Email Compliance Checklist

Pull the segment definition from the MAP (HubSpot, Marketo, Klaviyo) and confirm each contact has a documented opt-in source and timestamp. Purchased lists, scraped addresses, and contacts older than 24 months without engagement should be excluded before the send.

GDPR (EU/EEA/UK) and CASL (Canada) require express opt-in; CAN-SPAM (US) is opt-out. Filter the list by country and confirm each region's contacts have the matching consent basis. A single nurture sequence cannot cover all three regimes without separate consent flows.

For EU/UK/Canadian contacts, export consent records showing the lawful basis (consent, legitimate interest, or contract), the date, the wording shown at capture, and the source form. Cookie-banner "accept all" does not constitute marketing-email consent. Attach the export to the run.

The unsubscribe mechanism must be clear and conspicuous, function for at least 30 days after send, and require no login or fee. Test the link end-to-end in the staging preview before approval.

CAN-SPAM requires a valid physical postal address — street address, registered PO box, or commercial mail-receiving agency. A virtual office without registration does not qualify. Confirm the address matches the entity that controls the email content.

Header information must accurately identify the sender. The subject line must reflect the content — no clickbait that misrepresents the body. Reply-To must route to a monitored mailbox, not a no-reply alias for promotional messages.

Run the sending domain through EasyDMARC or MXToolbox. SPF should include the ESP's sending IPs, DKIM should sign with a 1024-bit or 2048-bit key, and DMARC should be at p=quarantine or p=reject for Gmail/Yahoo bulk-sender requirements. A pass on all three is required before broadcast.

Open a ticket with IT or the DNS owner; common fixes are SPF flattening when the lookup limit is exceeded, adding a missing DKIM CNAME from the ESP, or moving DMARC from p=none to p=quarantine. Re-run the validator and hold the send until all three records pass.

Seed test the rendered email across Gmail, Outlook (desktop and 365), Apple Mail, and Yahoo. Check inbox vs. promotions vs. spam placement and confirm dark-mode rendering. Outlook desktop is the most common breakage point for hybrid CSS layouts.

Click every CTA, header link, and footer link from the staging preview. Confirm utm_source, utm_medium, and utm_campaign match the team's UTM convention document so GA4 reporting stays comparable across campaigns.

More than half of opens happen on mobile. Confirm tap targets are at least 44px, text scales to body width, and the preheader displays correctly in iOS Mail and Gmail Android. Run through Litmus or Email on Acid device previews.

Run a copy edit pass for grammar and house style. Any performance, comparative, or testimonial claim needs a substantiation file under FTC Endorsement Guides and the Lanham Act. Flag any claim missing backing for legal before approval.

Approvals collected in Slack DMs are not compliance documentation. Use the MAP's review workflow or attach signed approval records to this run. Brand reviewer signs off on voice and visual identity; legal signs off on disclosures and substantiation.

Send to a 5-10% sample first, monitor bounce and complaint rates for 30-60 minutes, then release to the remainder. For lists over 100K, split across the warmest segments first to protect IP reputation.