Email marketing raises serious legal, practical, and ethical issues, and today’s marketer needs to understand the laws, limits, and best practices of the industry.

In this guide, we’ll dive into what permission is, spam laws, sender reputation, and authentication.

Chapter 1

Why email permissions matter

You might think that managing email permission is outside your job description, that you can just design and send email. In some situations, that may well be true. But even so, there’s a huge need for marketers to understand the legal, practical, and ethical issues around email marketing.

Why should you care? Pragmatically, if you send email newsletters, you should be able to explain the laws, limits, and best practices of the industry. It will prevent your company from running into problems, thereby making your role indispensable to the organization.

On a personal level, we should all care about email permission because we all receive commercial emails, and not always by choice. Too many people send unwanted email with the help of designers who never bothered to check who the subscribers were going to be.

Finally, you need to know about email permission so that you stay on the right side of the law and avoid any legal problems. So, now that I’ve convinced you of the need to care about permission, let’s ask an even more fundamental question: what is permission anyway?

Chapter 2

Email spam: know the rules

My first rule of email spam is that any email that contains the phrase “this is not spam” is almost always spam. My second rule of spam is that nobody thinks that what they’re sending is spam.

Of course, this is a massive oversimplification. Obviously some people really are unrepentant spammers who know exactly what they’re doing, but many more senders are convinced that what they’re doing is not spam, while their recipients think otherwise.

As designers, we obviously need to avoid sending emails that are considered spam by the law. But it’s an often-ignored fact that we should also avoid sending emails that are perceived as spam. We’ll look into that in a moment, but first we’ll start with the broadest and most widely accepted definitions of what constitutes spam: the legal definitions. In fact, there’s a whole slew of legal definitions, depending on where you’re based. The most well-known of these laws, which we touched on in the section called “Legal Compliance” in Chapter 3, is the US CAN-SPAM Act.

Email Spam Laws

If you’re sending email as a US company (or for a US company), you’re legally bound to comply with the CAN-SPAM laws. For the full details on your obligations, see

Here are the core requirements, directly from the Federal Trade Commission, the principal US consumer protection agency:

Don’t use false or misleading header information

The From, Reply To, and other address details should all be valid and accurate for the sender and recipient.

Don’t use deceptive subject lines

The subject line should accurately reflect the content of the email.

Identify the message as an advertisement

Don’t try to disguise it as a personal email, for example. This law indicates why you sometimes see [ADV] in subject lines.

Tell recipients where you’re located

Include a valid, physical postal address for the sender.

Provide a way to opt out

You must include a clear, prominent way to opt out of future email (which can be automated or manual).

Honor opt-out requests promptly

You must give people a way to opt out that’s available for at least 30 days after you send them the email, and you must act on a request to opt out within ten business days, for free. An online opt-out must only require sending a single email, or visiting a single page.

These are the guidelines as of February 2010, but keep in mind that the FTC has made additional rulings since first issuing the laws, so you need to keep an eye out for any future updates.

Many countries have published their own laws regarding spam and commercial email. For a list of relevant laws, see

Wherever you live, you need to know the legal issues for your company. However, complying with the law is just part of the equation; there are other issues with which to contend.

Chapter 3

Email permission vs email spam

What the law considers to be spam is often quite distinct from (and much narrower than) what the typical email reader considers spam. As a consequence, what an ISP or an email service provider considers spam will often include a lot more than what the laws cover.

Jason Fried and David Heinemeier Hansson of the opinionated web application firm Basecamp make this point in Rework (New York: Crown Business, 2010):

Spam is a way of thinking. It’s an impersonal, imprecise, inexact approach. You’re merely throwing something against the wall to see if it sticks. You’re harassing thousands of people hoping that a couple will respond. Press releases are spam. Each one is a generic pitch for coverage sent out to hundreds of journalists you don’t know hoping that one will write about you. Resumés are spam when someone shotguns out hundreds at a time to potential employers. They don’t care about landing your job, they just care about landing any job. Spam is basically a half-ass way of getting someone’s attention. It’s insulting, really.

Legally speaking, press releases and resumés are not spam, but the authors of the book consider those kinds of email to be just as spammy as unwanted product solicitations. This is a redefinition of spam to extend beyond emails I didn’t ask for to also include emails that are irrelevant or worthless.

A 2008 survey by Q Interactive and MarketingSherpa has confirmed that this is a growing definition for individuals as well:

Underscoring consumers’ varying definitions of spam, respondents cited a variety of non-permission-based reasons for hitting the spam button, including “the email was not of interest to me” (41 percent), “I receive too much email from the sender” (25 percent), and “I receive too much email from all senders” (20 percent).

From an email sender’s perspective, this can seem unfair. You gather permission according to all the relevant laws, but are still labeled a spammer. Features like the unsubscribe button can make it easier for people to achieve the result they want (less email) without having to accuse a sender of spamming; until this type of feature becomes more common, though, the spam button will continue to serve as a proxy for “I don’t want your emails.”

Email providers and ISPs have publicly admitted to using the same kind of judgment in deciding what counts as email abuse:

Operationally, we define spam as whatever consumers don’t want in their inbox.

– Yahoo Mail (Miles Libbey, anti-spam product manager)

I don’t care if they’ve triple opted-in and [given] you their credit card number…relevance rules, and catering to end user preferences is top priority.

— AOL (Charles Stiles, AOL Postmaster)

We need to think really a step beyond opt-in and focus on the consumer’s expectations, relevancy, and frequency.

— Microsoft/ (Craig Spiezle, online safety evangelist)

Sometimes people are afraid to report a message because they aren’t sure if it is “really” spam or not. Our opinion is that if you didn’t ask for it and you don’t want it, it’s spam to you, and it should be reported.

— Gmail (Brad Taylor, Google engineer)

Chapter 4

The rise of relevance

You need more than just permission; you also need to put yourself in your subscribers’ shoes. They signed up for information about one of your products, but does that mean they want to be emailed about your other products? Not necessarily.

You’ve worked with your team to determine that you can legally send to subscribers, but there’s still work to do. Now you’re into the gray area of interest, relevance, and potentially “stale” permission.

There’s no way to guarantee that someone, somewhere won’t consider any particular email to be spam. In fact, those in the tech industry are the most likely to make blanket statements about all marketing emails being spam, or even all HTML emails.

It’s just impossible to make everyone happy, especially those who somehow believe that banning HTML email would eradicate spam (instead of creating more plain text spam, which is what would happen). So, what to do?

The best way to avoid being blocked, deleted, flagged, junked, or just plain ignored is to work very hard at making your emails relevant, usable, and useful. That means providing the information you promised when people signed up, and not taking the permission granted for one type of information and stretching it out to cover other topics.

Practically, this means being clear about why people should sign up, and then providing those benefits consistently. As marketers, we can take this all the way from the initial sign-up form. Compare the two sign-up forms shown in Figure 5.1 and Figure 5.2.

Figure 5.1. Generic form

Figure 5.2. Sign-up form explaining benefits and showing an example issue

Even before any email is sent, each form has created its distinct audience. People who signed up through the first form will be expecting a newsletter, yes, but what will it contain? What will it look like? How frequently will they receive it?

They could be imagining something quite different from what you actually intend to send. If it turns out to be unsatisfactory, they may simply unsubscribe. But they might also mark your email as spam. Subscribers to the second form will be expecting exactly what you intend to send, so they’ll know it when they see it, and they’re more likely to remember signing up for it.

Designing for relevance carries through to the content. You need to make sure that not only is the actual subject matter relevant, but that the design makes this clear by putting the valuable information up front, rather than burying it in unrelated promotions or cross-selling.

Providing timely and useful information is the best defense against spam complaints, not to mention apathy and indifference. After all, receiving no response at all can be even more disheartening than receiving complaints.

Chapter 5

Reporting email scams

Even the cleanest, most permission-based of lists will probably result in a complaint or two eventually. Not every complaint is legitimate—some are accidentally triggered, and others are from readers who think that hitting “mark as spam” is the easiest way to unsubscribe. As we saw in the section called “Permission vs. Spam”, many email software companies are actively encouraging this kind of behavior, so you need to know what it means and how to react.

Spam complaints come in a few forms, so knowing what they all are helps when trying to avoid them (as well as when dealing with the ones that are impossible to avoid).

Direct Complaints

Direct complaints are when a subscriber actively sends an email that says, literally, “This is spam” or calls on the phone. The complaint might come directly to you, to your email service provider, or even to the ISP that provides bandwidth for the servers that send the emails.

Email Feedback Loops

Some ISPs and email providers (Comcast and are two examples) have special systems set up that can collect complaints from their users and forward them on in a specific format to the email service provider that sends the emails.

The service provider then receives those complaints and processes them according to its company policy. In the case of Campaign Monitor, the recipient is automatically unsubscribed, and a record is added to the sender’s campaign report showing that a complaint was made. This is fairly typical of the way feedback loop complaints are handled.

Feedback loops are almost always triggered by direct action (that is, a reader clicking a “Mark as spam” button or similar) rather than by an automated filter process. So the end result is much the same as a direct complaint, except that it can more easily be acted on, since it’s in a format that can be actioned by an automated software process.

If you choose to use an email service provider, you can check with them as to whether they’re integrated with feedback loops. While it might seem risky to open yourself up to such direct complaints, it’s better to handle them right away than find out that you’ve been blacklisted later on. You can find a list of the major feedback loops here.

Automated Email Filtering

Some email systems will generate warnings and complaints when they detect a certain volume or frequency of emails that are considered possible spam. Generally those will be sent to your email service provider rather than directly to you as the sender, but your email service provider would then follow up with you.

In all cases, being able to show how permission was obtained for any particular subscriber is critical. A fast, detailed response to a complaint that provides permission details and offers to unsubscribe the address will usually avoid any ongoing problems.

Clients often feel understandably defensive about their lists and can be tempted to respond aggressively, but it’s important to make them understand that this kind of response is counterproductive. Although some complaints may well be unfair, email providers have to take each one seriously, so it pays to be prepared with evidence of an email list that’s fully permission-based.

Keeping a record of who has complained is essential, in order to avoid emailing them again. Some email systems will do this for you, and you should find out if that’s the case for your provider.
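To show what "a format that can be actioned by an automated software process" and "keeping a record of who has complained" look like together, here is an added example (not from the original guide or from any provider's code). It assumes the feedback loop delivers reports in the Abuse Reporting Format (RFC 5965); the sample report, addresses, and function names are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample report in the Abuse Reporting Format (RFC 5965).
SAMPLE_REPORT = """\
From: fbl@mailbox-provider.example
To: abuse@esp.example
Content-Type: multipart/report; report-type=feedback-report; boundary="arf"

--arf
Content-Type: text/plain

This is an abuse report for a message sent to one of our users.

--arf
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Original-Rcpt-To: <reader@example.net>

--arf
Content-Type: message/rfc822

From: news@sender.example
To: reader@example.net
Subject: Monthly newsletter

Hello!
--arf--
"""


def complaint_from_arf(raw):
    """Parse one feedback-loop report; return None if it is not ARF."""
    msg = message_from_string(raw, policy=policy.default)
    report_type = str(msg.get_param("report-type", "")).lower()
    if msg.get_content_type() != "multipart/report" or report_type != "feedback-report":
        return None
    fields = original = None
    for part in msg.walk():
        # The stdlib parser exposes the body of a message/* part as a
        # nested message, so the report fields read like headers.
        ctype = part.get_content_type()
        if ctype == "message/feedback-report" and fields is None:
            fields = part.get_payload(0)
        elif ctype == "message/rfc822" and original is None:
            original = part.get_payload(0)
    if fields is None:
        return None
    # Original-Rcpt-To is optional; fall back to the To header of the
    # returned copy of the campaign email.
    rcpt = fields.get("Original-Rcpt-To")
    if not rcpt and original is not None:
        rcpt = original.get("To")
    address = parseaddr(str(rcpt))[1].lower() if rcpt else ""
    feedback_type = str(fields.get("Feedback-Type", "")).strip().lower()
    return {"type": feedback_type, "recipient": address or None}


def record_complaint(suppressed, complaint):
    """Add the complainant to the suppression set; True if newly added."""
    if not complaint or not complaint["recipient"]:
        return False
    if complaint["type"] == "not-spam" or complaint["recipient"] in suppressed:
        return False
    suppressed.add(complaint["recipient"])
    return True
```

Every send should be filtered against the suppression set, so that a complainant is never emailed again even if the address is later re-imported.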

Above all, spam complaints are valuable feedback and should be accepted as your recipients letting you know something about your list. By reading their minds a little, we can interpret a simple spam complaint in different ways:

“I don’t remember signing up for this.”

How long ago did the people on your list sign up? It could be that the span of time between signing up and receiving an email was too long, or that the signup form was unclear about how frequent the emails would be.

“I did not agree to these emails.”

Was the opt-in process very clear? A common cause of complaints is forcing people to join your list as part of entering a competition. Both the sign-up form and the emails themselves need to be extremely clear about what’s happening. If a reader signed up to win a prize, but the first email makes no mention of the competition at all, they’re much more likely to consider it spam.

“This is not useful information.”

Perhaps the content of the email isn’t what was promised. Don’t promise useful hints and tips and then send promotional junk every month.

“I don’t care about this anymore.”

Maybe the reader just moved on and no longer has a need for your product or service. The spam complaint might mean they don’t want to receive your emails anymore and thought hitting “Mark as spam” was the best way to achieve it.

“I can’t be bothered to unsubscribe.”

Related to the previous point. As I’ve already mentioned, making the unsubscribe link hard to find is self-defeating. If your reader doesn’t want any more emails, don’t try to trick them into staying on your list. Put a simple and clear unsubscribe link right up front, and avoid forcing people to complain.

Any email newsletter service you use will have their own spam complaint process, which you’ll need to understand. Most people never run into serious complaints, but it can happen and you do need to be prepared.

How many complaints is too many?

There isn’t any one number that you can rely on. Every email service will have their own “safe” level, but even one complaint can cause problems if it reveals that permission was not obtained properly.

In practice, there’s always a “normal” level of complaints, appearing like background radiation no matter what you do. That number is typically very low, around 0.01%. If your campaigns are receiving complaints at around that frequency, there’s no need to be too concerned.

Obviously, if you’re dealing with very small lists one complaint can be a big percentage, so in order to gain an accurate view you’ll need to average it out over a number of campaigns.

Again, check with the system you use to email, or with your ISP, as to what they consider to be a bad number of complaints.

Chapter 6

Email blacklists, whitelists and sender reputation

Due to years of abuse from deliberate spammers, hundreds of services have popped up to deal with this problem. If you’re using an external provider, they’ll generally take care of ensuring that their emails bypass these anti-spam services.

If you’re using your own servers, your client’s servers, or a dedicated external server, the task will fall to your client and their consultants to handle it. Such details fall outside the scope of this book, but having a good understanding of what blacklists are and how they work will help with planning and implementing your email campaigns.

Email blacklists

In the email world, a blacklist (also called DNSBL for DNS Based Black List) is a list of IP addresses that are linked in some way to spam. Anti-spam software and mail servers can refer to this list of addresses when receiving mail, to decide whether to allow it to be delivered. Blacklists can form a part, or the whole, of the process of filtering an email.

If the server you use to send email is listed on a major blacklist, your emails may be more heavily filtered, or be blocked altogether. A major part of an email service provider’s value is in monitoring these lists and making sure that their IP addresses remain off blacklists.

Inevitably, legitimate servers will be listed (perhaps because of inaccurate complaints), but a good email service will follow up and usually be delisted fairly quickly. If your client wants to handle sending the emails themselves, or wants you to handle it, you should make them aware of the amount of work that can be involved in managing this part of the equation.

To find out if a particular IP address is listed, you can go directly to a specific list provider. Alternatively, you can use one of the aggregator tools, such as, and enter the IP address there.
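What the aggregator tools do under the hood, as an added example that is not part of the original guide: a DNSBL client reverses the IPv4 octets, appends the list's DNS zone, and treats an answer in 127.0.0.0/8 as a listing. The zones dnsbl.example.org and wildcard.example.net, the sample addresses, and the in-memory resolver are constructed so the check runs without network access.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def check_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Return 'listed', 'clean' or 'invalid-answer' for one IP on one list.

    `resolve` maps a DNS name to an IPv4 string and raises socket.gaierror
    when the name does not exist; it is injectable so the check can be
    exercised offline.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = ipaddress.ip_address(resolve(name))
    except socket.gaierror:
        # No record published: not listed. A production check should also
        # separate "name does not exist" from resolver failures.
        return "clean"
    if answer in LOOPBACK:
        return "listed"           # lists answer with 127.0.0.x codes
    # A non-loopback answer usually means a wildcarded or expired zone, or
    # a resolver rewriting missing names; never treat it as a listing.
    return "invalid-answer"


def sending_ip_status(ip, zones, resolve=socket.gethostbyname):
    """Check one sending IP against several lists."""
    return {zone: check_dnsbl(ip, zone, resolve) for zone in zones}


# Constructed zone data standing in for real DNS (hypothetical lists).
FAKE_DNS = {
    "2.0.0.127.dnsbl.example.org": "127.0.0.2",     # conventional test entry
    "10.2.0.192.dnsbl.example.org": "127.0.0.4",
    "10.2.0.192.wildcard.example.net": "203.0.113.9",
}


def fake_resolve(name):
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "name not found") from None


if __name__ == "__main__":
    zones = ["dnsbl.example.org", "wildcard.example.net"]
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, sending_ip_status(ip, zones, fake_resolve))
```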

Email whitelists

Where a blacklist works by letting all email past except for mail from specific IPs, a whitelist takes the opposite approach and blocks everything by default. Only email from a specified set of IP addresses is allowed past.

Historically, some of the large email providers did have systems for whitelisting known senders, but this approach is becoming increasingly rare as they move to reputation-based systems that measure complaints, volume of sends, bounces, and the like. If your client is having problems reaching a particular domain, especially if it belongs to a smaller company, requesting to be added to the domain’s whitelist can often resolve the problem.

Overall, this kind of list-based spam system is only a small part of the email game. If we all concentrate on sending relevant, useful information that people have actually requested, we’ll be in the best position to have our emails delivered in the long term.

Sender reputation

While both blacklists and whitelists are declining in relevance and importance, sender reputation is rapidly becoming the key way of ensuring emails are delivered. Organizations like Return Path provide a service that ranks email senders according to a combination of metrics mixed into a single score that represents the reputation of the sender.

Email administrators and providers can use that rating in their filtering when deciding if an email is legitimate. According to Ken Takahashi of Return Path, the following elements make up a sender reputation:

  • the volume of email you send (and how consistent that volume is)
  • the number and percentage of bounces your emails receive
  • the rate of complaints
  • whether you’re emailing known spam trap addresses (email addresses specifically set up just to catch spam, and never opted into or signed up for anything)
  • longevity of business (how long you’ve been sending)
  • infrastructure (whether you have all the capabilities to handle authentication, bounces, unsubscribes, and the like)

Looking at this list, it’s clear that a quality email service provider is well worth the cost, as there’s a lot of work in maintaining a system that deals with all those areas. A great resource for understanding how sender reputation impacts on deliverability and permission can be found at

Chapter 7

Understanding email authentication

In this chapter, we’ve used the word “permission” to refer to an individual opting in to receive emails from a person or business. There’s also another definition of permission in email, and that is at the mail server level.

Authentication is a way for a domain owner to say, “I give my permission for emails to be sent on my behalf by this mail server.”

Because of the way email was originally built, it’s difficult to prove that an email is actually coming from the person who claims to be sending it. Email authentication fixes this by letting you add some simple information to your domain’s DNS records that define who’s allowed to send email on your behalf.

The authentication standard that ESPs use is DomainKeys/DKIM. It’s important to implement this, if you wish to maintain optimal delivery rates.

All the large ISPs like AOL,, Yahoo, and Gmail are using email authentication as an important layer in deciding whether to allow an email to be delivered. By using authentication, you can instantly bypass some filters, giving your campaigns a better chance of arriving in the destination inbox.

Not only that, but many ISPs, such as Yahoo and, will visually flag your email as authenticated, which helps to build trust between you and your subscribers, improving the chances of your emails being opened. To implement it, you’ll need access to the DNS for the sending domain, so it’s infeasible if you want to apply it to your client’s address. For a corporate domain, adding authentication records (normally given to you by your email service provider) is a great idea.
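To make the DNS side of DKIM concrete, here is an added example (not from the original guide or from any email service provider): it derives the DNS name where a receiver looks up the signer's public key from a DKIM-Signature header, then checks a published key record for common problems. The signature, selector esp2010, domain sender.example, and key bytes are constructed placeholders, and no DNS query is made.

```python
import base64
import binascii

# Constructed inputs: not a real signature and not a real key.
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; d=sender.example; s=esp2010;\r\n"
                    " c=relaxed/relaxed; h=from:to:subject;\r\n"
                    " bh=Y29uc3RydWN0ZWQ=; b=Y29uc3Ry\r\n dWN0ZWQ=")
PLACEHOLDER_KEY = base64.b64encode(b"constructed placeholder, not a key").decode()
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + PLACEHOLDER_KEY


def parse_tags(text):
    """Parse a DKIM 'tag=value; tag=value' list into a dict."""
    tags = {}
    for item in text.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % item.strip())
        name = name.strip()
        # base64 values may be folded across lines; drop the whitespace
        value = "".join(value.split()) if name in ("b", "bh", "p") else value.strip()
        tags[name] = value
    return tags


def dkim_key_name(signature_header):
    """DNS name of the TXT record holding the signer's public key."""
    tags = parse_tags(signature_header)
    return "%s._domainkey.%s" % (tags["s"], tags["d"].lower())


def lint_key_record(txt):
    """Return a list of problems in a published DKIM key record.

    Only the record syntax is checked; the decoded bytes are not verified
    to be a well-formed public key.
    """
    tags = parse_tags(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unsupported version")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("key revoked (empty p=)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        problems.append("testing mode (t=y)")
    return problems
```

A record in testing mode or with an empty p= tag gives receivers no usable signature, so a campaign can look "authenticated" in your provider's settings while being treated as unsigned on arrival.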

While your email may still be delivered even if you are not using authentication, ISPs are continually adjusting their spam filtering rules, so it’s worth investigating now for the sake of avoiding issues in the future.

Chapter 7

We’ve gone through a whole chapter and barely once mentioned HTML or CSS, but understanding permission is just as important as your ability to design and build emails.

Every time you take on a new HTML email design job, you need to understand who the audience is, how they agreed to receive the email, and what benefit they’ll derive from it. Avoid the temptation of leaving it until the last minute, because the consequences can be widespread and quite serious.
