How to Legally Send Unsolicited Email

The phrase “legally send unsolicited email” is more loaded than it sounds. Whether and how you can email someone you haven’t already heard from depends heavily on which jurisdiction’s rules apply — and in 2026 the rules differ sharply across the U.S., EU, Canada, and a growing list of state and country-specific privacy laws. Layered on top: the major mailbox providers (Gmail, Yahoo, Microsoft) introduced new sender requirements in February 2024 that effectively make unauthenticated bulk sending a deliverability dead end.

This guide covers what “legal” cold-email actually means in 2026, the laws that govern it, the technical requirements that determine whether your message gets delivered at all, and the practical principles that separate honest outreach from spam. The short version: in opt-in jurisdictions (EU under GDPR, Canada under CASL) you generally need prior consent before contacting individuals; in opt-out jurisdictions (U.S. under CAN-SPAM) you can send commercial email to people who haven’t opted in, but you must follow strict identification, transparency, and unsubscribe rules.

Know the laws that apply

CAN-SPAM Act (U.S., 2003)

The U.S. CAN-SPAM Act (15 U.S.C. § 7701 et seq.) is the federal baseline for commercial email. It does not require prior consent — meaning unsolicited commercial email is technically legal — but it imposes seven specific requirements: don’t use false or misleading header information; don’t use deceptive subject lines; identify the message as an ad; include a valid physical postal address; tell recipients how to opt out; honor opt-out requests within 10 business days; and monitor what others do on your behalf. Penalties run up to $53,088 per violation (FTC inflation-adjusted figure as of 2024). Enforced by the FTC.

GDPR (EU, 2018)

The General Data Protection Regulation applies whenever your message reaches an EU resident, regardless of where you’re based. Under GDPR plus the related ePrivacy Directive, marketing email to individuals generally requires prior, freely given, specific, informed, and unambiguous consent — pre-checked boxes don’t qualify. There is a narrow “soft opt-in” for existing customers receiving emails about similar products. Penalties run up to €20 million or 4% of global annual turnover, whichever is higher. Enforcement is real: the EU’s data-protection authorities have issued multi-million-euro fines for marketing-email violations.

CASL (Canada, effective 2014)

Canada’s Anti-Spam Legislation is one of the strictest. CASL requires express or implied consent before sending most commercial electronic messages (CEMs) to Canadians. Express consent must be opt-in, documented, and re-confirmable. Implied consent has narrow categories (existing business relationship, conspicuously published business address). Messages must include sender identification, contact information, and a working unsubscribe mechanism. Penalties run up to CA$10 million per violation for organizations.

U.S. state privacy laws

By 2026, more than 20 U.S. states have comprehensive privacy laws — California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Tennessee, Texas, Florida, Oregon, Montana, Iowa, Indiana, Delaware, New Jersey, New Hampshire, Kentucky, Rhode Island, Minnesota, Maryland, and others. Most include data-subject rights (access, deletion, opt-out of sale) that affect how email lists can be obtained, stored, and used. California specifically has additional rules for sending unsolicited commercial email to or from California addresses (Cal. Bus. & Prof. Code § 17529.5).

UK GDPR and PECR

Post-Brexit, the UK applies its own version of GDPR plus the Privacy and Electronic Communications Regulations (PECR). The substance is similar to EU GDPR — consent-based marketing email, narrow B2B exception, opt-out right — but UK enforcement (ICO) is independent of EU regulators.

Know the technical bar: Google and Yahoo bulk-sender requirements

Even if your message is legal, it has to actually reach the inbox. Google and Yahoo’s bulk-sender requirements, effective February 2024, set a hard technical floor for any sender pushing 5,000+ messages per day to Gmail or Yahoo accounts:

  • SPF (Sender Policy Framework) — DNS records that authorize specific IPs to send on behalf of your domain.
  • DKIM (DomainKeys Identified Mail) — cryptographic signatures that prove the message came from your domain and hasn’t been altered.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) — published policy that tells receiving servers what to do with messages that fail SPF/DKIM. Bulk senders need at least p=none with reporting enabled; p=quarantine or p=reject is recommended.
  • One-click list-unsubscribe per RFC 8058 — both the List-Unsubscribe header and the List-Unsubscribe-Post header so mailbox providers can offer one-click unsubscribe in their UI.
  • Spam complaint rate below 0.3% — measured by Gmail Postmaster Tools and Yahoo Sender Hub. Above 0.1% triggers warnings; sustained 0.3%+ triggers throttling or blocking.
  • Aligned From: header — the visible “From” domain must align with the authenticated sending domain.

Microsoft 365 / Outlook.com follows similar standards through their Smart Network Data Services. Apple iCloud Mail enforces SPF/DKIM/DMARC. Bottom line: in 2026 you cannot send bulk email at any meaningful scale without these technical controls in place. Most email-service-provider platforms (Mailchimp, Klaviyo, ActiveCampaign, HubSpot, Brevo, Customer.io, SendGrid, Postmark) handle the authentication setup for you, but the responsibility for monitoring complaint rates and list hygiene remains with the sender.
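The DMARC requirement and the "aligned From: header" item above both come down to one check: an authenticated identifier (SPF's MAIL FROM domain or DKIM's d= domain) must align with the visible From domain under the alignment mode the domain owner published. The following added example (not code from the original page or from DYNO Mapper) parses a DMARC record and applies that rule; the RECORDS table, the example.com domains and the two-label organizational-domain shortcut are assumptions.

```python
"""DMARC policy parsing and identifier alignment, for the bulk-sender floor described above.
Assumptions (not from the original page): DNS is replaced by the constructed RECORDS table, and
the organizational domain is approximated by the last two labels (real code needs the Public Suffix List)."""

# Constructed TXT records for a hypothetical sender domain.
RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; aspf=s",
}

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=...' into tags; adkim/aspf default to relaxed per RFC 7489."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])  # simplification, see docstring

def lookup_policy(from_domain: str) -> dict:
    """RFC 7489 lookup order: _dmarc.<From domain>, then _dmarc.<organizational domain>."""
    for name in (f"_dmarc.{from_domain}", f"_dmarc.{org_domain(from_domain)}"):
        if name in RECORDS:
            return parse_dmarc(RECORDS[name])
    raise LookupError("no DMARC record")

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_pass(from_domain: str, spf_domain=None, dkim_domain=None) -> bool:
    """DMARC passes only if SPF or DKIM passed AND that identifier aligns with the visible From
    domain. spf_domain is the MAIL FROM domain if SPF passed; dkim_domain is the d= of a
    passing signature; None means that mechanism did not pass."""
    p = lookup_policy(from_domain)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, p["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, p["adkim"])
    return spf_ok or dkim_ok

def meets_bulk_floor(txt: str) -> bool:
    """The page's minimum for bulk senders: a DMARC record (p=none or stricter) with reporting."""
    p = parse_dmarc(txt)
    return p["p"] in ("none", "quarantine", "reject") and "rua" in p
```

Note that with aspf=s a message from news.example.com whose SPF passed for bounce.example.com fails DMARC even though both are the same organization; that is exactly the misconfiguration that shows up as "unaligned" in Postmaster Tools.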

Get consent properly

Whatever jurisdiction you’re in, the safest stance is to obtain explicit consent — opt-in — before sending. This means:

  • Clear, specific opt-in. The sign-up form names the type of communication and the sender. Pre-checked boxes don’t qualify under GDPR or CASL.
  • Documented consent. Keep a record of when and how each subscriber opted in (timestamp, IP address, source URL, exact wording shown). You may need to produce this in response to a regulator inquiry.
  • Double opt-in for higher-risk lists or stricter jurisdictions. The subscriber confirms via a confirmation email after submitting the form.
  • Granular consent for separate purposes — e.g., a separate opt-in for product updates vs. marketing newsletters vs. third-party offers.

Lists obtained by purchase, scraping, fraud, or guessing addresses are illegal in most jurisdictions and operationally suicidal — they generate spam complaints, get you blacklisted by mailbox providers, and expose you to fines.

Identify the message clearly

CAN-SPAM specifically requires commercial messages to identify themselves as advertisements unless the recipient has previously consented. GDPR-style frameworks require transparent identification of the sender and the purpose of the email. Practical guidance:

  • From, Reply-To, and signature block all reflect a real, deliverable identity — not a generic alias like “noreply@” without a backing reachable email address.
  • Subject lines describe the email accurately. Don’t use re: or fwd: tricks; don’t imply a personal relationship that doesn’t exist.
  • Physical postal address appears in the email body or footer. CAN-SPAM requires this; it’s also good practice elsewhere.
  • Mark advertisements appropriately. When the message is purely promotional, label it. The FTC explicitly allows simple identifiers like adding “Advertisement” in the subject line or body.

Make unsubscribing trivial

Unsubscribe handling is the area where compliance and deliverability overlap most strongly:

  • One-click unsubscribe via the RFC 8058 List-Unsubscribe-Post header — required by Google/Yahoo for bulk senders since February 2024. The recipient’s mail client offers an “unsubscribe” button next to the From line; one click should suffice without further forms.
  • Visible unsubscribe link in every commercial email — usually in the footer, in plain language. CAN-SPAM requires this; CASL and GDPR effectively do too.
  • Process opt-outs within 10 business days (CAN-SPAM minimum) and ideally within 24-48 hours (operational best practice).
  • Don’t make recipients log in or fill out forms to unsubscribe. CAN-SPAM specifically prohibits opt-out mechanisms more onerous than the original opt-in.
  • Don’t share unsubscribed addresses with other senders or use them for further mailings — that’s a separate violation.
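The RFC 8058 mechanism named in the bulk-sender list and in the first bullet above has two halves: the sender adds a List-Unsubscribe header with an https URI and a List-Unsubscribe-Post header, and the sender's server accepts a bare POST at that URI with no login or further form. The following added example (not code from the original page or from DYNO Mapper) shows both halves; SECRET, the example.com URL layout and the in-memory SUPPRESSED set are assumptions, and the HMAC token is there so that a link for one recipient cannot be altered to unsubscribe someone else.

```python
"""RFC 8058 one-click unsubscribe: the headers a sender adds and the POST handler behind them.
Assumptions (not from the original page): SECRET, the /unsub URL layout and the in-memory
SUPPRESSED set are constructed for this example; production code stores suppressions durably
and DKIM-signs the two List-Unsubscribe headers as RFC 8058 requires."""
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-example-signing-key"   # assumption: per-sender secret
SUPPRESSED = set()                            # addresses that must never be mailed again

def unsubscribe_token(address: str, list_id: str) -> str:
    """Unguessable per-recipient token so one recipient cannot unsubscribe another."""
    data = f"{address.lower()}|{list_id}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()

def unsubscribe_url(address: str, list_id: str) -> str:
    query = urlencode({"addr": address, "list": list_id, "token": unsubscribe_token(address, list_id)})
    return "https://example.com/unsub?" + query

def build_message(to: str, list_id: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "Example Newsletter <news@example.com>"
    msg["To"] = to
    msg["Subject"] = "March product update"
    url = unsubscribe_url(to, list_id)
    # RFC 8058 needs an https URI here (a mailto: may be listed alongside it) ...
    msg["List-Unsubscribe"] = f"<{url}>, <mailto:unsub@example.com?subject=unsubscribe>"
    # ... and this exact value, which tells the mailbox provider that a single POST suffices.
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"Hello,\n\n(newsletter body)\n\nUnsubscribe: {url}\nExample Inc, 1 Main St, Anytown")
    return msg

def handle_unsubscribe(method: str, url: str, content_type: str, body: str) -> int:
    """Server side of the one-click POST; returns an HTTP status. No login, no second form."""
    if method != "POST":
        return 405
    # Providers send exactly this form body; anything else is not a one-click request.
    if (content_type.split(";")[0].strip() != "application/x-www-form-urlencoded"
            or body != "List-Unsubscribe=One-Click"):
        return 400
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if not all(k in q for k in ("addr", "list", "token")):
        return 400
    if not hmac.compare_digest(q["token"], unsubscribe_token(q["addr"], q["list"])):
        return 403   # forged or tampered link
    SUPPRESSED.add(q["addr"].lower())   # idempotent: a repeated click is still a 200
    return 200
```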

Write like a professional

Beyond legal compliance, the content of the email determines whether it gets read, ignored, or reported as spam:

  • Personalize where it makes sense. Modern ESPs make first-name and segment-based personalization easy. Don’t fake personalization — “Hi {{first_name}}” rendered as the literal placeholder is worse than no personalization.
  • Match subject line to body. Misleading subject lines violate CAN-SPAM and tank long-term sender reputation.
  • Edit hard. Spelling and grammar errors signal spam to both recipients and filters.
  • Use plain text alongside HTML. Most ESPs auto-generate the plain-text part; verify it looks reasonable. Some recipients (especially in regulated industries) read in plain text.
  • Avoid spam-trigger formatting. ALL CAPS subject lines, excessive punctuation (!!!), and unusual color schemes raise filter scores. Standard formatting beats novelty.
  • Keep attachments minimal. Large attachments slow delivery and increase spam suspicion. Link to a hosted file if you must include something.

Use a reputable email service provider

Modern email-marketing platforms handle the technical and compliance complexity that’s nearly impossible to manage from scratch. The major options:

  • Mailchimp — long-running, broad feature set, popular with small-to-mid-size businesses.
  • HubSpot — full marketing platform with email plus CRM, automation, landing pages.
  • Klaviyo — strong fit for ecommerce, deep Shopify integration.
  • ActiveCampaign — automation-focused, strong for B2B and SaaS.
  • Brevo (formerly Sendinblue) — popular in EU markets with native GDPR-aware features.
  • Customer.io — event-driven messaging for product-led companies.
  • SendGrid / Postmark / Amazon SES — transactional and developer-focused options.
  • ConvertKit (now Kit) — creator-focused email marketing.

All of these handle SPF, DKIM, DMARC setup, deliverability monitoring, list hygiene, and unsubscribe processing. Choose based on your stack, audience, and budget — but use one. Sending bulk email from your own SMTP server in 2026 is a deliverability and compliance nightmare unless you have a dedicated email-operations team.

Monitor reputation and engagement

Sender reputation is now an ongoing operational concern, not a setup task:

  • Gmail Postmaster Tools and Yahoo Sender Hub show your reputation, spam-rate, and authentication results across those mailbox providers.
  • SNDS (Smart Network Data Services) from Microsoft for Outlook.com / Hotmail visibility.
  • Bounce handling — automatically remove hard bounces (permanent failures); handle soft bounces (temporary issues) with retry policies; don’t resend to addresses that have repeatedly bounced.
  • Engagement-based segmentation — recipients who haven’t opened or clicked in 6-12 months should be re-engaged or removed. Mailbox providers use engagement signals to determine whether your messages reach the inbox.
  • Apple Mail Privacy Protection (since iOS 15, September 2021) pre-loads remote images for users who opt in, breaking traditional open-rate tracking. Plan your measurement around clicks, conversions, and revenue rather than relying solely on open rates.
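The bounce-handling bullet above distinguishes hard bounces (remove immediately), soft bounces (retry, then remove after repeated failures) and, implicitly, rejections that are the sender's fault rather than the address's. The following added example (not code from the original page or from DYNO Mapper) classifies SMTP replies by their RFC 3463 enhanced status code and derives a list action per address; the LOG entries and the SOFT_BOUNCE_LIMIT threshold are constructed assumptions.

```python
"""Bounce classification for the list-hygiene rules described above (added example).
Assumptions: the LOG entries are constructed SMTP replies, and SOFT_BOUNCE_LIMIT is an
arbitrary threshold, neither from the original page."""
import re
from collections import defaultdict

# Constructed delivery log: (recipient, final SMTP reply incl. RFC 3463 enhanced status code).
LOG = [
    ("alice@example.org", "550 5.1.1 The email account that you tried to reach does not exist"),
    ("bob@example.org",   "451 4.7.1 Try again later, too many connections"),
    ("bob@example.org",   "421 4.3.2 Service shutting down"),
    ("bob@example.org",   "452 4.2.2 Mailbox full"),
    ("carol@example.org", "550 5.7.26 Unauthenticated email is not accepted due to DMARC policy"),
    ("dave@example.org",  "250 2.0.0 OK"),
]
REPLY = re.compile(r"^(?P<code>[245]\d\d)(?:[ -](?P<esc>[245]\.\d{1,3}\.\d{1,3}))?")
SOFT_BOUNCE_LIMIT = 3   # consecutive soft bounces before an address is treated as dead

def classify(reply: str) -> str:
    """delivered / soft (4xx, retry) / hard (5xx, address is gone) / policy (5.7.x, sender problem)."""
    m = REPLY.match(reply)
    if not m:
        return "unknown"
    code, esc = m.group("code"), m.group("esc")
    if code.startswith("2"):
        return "delivered"
    # 5.7.x means the receiver rejected the sender (authentication/policy); the address may be valid.
    if esc and esc.startswith("5.7."):
        return "policy"
    return "hard" if code.startswith("5") else "soft"

def list_actions(log) -> dict:
    """Map each address to keep / retry / suppress / fix-auth from its delivery history."""
    soft_count = defaultdict(int)
    actions = {}
    for addr, reply in log:
        kind = classify(reply)
        if kind == "hard":
            actions[addr] = "suppress"          # permanent failure: never resend
        elif kind == "policy":
            actions[addr] = "fix-auth"          # check SPF/DKIM/DMARC before any retry
        elif kind == "soft":
            soft_count[addr] += 1
            actions[addr] = "suppress" if soft_count[addr] >= SOFT_BOUNCE_LIMIT else "retry"
        else:
            soft_count[addr] = 0                # a delivery resets the soft-bounce streak
            actions[addr] = "keep"
    return actions
```

Treating 5.7.x rejections as a sender-side problem matters: suppressing those addresses would shrink a healthy list while leaving the authentication failure that caused them in place.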

Frequently asked questions

Can I legally cold-email B2B contacts?

It varies. In the U.S., cold B2B email is generally permitted under CAN-SPAM if you follow the identification, advertisement, and opt-out rules. In the EU under GDPR, B2B is treated nearly the same as B2C — prior consent generally required. CASL has a narrow B2B exception for messages sent to a publicly listed business address, but the message must still meet identification and unsubscribe requirements. The UK’s PECR has a B2B exception for “corporate subscribers.” Treat each jurisdiction’s rules separately.

What happens if I don’t set up DMARC?

For bulk senders (5,000+/day to Gmail or Yahoo), your messages have been progressively throttled or rejected since early 2024, with increasingly aggressive enforcement through 2025-2026. For low-volume senders, you may still get through, but your reputation builds slowly and you’re more vulnerable to spoofing. Setting up DMARC is essentially required for any serious email program.

Are purchased lists ever legal?

In most jurisdictions, no — at least not in any usable way. GDPR and CASL effectively prohibit them because the recipients didn’t consent specifically to your sending. CAN-SPAM doesn’t require consent but requires that obtained addresses come through legitimate channels, and most purchased lists fail this. Even where technically legal, purchased lists generate high spam-complaint rates that destroy your sender reputation. Don’t buy lists.

What about purely transactional emails?

Transactional emails (order confirmations, password resets, shipping notifications, account alerts) are generally exempt from the consent and opt-out rules in most jurisdictions, since they’re necessary to fulfill an existing customer relationship. Don’t bury marketing content inside transactional emails — that risks losing the exemption and triggering CAN-SPAM/GDPR violations.

How do open rates work after Apple Mail Privacy Protection?

Open rates are no longer reliable. Apple Mail Privacy Protection pre-loads remote images for opt-in users, generating false “opens” for messages that may never have been read. Click rates, conversion rates, and downstream revenue are now the meaningful engagement metrics. Most modern ESPs explicitly mark Apple-MPP-influenced opens or offer click-based engagement segmentation as the alternative.

The bottom line

The 2026 reality is that “unsolicited” in the title’s sense is a US-centric framing — under CAN-SPAM you can legally send commercial email to people who haven’t opted in, but you can’t under GDPR, CASL, or most other strict jurisdictions. Even where unsolicited email is legal, the technical bar (SPF/DKIM/DMARC, list-unsubscribe, sub-0.3% spam rates) and the compliance overhead make opt-in the practical default. Get consent, set up authentication properly, use a reputable ESP, monitor reputation and engagement, and treat unsubscribe handling as table-stakes rather than an inconvenience. The principles aren’t complicated — but neither are the penalties when you skip them.
