🤔 Wait, What’s the Big Deal With Cross-Border Email?
So you're a U.S.-based business, and you’ve got some Canadian customers or newsletter subscribers on your email list. You send them updates, offers, onboarding info, and all the usual stuff.
No harm, right?
Well... not unless you're violating Canada’s Anti-Spam Legislation (CASL) — and in 2025, regulators are taking it way more seriously.
⚖️ What Changed in 2025?
A few things:
CASL enforcement has picked up, especially after major spam/phishing attacks targeting Canadian inboxes in early 2025.
U.S. companies are being audited for how they obtain and manage consent.
Privacy regulations globally (think GDPR, CPRA) are tightening, and email laws are overlapping.
If you're not paying attention, you could be sending non-compliant emails to Canadian users — even if your intentions are good.
This article breaks down what you need to know (and do) if you're emailing anyone in Canada.
📌 First, What Is CASL? And Why Should You Care?
CASL (Canada’s Anti-Spam Legislation) is one of the toughest anti-spam laws in the world. It applies to:
Commercial Electronic Messages (CEMs)
Sent to or from a computer in Canada
That promote products, services, or businesses
And yes — this includes emails from your Mailchimp, HubSpot, or Salesforce account to Canadian addresses.
⚠️ Violating CASL = Fines Up to $10M CAD Per Violation
Yeah, you read that right.
There have already been high-profile cases where companies were fined millions for things like:
Not having proper consent
Sending messages with misleading info
Failing to provide an unsubscribe mechanism
🔍 Are You a U.S. Business That Needs to Worry About This?
Ask yourself:
Do you have any Canadian customers or subscribers?
Do you collect leads or sign-ups from Canadian websites or events?
Are you sending automated email flows, onboarding sequences, or newsletters globally?
If you answered yes to any of these — yep, CASL applies to you.
✅ Quick Breakdown: CASL vs. U.S. CAN-SPAM
Feature | CASL (Canada) | CAN-SPAM (U.S.) |
Consent | Required before sending | Can send until they opt out |
Opt-In | Must be express or implied | Not required |
Penalties | Up to $10M CAD per violation | ~$50,000 per violation |
Unsubscribe | Must be easy + processed within 10 days | Same |
Basically, CASL is stricter, especially about how and when you collect consent.
🧠 Key Terms You Should Know
CEM (Commercial Electronic Message): Any email promoting your biz.
Express Consent: User actively opted in (form, checkbox, double opt-in).
Implied Consent: There’s an existing relationship (past customer, inquiry, etc.).
Sender Identification: Your real business name, address, contact info — must be visible in the email.
Unsubscribe Mechanism: Obvious, working, and honored quickly.
🔐 But It’s Not Just About Consent — It’s Also About Email Security
Canadian privacy regulations don’t stop at consent. Your emails should also meet basic email security compliance, especially after the surge of phishing attacks in Q1 2025.
Best practices include:
Setting up DMARC, SPF, and DKIM to prevent spoofing
Using TLS encryption where supported
Not sending sensitive data (like personal health info or tax info) via email
Having a clear security and privacy policy on your site
💡 YourDMARC can help you monitor your domain’s email security posture to stay compliant across borders.
🧪 Real Example: A U.S. Brand Got Flagged in 2025
In February 2025, a U.S. eCommerce company emailed a promotional discount to thousands of Canadian customers who bought from their store in 2022.
They hadn’t emailed those users in over a year, which meant their implied consent window had expired.
Because they didn’t get express opt-in, and there was no working unsubscribe button, the campaign triggered multiple CASL complaints, and an audit followed.
A reminder: CASL’s implied consent expires after 2 years of no interaction — after that, you must stop emailing unless they opt in again.
🛠️ 7 Things You Need to Do If You’re Emailing Canadians in 2025
1. Segment Your List by Country (or Email Domain)
You can’t treat all subscribers the same anymore.
🇨🇦 Canadian emails should be in a separate list or tagged appropriately. That way, you can control what flows go out to whom — and apply CASL-specific logic.
2. Collect Express Consent Proactively
Any time you run a lead form, pop-up, or quiz — include:
A clear checkbox (unchecked by default)
A statement like:
"By subscribing, you agree to receive emails from [Company Name]. You can unsubscribe anytime."
And if possible? Use double opt-in for Canadian subscribers. It’s not required but highly recommended.
3. Track Consent Sources
Keep records of:
When consent was given
How it was given (form, site, webinar)
IP address and timestamp
Use your CRM or email platform to log this info — in case you’re ever audited.
4. Add Proper Identification to Every Email
Your emails should clearly state:
Your business name
A physical mailing address
A working contact method (email or phone)
A visible unsubscribe link (that works for at least 60 days)
5. Use a Compliant ESP (Email Service Provider)
Most big-name ESPs (like Mailchimp, Klaviyo, ActiveCampaign, etc.) support CASL compliance tools — but you have to configure them.
Things to check:
Can you tag contacts by location?
Can you enforce double opt-in?
Can you manage unsubscribes automatically?
6. Implement DMARC, SPF & DKIM for Email Authentication
Canadian ISPs (and users) are extra sensitive to spam, spoofing, and phishing.
By publishing DMARC records and aligning your sending domains, you:
Improve deliverability
Prevent your domain from being spoofed
Signal to regulators that you're playing by the rules
✅ Use YourDMARC to visualize, monitor, and enforce email authentication without breaking your sends.
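To show what "aligning your sending domains" means in practice, here is an added example (not code from this article or from YourDMARC) that applies the RFC 7489 alignment rule to constructed records. The function names, the domains example.com, esp-mailer.example and unrelated-sender.example, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: DMARC alignment and policy outcome (RFC 7489 rules).
# Every domain and record here is constructed sample data.

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real receivers use the Public Suffix List (think example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(dmarc_txt, from_domain, spf, dkim):
    """spf and dkim are (passed, authenticated_domain) tuples."""
    tags = parse_tags(dmarc_txt)
    policy = tags.get("p", "").lower()
    # Simplified: a record without a valid v= and p= is treated as absent.
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return ("no-policy", "deliver")
    spf_ok = spf[0] and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", {"none": "deliver", "quarantine": "spam-folder", "reject": "reject"}[policy])

MONITOR = "v=DMARC1; p=none; rua=mailto:reports@example.com"
STRICT = "v=DMARC1; p=reject; adkim=s; rua=mailto:reports@example.com"

# Legitimate ESP mail: SPF passes for the ESP's bounce domain (unaligned),
# DKIM is signed with a subdomain of the brand.
ESP = ((True, "bounce.esp-mailer.example"), (True, "mail.example.com"))
# Spoofed mail: SPF passes only for the sender's own unrelated domain.
SPOOF = ((True, "unrelated-sender.example"), (False, ""))

if __name__ == "__main__":
    for name, record in (("monitor", MONITOR), ("strict", STRICT)):
        for label, (spf, dkim) in (("esp", ESP), ("spoof", SPOOF)):
            print(name, label, evaluate(record, "example.com", spf, dkim))
```

With `p=none` the spoofed message fails DMARC but is still delivered. Moving straight to `p=reject` with strict DKIM alignment rejects the ESP's legitimate mail too, because it is signed as a subdomain, so alignment has to be fixed before the policy is tightened.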
7. Build a “Re-Consent” Flow
If you’re unsure about some older Canadian contacts on your list — create a re-permission campaign.
Subject line ideas:
“Still Want Our Emails?”
“We’d Love to Stay in Touch 🇨🇦”
“Confirm Your Subscription for Future Updates”
Those who re-opt-in = you’re covered.
Those who don’t? It’s time to part ways (and stay compliant).
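Steps 1, 3 and 7 can be enforced in code before a campaign goes out. The sketch below is an added example, not part of any ESP's API: it applies the rules as this article states them (an opt-out always wins, express consent needs a full record, implied consent lapses after 2 years of no interaction). The field names, the `classify` and `plan_campaign` helpers and the sample contacts are hypothetical.

```python
from datetime import datetime, timedelta, timezone

IMPLIED_WINDOW = timedelta(days=730)  # the article's "2 years of no interaction"

def is_canadian(contact):
    # Step 1: prefer the recorded country, fall back to a .ca address.
    country = contact.get("country")
    return country == "CA" if country else contact["email"].lower().endswith(".ca")

def classify(contact, now):
    """Return 'suppress', 'send', 'stop' or 'reconsent' for a Canadian contact."""
    if contact.get("unsubscribed_at"):
        return "suppress"                 # an opt-out overrides any consent
    c = contact.get("consent") or {}
    if not all(c.get(k) for k in ("type", "source", "ip", "timestamp")):
        return "reconsent"                # step 3 record incomplete: unsure
    if c["type"] == "express":
        return "send"
    last = contact.get("last_interaction") or c["timestamp"]
    return "send" if now - last <= IMPLIED_WINDOW else "stop"

def plan_campaign(contacts, now):
    """Map each Canadian contact's address to the action for this send."""
    plan = {}
    for contact in contacts:
        if is_canadian(contact):
            plan[contact["email"]] = classify(contact, now)
    return plan

def ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data (documentation IP ranges, example domains).
CONTACTS = [
    {"email": "a@example.ca", "country": "CA", "last_interaction": ts(2022, 11, 3),
     "consent": {"type": "implied", "source": "purchase", "ip": "203.0.113.7", "timestamp": ts(2022, 11, 3)}},
    {"email": "b@example.com", "country": "CA",
     "consent": {"type": "express", "source": "signup-form", "ip": "198.51.100.4", "timestamp": ts(2021, 5, 1)}},
    {"email": "c@example.ca", "consent": {"type": "implied", "source": "webinar"}},
    {"email": "d@example.com", "country": "CA", "unsubscribed_at": ts(2024, 8, 9),
     "consent": {"type": "express", "source": "signup-form", "ip": "192.0.2.9", "timestamp": ts(2023, 1, 2)}},
    {"email": "e@example.com", "country": "US"},
]

NOW = ts(2025, 2, 15)
```

Calling `plan_campaign(CONTACTS, NOW)` marks the 2022 purchaser as `stop`, the same situation as the February 2025 case described earlier, and sends the contact with an incomplete consent record to the re-consent flow.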
🧭 Bonus: Tools to Help With CASL Compliance
Here are a few tools to make this easier:
Tool | What It Does |
YourDMARC | Email authentication and anti-spoofing protection |
Mailchimp / Klaviyo | List segmentation, consent tracking |
👀 TL;DR (Too Long; Didn’t Read)
If you're a U.S. company emailing people in Canada:
✅ You must follow CASL (even if you're not based there)
✅ Express or implied consent is required
✅ Emails must have a working unsubscribe and business info
✅ Implement DMARC, SPF, DKIM for secure delivery
✅ Segment your list and build proper re-consent flows
And if you’re not sure where to start?
👉 Talk to YourDMARC. We’ll help you navigate email security and compliance — without the jargon.
🗂️ Save & Share This Guide With:
📧 Your marketing team
🧑‍💻 Your developers setting up email infrastructure
⚖️ Your legal or compliance manager
📋 Anyone managing international subscriber data