All 20 checks with why-it-matters prose, severity, and cross-references to related audits.
CAN-SPAM §5, GDPR Art. 21, and Gmail/Yahoo's 2024 bulk sender requirements all mandate a working one-click unsubscribe path — RFC 8058 specifically requires both the `List-Unsubscribe` and `List-Unsubscribe-Post` headers plus a POST endpoint. Missing either header or burying the body link in illegible gray text is a direct regulatory violation that exposes the business to FTC enforcement action and causes Gmail to route bulk sends to spam, tanking deliverability for every user on the list. The business impact compounds: a single CAN-SPAM complaint can trigger an FTC investigation; a spam classification tanks open rates across the entire subscriber base.
Why this severity: Critical because missing unsubscribe headers violates CAN-SPAM §5, GDPR Art. 21, and 2024 Gmail/Yahoo bulk sender policy simultaneously, risking FTC enforcement and domain-level spam classification that destroys deliverability for all users.
email-sms-compliance.unsubscribe.one-click-unsubscribe

CAN-SPAM §5(a)(4) requires opt-out requests be honored within 10 business days, but queuing the request for batch processing is the wrong implementation — the correct baseline is immediate synchronous suppression at the moment the user opts out. A 24-hour queue window means opted-out users keep receiving emails throughout that window, creating both a legal violation and a genuine user harm. GDPR Art. 7(3) reinforces this: the right to withdraw consent must be as easy as giving it, and any delay between withdrawal and cessation of processing is difficult to defend. CCPA §1798.120 grants a similar opt-out right with no delay tolerance.
Why this severity: High because delayed opt-out processing directly violates CAN-SPAM §5(a)(4) and GDPR Art. 7(3), and every email sent during the gap is an independently actionable violation.
email-sms-compliance.unsubscribe.opt-out-10-days

CAN-SPAM §5(a)(4) requires unsubscribe mechanisms remain functional for at least 30 days after an email is sent. A token stored in Redis with a 7-day TTL breaks this requirement silently — every email delivered after day 7 contains a link that returns 404 or 410. CWE-613 (Insufficient Session Expiration) captures the pattern: tokens tied to campaigns, Redis TTLs, or short-lived sessions all create a window in which delivered emails become irrevocable but non-actionable, which is the definition of a broken opt-out mechanism under federal law.
Why this severity: Medium because the violation only manifests after the token expiry window passes, but at that point every already-delivered email in inboxes contains a broken unsubscribe link in violation of CAN-SPAM.
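The three unsubscribe checks above (RFC 8058 headers, synchronous suppression, and links that outlive any token TTL) fit in one small handler. This is an added example, not code from the page or from any audit tool; the key, host and mailto address are constructed placeholders.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed values for this example; a real deployment loads the key from a secrets store.
SECRET_KEY = b"example-only-key"
BASE_URL = "https://mail.example.com"   # hypothetical unsubscribe host
MAILTO = "unsubscribe@example.com"      # hypothetical mailto fallback

# Suppression record: address -> when the opt-out was recorded. Never expired or pruned.
SUPPRESSED: Dict[str, datetime] = {}

def make_unsubscribe_token(address: str) -> str:
    """Stateless token (address + HMAC tag). It has no TTL, so a link in an email
    delivered today still works after the 30-day CAN-SPAM window (check 3)."""
    tag = hmac.new(SECRET_KEY, address.encode(), hashlib.sha256).hexdigest()
    return f"{urllib.parse.quote(address, safe='')}.{tag}"

def verify_unsubscribe_token(token: str) -> Optional[str]:
    """Returns the address when the tag verifies, None otherwise (no lookup needed)."""
    quoted, _, tag = token.rpartition(".")
    address = urllib.parse.unquote(quoted)
    expected = hmac.new(SECRET_KEY, address.encode(), hashlib.sha256).hexdigest()
    return address if hmac.compare_digest(tag, expected) else None

def unsubscribe_headers(address: str) -> Dict[str, str]:
    """Both RFC 8058 headers (check 1): an https URI plus a mailto fallback, and
    List-Unsubscribe-Post with the exact value the RFC requires."""
    token = make_unsubscribe_token(address)
    return {
        "List-Unsubscribe": f"<{BASE_URL}/unsubscribe/{token}>, <mailto:{MAILTO}?subject={token}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }

def handle_one_click_post(token: str, body: str) -> Tuple[int, str]:
    """The POST endpoint. Mail providers send the literal body
    'List-Unsubscribe=One-Click' and expect no confirmation page; the suppression
    write happens before the response is returned, not in a later batch (check 2)."""
    if body != "List-Unsubscribe=One-Click":
        return 400, "unexpected body"
    address = verify_unsubscribe_token(token)
    if address is None:
        return 404, "unknown token"
    SUPPRESSED.setdefault(address, datetime.now(timezone.utc))
    return 200, "unsubscribed"

def may_send_marketing(address: str) -> bool:
    """Send-time gate consulted by every marketing send path."""
    return address not in SUPPRESSED
```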
email-sms-compliance.unsubscribe.mechanism-functional-30-days

TCPA §227(b) imposes strict liability for sending SMS to numbers on the national Do-Not-Call registry or after a STOP reply — penalties run $500–$1,500 per message. Most SMS providers (Twilio, Vonage) auto-honor STOP at the carrier level, but that protection evaporates the moment you switch providers or add a second sending path. Without an inbound webhook that writes opt-out status to your database, the only suppression record lives in a third-party system you don't control. GDPR Art. 7(3) and CCPA §1798.120 add parallel requirements: withdrawal of consent must be honored immediately and must propagate to all processing activities.
Why this severity: High because relying solely on carrier-level STOP handling leaves opted-out numbers unprotected if the provider changes or a second SMS path is added — each message sent to an opted-out number is an independent TCPA violation with statutory damages.
email-sms-compliance.unsubscribe.sms-stop-honored

CAN-SPAM §5(a)(4) and TCPA §227 prohibit re-adding users to marketing lists after they have opted out, unless they give fresh affirmative consent. A user import script that upserts with `marketingOptOut: false` for every row silently re-subscribes everyone who previously opted out — this is one of the most common AI-built app violations because the import code is often generated without awareness of the suppression table. GDPR Art. 7(3) is equally explicit: withdrawal of consent must not be overridden by subsequent data operations.
Why this severity: Low because the violation requires a specific write operation (import, sync, or reactivation) to trigger, but when it does, it re-subscribes potentially thousands of opted-out users in a single batch operation.
email-sms-compliance.unsubscribe.no-re-subscribe

CAN-SPAM §5(a)(1) prohibits falsified or misleading From, To, Reply-To, and routing headers. Sending from `noreply@sendgrid.net` instead of a verified company domain means recipients see an unfamiliar sender — a common spam signal — and the business has no ownership over the sending reputation. CASL Section 6 imposes the same requirement for Canadian recipients. CWE-290 (Authentication Bypass by Spoofing) covers the technical dimension: when the From domain doesn't match the actual sender, SPF/DKIM alignment fails, DMARC policies reject or quarantine the mail, and domain reputation cannot be established.
Why this severity: Critical because inaccurate From identity simultaneously violates CAN-SPAM §5(a)(1) and CASL S6, fails DMARC alignment which causes bulk delivery failures, and constitutes sender spoofing under CWE-290.
email-sms-compliance.sender-identity.accurate-from

CAN-SPAM §5(a)(2) prohibits subject lines that mislead recipients about the content or subject matter of the message. Prefixing promotional emails with `Re:` or `Fwd:` simulates a reply thread — a pattern FTC enforcement actions have specifically targeted. Using `Action required` or `Your account` for discount offers causes recipients to open under false pretenses, inflates spam complaints when they realize the deception, and permanently damages sender reputation scores. CASL Section 6 imposes parallel requirements for Canadian recipients: deceptive subject lines invalidate the implied consent that commercial email relies on.
Why this severity: High because deceptive subject lines are an explicit FTC enforcement target under CAN-SPAM §5(a)(2) and CASL S6, and high spam-complaint rates from deceived recipients cause domain-level deliverability damage that affects all mail from the sending domain.
email-sms-compliance.sender-identity.non-deceptive-subject

CAN-SPAM §5(a)(5)(A) mandates a valid physical postal address in the body of every commercial email — not just on the website, but in the email itself. Missing this element is one of the most mechanically detectable CAN-SPAM violations because it requires only inspecting templates, not behavior. CASL Section 6 adds the same requirement for Canadian senders. Unlike consent violations that require evidence of a recipient relationship, a missing address is a strict-liability violation that applies to every commercial email sent without it.
Why this severity: Medium because the violation is strict-liability and affects every commercial email sent, but the business impact is lower than consent or opt-out failures since recipients can still exercise their unsubscribe right.
email-sms-compliance.sender-identity.physical-address

CAN-SPAM §5(a)(5)(B) requires commercial emails be clearly identified as advertisements unless the recipient gave prior affirmative consent to receive commercial email. Sending promotional content to all registered users — without a separate marketing opt-in — and without any `This is a promotional email` disclosure violates this requirement for every message. GDPR Art. 6 requires a lawful basis for processing; for email marketing to EU users, consent under Art. 6(1)(a) or legitimate interest must be established and documented. ePrivacy Art. 13 adds channel-specific requirements for electronic communications marketing.
Why this severity: Medium because the violation affects every promotional email sent to non-opted-in users, but it is remediated by either adding an opt-in flow or adding a disclosure — both of which are straightforward changes.
email-sms-compliance.sender-identity.commercial-intent-identified

TCPA §227(b) and CTIA SMS Guidelines require SMS to be sent from a registered, stable sender identity — in the US, a 10DLC-registered long code, a carrier-approved short code, or a verified toll-free number. Sending commercial A2P SMS from unregistered long codes is no longer permitted under current US carrier requirements: unregistered traffic is filtered or blocked by AT&T, T-Mobile, and Verizon, meaning messages never arrive. Beyond deliverability, unregistered sending signals non-compliance to carriers, increasing the risk that the number is flagged and all future traffic from the same account is throttled.
Why this severity: Low because the primary consequence is deliverability failure rather than a direct regulatory penalty, but carrier filtering makes unregistered commercial SMS functionally inoperable at scale.
email-sms-compliance.sender-identity.sms-sender-id

TCPA §227(b)(1)(A) imposes strict liability for marketing SMS sent without prior express written consent — $500 per message, trebled to $1,500 per message if the violation is knowing or willful. Collecting a phone number at signup for 2FA and then sending promotional SMS is the canonical TCPA violation: the user consented to one purpose (authentication) and received communications for a completely different purpose (marketing). TCPA class actions are the most expensive class actions in US consumer law; a list of 10,000 numbers with improper consent is a $5M–$15M exposure. GDPR Art. 6(1)(a) and Art. 7 require the same specificity of consent for EU users, and CCPA §1798.120 grants opt-out rights that must be built into the consent flow.
Why this severity: Critical because TCPA imposes strict per-message statutory damages of $500–$1,500 with no cap per campaign, making even a modest marketing SMS send to users with invalid consent a multi-million dollar liability.
email-sms-compliance.consent.prior-express-written-consent

GDPR Art. 7 requires that consent be demonstrable — 'freely given, specific, informed, and unambiguous.' Sending marketing email to all registered users with no separate opt-in step fails the 'specific' and 'unambiguous' requirements for EU residents. CASL Section 10 requires either express or implied consent, and implied consent has strict time limits (24 months) and relationship conditions. Beyond legal exposure, no-opt-in flows produce high spam complaint rates because users who didn't choose to receive marketing email treat it as spam — complaint rates above 0.1% cause major providers to throttle or block the sending domain.
Why this severity: High because sending marketing email without an opt-in record violates GDPR Art. 7 for EU recipients and CASL S10 for Canadian recipients, and high resulting spam complaint rates cause domain-wide deliverability damage.
email-sms-compliance.consent.opt-in-confirmation

GDPR Art. 7(1) requires that the controller 'be able to demonstrate that the data subject has consented.' TCPA §227 litigation regularly turns on whether the sender can produce a consent record for a specific number. CASL Section 13 requires that senders keep consent records for 3 years after the last commercial message. CWE-778 (Insufficient Logging) captures the technical gap: without a timestamped, source-tagged consent log, you cannot respond to a regulator's demand for proof of consent, a court's discovery request, or a user's GDPR access request. A `marketingOptIn: true` boolean with no supporting record is legally worthless.
Why this severity: Medium because the absence of consent records doesn't immediately cause harm to users, but it makes the business unable to defend any enforcement action or litigation arising from marketing communications.
email-sms-compliance.consent.consent-records-maintained

GDPR Art. 7(2) is explicit: 'the request for consent shall be presented in a manner which is clearly distinguishable from the other matters' and pre-ticked boxes do not constitute valid consent. The CJEU (Planet49 case, 2019) confirmed that pre-checked boxes are unlawful under ePrivacy Art. 13(2) for EU residents. Beyond EU law, a server-side handler that defaults `marketingOptIn` to `true` when the checkbox isn't submitted silently opts in users who never saw the checkbox — this is a dark pattern that generates high spam complaint rates and undermines any claimed consent basis under CAN-SPAM.
Why this severity: Low because the violation requires EU users to be on the receiving list and a regulator to investigate, but it invalidates all consent claimed for those subscribers if challenged, requiring re-permission campaigns.
email-sms-compliance.consent.no-pre-checked-boxes

GDPR Art. 7 requires consent to be 'specific' — consent for email marketing does not cover SMS marketing, and a single `marketingOptIn` boolean that authorizes all channels conflates legally distinct consent decisions. TCPA §227(b)(1)(A) requires 'prior express written consent' specifically for SMS, which is a higher bar than CAN-SPAM email consent. ePrivacy Art. 13 applies channel by channel. Practically: a user who opts into email newsletters may not want SMS promotions — collapsing both into one flag generates TCPA exposure on every marketing SMS sent to users who only checked the email box.
Why this severity: Low because the violation requires both email and SMS marketing to be active simultaneously, but when it is, every marketing SMS sent without separate SMS consent is an independent TCPA violation.
email-sms-compliance.consent.separate-consent-per-channel

CAN-SPAM §5(a)(1) prohibits false or misleading header information. Header injection (CWE-93, OWASP A03 Injection) occurs when user-supplied values — a display name from a profile, a subject template, a reply-to address — are interpolated into email headers without stripping `\r\n\0` characters. A malicious value like `Alice\r\nBcc: attacker@evil.com` added to the From display name injects a Bcc header, silently copying every email to an attacker-controlled address. This is both a CAN-SPAM violation (falsified headers) and a data exfiltration vector for transactional emails containing sensitive content (receipts, password resets, order confirmations).
Why this severity: Low because exploiting header injection requires a user to control a profile field that reaches an email header, but the potential impact includes bulk email exfiltration and strict-liability CAN-SPAM violations for every affected message.
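The vulnerable interpolation from the check above beside a hardened builder that rejects CR, LF and NUL and lets the standard library quote the display name. Added example, not the page's own code; the addresses are constructed.

```python
import re
from email.utils import formataddr, parseaddr
from typing import List, Optional

# CR, LF and NUL are the characters that terminate or corrupt a header line.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")

def build_from_unsafe(display_name: str, address: str) -> str:
    """The pattern the check flags: a profile field interpolated straight into a header."""
    return f"From: {display_name} <{address}>"

def build_from_safe(display_name: str, address: str) -> Optional[str]:
    """Hardened form: reject control characters outright, require exactly one bare
    address, and let formataddr quote the display name. Returns None on rejection
    so the caller can fall back to a fixed sender instead of emitting a bad header."""
    if CONTROL_CHARS.search(display_name) or CONTROL_CHARS.search(address):
        return None
    _, parsed = parseaddr(address)
    if parsed != address or parsed.count("@") != 1:
        return None
    return "From: " + formataddr((display_name, address))

def header_lines(raw: str) -> List[str]:
    """How the SMTP layer sees the value: every CRLF starts a new header line."""
    return raw.split("\r\n")
```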
email-sms-compliance.content-delivery.no-misleading-headers

CAN-SPAM §5 defines transactional email (password resets, receipts, security alerts) as exempt from its commercial email requirements — but that exemption disappears the moment promotional content is added to a transactional template. Injecting a 'You might also like' banner into an order confirmation reclassifies the entire message as commercial, requiring unsubscribe compliance that transactional flows typically lack. Beyond compliance, mixing the two in a single code path destroys the deliverability benefit of keeping transactional mail on dedicated IP streams: a complaint on a promotional email poisons deliverability for password resets on the same IP pool.
Why this severity: Info because the impact is primarily deliverability degradation and potential regulatory reclassification rather than a direct violation — the severity escalates if promotional content is added to transactional templates.
email-sms-compliance.content-delivery.transactional-vs-marketing

CTIA SMS Guidelines and carrier requirements mandate that SMS opt-in forms disclose message frequency — either as a specific count ('up to 4 messages per month') or a general disclosure ('message frequency varies'). Carriers validate opt-in flows during 10DLC campaign registration and will reject or throttle campaigns whose opt-in language is non-compliant. The confirmation SMS sent immediately after opt-in is the carrier's primary verification that the subscriber intended to opt in — omitting frequency and STOP instructions from that message is a registration failure point that can cause a 10DLC campaign to be denied.
Why this severity: Info because the primary consequence is carrier registration rejection or campaign denial rather than a direct legal penalty, though it blocks all commercial SMS sending until resolved.
email-sms-compliance.content-delivery.sms-frequency-disclosed

CAN-SPAM §5(a)(4), GDPR Art. 21, and CCPA §1798.120 all require that opt-out requests result in permanent cessation of marketing communications. Tracking opt-out status only as a boolean on the user record — rather than in a dedicated suppression table — creates a structural fragility: account reactivation, user import, or a provider migration can silently re-subscribe opted-out addresses. A dedicated suppression table that is append-only and provider-agnostic survives provider changes, list exports, and bulk data operations without losing the opt-out record.
Why this severity: Info because the gap only causes harm if a specific data operation (provider migration, import, account reactivation) coincides with the missing suppression table — but that event, when it occurs, re-subscribes all opted-out users simultaneously.
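The suppression-table check above and the no-re-subscribe check (the `marketingOptOut: false` import) describe the same failure from two sides, so one added example covers both: an import that clobbers the user flag, the safe import that never takes consent state from the file, and a send-time gate that consults the channel-keyed suppression table (which the SMS STOP webhook writes to as well). This is example code, not from the page; all data is constructed.

```python
from typing import Dict, List, Set, Tuple

Suppression = Set[Tuple[str, str]]  # append-only rows of (channel, identifier)

# Constructed sample data for this example, not from any real system.
USERS: Dict[str, dict] = {
    "alice@example.org": {"name": "Alice", "marketingOptOut": False},
    "bob@example.org": {"name": "Bob", "marketingOptOut": False},
}
CSV_ROWS = [  # a CRM export being re-imported into the app
    {"email": "alice@example.org", "name": "Alice A."},
    {"email": "bob@example.org", "name": "Bob B."},
    {"email": "carol@example.org", "name": "Carol"},
]

def record_opt_out(channel: str, identifier: str, suppression: Suppression,
                   users: Dict[str, dict]) -> None:
    """One write path for the unsubscribe link and the SMS STOP webhook alike: the
    suppression row is written synchronously, then the user flag is mirrored."""
    suppression.add((channel, identifier))
    if channel == "email" and identifier in users:
        users[identifier]["marketingOptOut"] = True

def import_users_unsafe(rows: List[dict], users: Dict[str, dict]) -> Dict[str, dict]:
    """The pattern the no-re-subscribe check flags: every row is upserted with
    marketingOptOut=False, so an earlier opt-out on the user record is overwritten."""
    for row in rows:
        users[row["email"]] = {**users.get(row["email"], {}),
                               "name": row["name"], "marketingOptOut": False}
    return users

def import_users_safe(rows: List[dict], users: Dict[str, dict],
                      suppression: Suppression) -> Dict[str, dict]:
    """Consent state is never taken from the import file: existing opt-outs are kept,
    the suppression table is consulted, and unknown addresses start without consent."""
    for row in rows:
        existing = users.get(row["email"], {})
        opted_out = (existing.get("marketingOptOut", True)
                     or ("email", row["email"]) in suppression)
        users[row["email"]] = {**existing, "name": row["name"], "marketingOptOut": opted_out}
    return users

def marketing_recipients(users: Dict[str, dict], suppression: Suppression,
                         channel: str = "email") -> List[str]:
    """Send-time gate: the suppression table is checked even if a flag was clobbered."""
    return sorted(addr for addr, u in users.items()
                  if not u.get("marketingOptOut") and (channel, addr) not in suppression)
```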
email-sms-compliance.content-delivery.suppression-list

CAN-SPAM §5(a)(1) prohibits falsified routing information; proper SPF, DKIM, and DMARC configuration is how receiving servers verify that routing headers are accurate. Gmail and Yahoo's 2024 bulk sender requirements mandate SPF and DKIM authentication plus a DMARC policy for senders sending more than 5,000 emails per day — without it, bulk sends are rejected or spam-foldered at the domain level. CWE-290 (Authentication Bypass by Spoofing) applies: without DMARC, anyone can spoof your sending domain, sending phishing emails that appear to come from your business. NIST SP 800-53 SC-8 (Transmission Confidentiality and Integrity) covers the integrity dimension.
Why this severity: Info because authentication failures primarily cause deliverability problems and phishing exposure rather than direct legal violations — but without DMARC, domain spoofing is trivially easy and Gmail bulk sender rejection blocks all marketing email.
email-sms-compliance.content-delivery.email-authentication