Email Compliance Checklist

Consent and Audience Scope

    Pull the segment definition from the MAP (HubSpot, Marketo, Klaviyo) and confirm each contact has a documented opt-in source and timestamp. Purchased lists, scraped addresses, and contacts older than 24 months without engagement should be excluded before the send.

    GDPR (EU/EEA/UK) and CASL (Canada) require express opt-in; CAN-SPAM (US) is opt-out. Filter the list by country and confirm each region's contacts have the matching consent basis. A single nurture sequence cannot cover all three regimes without separate consent flows.

    For EU/UK/Canadian contacts, export consent records showing the lawful basis (consent, legitimate interest, or contract), the date, the wording shown at capture, and the source form. Cookie-banner "accept all" does not constitute marketing-email consent. Attach the export to the run.

    Apply the global suppression list across every sending platform — including any reps doing manual sends from their own address book. CAN-SPAM requires opt-outs honored within 10 business days; suppressing across platforms is the most common gap.

Required Disclosures and Footer

    The unsubscribe mechanism must be clear and conspicuous, function for at least 30 days after send, and require no login or fee. Test the link end-to-end in the staging preview before approval.

    CAN-SPAM requires a valid physical postal address — street address, registered PO box, or commercial mail-receiving agency. A virtual office without registration does not qualify. Confirm the address matches the entity that controls the email content.

    Header information must accurately identify the sender. The subject line must reflect the content — no clickbait that misrepresents the body. Reply-To must route to a monitored mailbox, not a no-reply alias for promotional messages.

    If the audience includes California residents and the business meets CCPA/CPRA thresholds, include the "Do Not Sell or Share My Personal Information" link in the footer. The same applies to the VCDPA, CPA, and CTDPA equivalents in other US states for which the business processes data.

Authentication and Deliverability

    Run the sending domain through EasyDMARC or MXToolbox. SPF should include the ESP's sending IPs, DKIM should sign with a 1024-bit or 2048-bit key, and DMARC should be at p=quarantine or p=reject for Gmail/Yahoo bulk-sender requirements. A pass on all three is required before broadcast.

    If any record fails, open a ticket with IT or the DNS owner. Common fixes are SPF flattening when the lookup limit is exceeded, adding a missing DKIM CNAME from the ESP, or moving DMARC from p=none to p=quarantine. Re-run the validator and hold the send until all three records pass.
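
    The pass/hold decision from the two steps above can also be scripted as a pre-send gate. The following is an added example, not part of the original checklist or of any validator named here; the record strings, the ESP include host `_spf.esp.example`, and the function names are constructed assumptions, and the TXT values are taken as already fetched so the check runs offline.

```python
# Added example. Every record string below is a constructed sample.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208
SPF_LOOKUP_LIMIT = 10

def spf_lookup_terms(record):
    """Count top-level SPF terms that cost a DNS lookup.
    Nested includes add more, so treat the result as a lower bound."""
    count = 0
    for term in record.lower().split()[1:]:
        name = term.lstrip("+-~?")
        for sep in ":/=":
            name = name.split(sep, 1)[0]
        if name in LOOKUP_TERMS:
            count += 1
    return count

def parse_tags(record):
    """Split a DKIM/DMARC 'k=v; k=v' record into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_domain(spf, dkim, dmarc, esp_include):
    """Return a list of failures; an empty list means all three records pass."""
    failures = []
    terms = [t.lstrip("+-~?") for t in spf.lower().split()]
    if not terms or terms[0] != "v=spf1":
        failures.append("SPF: no v=spf1 record")
    else:
        if f"include:{esp_include}" not in terms:
            failures.append("SPF: ESP include missing")
        if spf_lookup_terms(spf) > SPF_LOOKUP_LIMIT:
            failures.append("SPF: over 10 DNS lookups, flatten the record")
    if not parse_tags(dkim).get("p"):  # empty p= means the key was revoked
        failures.append("DKIM: selector record missing or key revoked")
    policy = parse_tags(dmarc).get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        failures.append(f"DMARC: p={policy or 'missing'}, move to p=quarantine")
    return failures

GOOD_SPF = "v=spf1 include:_spf.esp.example ip4:192.0.2.0/24 -all"
GOOD_DKIM = "v=DKIM1; k=rsa; p=CONSTRUCTEDPLACEHOLDERKEY"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
BAD_SPF = ("v=spf1 include:_spf.esp.example "
           + " ".join(f"include:s{i}.example" for i in range(10)) + " ~all")
```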

    Seed test the rendered email across Gmail, Outlook (desktop and 365), Apple Mail, and Yahoo. Check inbox vs. promotions vs. spam placement and confirm dark-mode rendering. Outlook desktop is the most common breakage point for hybrid CSS layouts.

    Pull the last 30 days from Google Postmaster Tools and the ESP reputation dashboard. Gmail bulk-sender rules require complaint rate under 0.3% (ideally under 0.1%). If reputation is degraded, reduce send volume or run a re-engagement campaign before this broadcast.

Content QA and Tracking

    Click every CTA, header link, and footer link from the staging preview. Confirm utm_source, utm_medium, and utm_campaign match the team's UTM convention document so GA4 reporting stays comparable across campaigns.

    More than half of opens happen on mobile. Confirm tap targets are at least 44px, text scales to body width, and the preheader displays correctly in iOS Mail and Gmail Android. Run through Litmus or Email on Acid device previews.

    Run a copy edit pass for grammar and house style. Any performance, comparative, or testimonial claim needs a substantiation file under FTC Endorsement Guides and the Lanham Act. Flag any claim missing backing for legal before approval.

    Click the primary CTA from the staging email and watch GA4 DebugView. The conversion event should fire on actual submit or purchase, not on email-blur or page-view. A misfiring event distorts attribution and budget allocation downstream.

Final Approval and Send

    Approvals collected in Slack DMs are not compliance documentation. Use the MAP's review workflow or attach signed approval records to this run. Brand reviewer signs off on voice and visual identity; legal signs off on disclosures and substantiation.

    Send to a 5-10% sample first, monitor bounce and complaint rates for 30-60 minutes, then release to the remainder. For lists over 100K, split across the warmest segments first to protect IP reputation.

    Watch the ESP dashboard for hard bounce rate over 2%, complaint rate over 0.1%, or unsubscribe rate over 0.5%. Any spike triggers an incident review — pause follow-up sends until root cause is identified.
