High reputation · Dedicated US and EU IPs · No minimum order
About Litemail — Litemail provides pre-warmed Google Workspace and Microsoft 365 inboxes for cold email outreach. From $4.99/inbox with automated DNS, dedicated US and EU IPs, and full admin access. View pre-warmed inbox plans →
Related reading:
CAN-SPAM and GDPR Cold Email Guide · CASL Cold Email Compliance Canada 2026 · Is Cold Email Legal? 2026 Country Guide · Cold Email Compliance Audit 2026 · SPF, DKIM, DMARC Setup Guide 2026
Key Takeaways
Cold email compliance has two distinct layers: legal (CAN-SPAM, GDPR, CASL) and technical (SPF, DKIM, DMARC, sender reputation). Both must be in place before the first campaign send.
CAN-SPAM requires: accurate sender info, non-deceptive subject lines, physical mailing address, opt-out mechanism, and honouring opt-outs within 10 business days (immediately in practice).
GDPR permits B2B cold email to EU contacts under legitimate interest — provided the contact is a business professional in a relevant role, your privacy policy documents the basis, and opt-out is easy.
CASL permits cold email to Canadian business professionals when their contact information is publicly available in connection with their role — but penalties are significantly higher than CAN-SPAM (up to CAD $10M).
Technical compliance minimums in 2026: SPF configured with -all, DKIM activated (not just published), DMARC at minimum p=none with reporting, spam complaint rate under 0.08%, and hard bounce rate under 2%.
Litemail pre-warmed inboxes arrive with SPF, DKIM, and DMARC pre-configured and verified — the technical compliance layer handled at $4.99/inbox. Your responsibility is the legal layer: footer, opt-out, and privacy documentation.
Frequently Asked Questions
Is cold email legally compliant in 2026?
Yes. B2B cold email is legal in the US (CAN-SPAM), EU (GDPR legitimate interest), Canada (CASL implied consent), and the UK (PECR legitimate interest) with specific requirements in each jurisdiction. None of these regulations ban cold B2B email — they regulate how it must be conducted. This is not legal advice — consult a qualified attorney for advice specific to your situation.
What must be in every cold email for CAN-SPAM compliance?
Accurate sender name and email address, non-deceptive subject line, physical mailing address (one line in the footer), and a functional opt-out mechanism (a plain-text line like "Reply STOP to opt out" satisfies this). Honour opt-out requests immediately upon receipt — the legal maximum is 10 business days, but immediate removal is the correct standard.
Does GDPR allow cold email to European business contacts?
Yes — under the legitimate interest legal basis. The recipient must be a business professional in a role relevant to your product or service, your privacy policy must document the legitimate interest basis for outbound sales data processing, opt-out must be easy and honoured promptly, and data deletion requests must be fulfilled within 30 days. Consult a lawyer for advice specific to your situation before relying on this summary.
What is the spam complaint rate limit for cold email in 2026?
Google's published threshold is below 0.10% to avoid delivery issues, with a recommended safe zone below 0.08%. Microsoft's SNDS has equivalent thresholds. Keep your complaint rate under 0.08% — above this level, domain reputation begins degrading in both Google Postmaster Tools and Microsoft's sending reputation systems. Monitor via your campaign platform's complaint tracking and Postmaster Tools weekly.
Do I need SPF, DKIM, and DMARC for cold email compliance in 2026?
Practically yes. Google requires SPF, DKIM, and DMARC for senders sending more than 5,000 emails per day to Gmail addresses (since February 2024). For all senders, these records are now table stakes for reliable email delivery — receiving servers use them to authenticate every inbound email before deciding how to route it. Without all three passing, cold email deliverability is significantly impaired regardless of volume.
Does Litemail help with cold email compliance?
Litemail handles the technical compliance layer: SPF, DKIM, and DMARC pre-configured and verified on every pre-warmed inbox before delivery. Dedicated IPs, Good/High Postmaster reputation, and full admin access are included at $4.99/inbox. Legal compliance — footer with physical address, opt-out mechanism, privacy policy documentation, data deletion processes — is your responsibility as the sender. This checklist covers both layers in full.

