Email Compliance (CASL)

The One CRM enforces email compliance rules to keep your MSP on the right side of Canada's Anti-Spam Legislation (CASL), CAN-SPAM (US), and GDPR (EU). This page covers what you need to know and how CRM helps.

Why This Matters for MSPs

MSPs send a lot of email — marketing campaigns, prospecting sequences, client updates, and newsletters. CASL violations carry penalties up to $10 million per violation. CAN-SPAM allows $46,517 per non-compliant email. These laws apply when you email contacts in those jurisdictions, regardless of where your MSP is based.

CASL Requirements

CASL is the strictest of the three frameworks. If you comply with CASL, you're generally compliant with CAN-SPAM and GDPR email rules too.

Express vs. Implied Consent

Type	Definition	Duration	Example
Express Consent	The contact actively opted in to receive emails	Indefinite (until withdrawn)	Checked a "subscribe to newsletter" box
Implied Consent	Consent inferred from an existing business relationship	2 years from last transaction, or 6 months from inquiry	Current client, recent quote recipient

⚠️Implied consent has an expiration date. If a prospect inquired 7 months ago and never became a client, their implied consent has expired. You cannot email them without express consent.

How CRM Tracks Consent

Every contact has consent fields that CRM checks before any email send:

Field	Purpose
Consent Status	Opted In, Opted Out, Pending, Unknown
Consent Type	Explicit, Implied, Imported
Consent Date	When consent was recorded
Consent Source	How consent was obtained (web form, trade show, import, etc.)
Country	Used to determine which jurisdiction's rules apply

Enforcement Rules

CRM blocks emails to contacts who:

• Have consent status Opted Out
• Have contact status Unsubscribed or Bounced
• Are on the email suppression list (bounced, complained, or manually suppressed)

These checks happen automatically before every campaign send and every sequence email.

Unsubscribe Handling

CRM automatically includes an unsubscribe link in every bulk email and sequence email.

When a contact clicks Unsubscribe:

1. They're taken to a public preference center page (no login required)
2. Their consent status updates to Opted Out
3. They're immediately removed from all active email sequences
4. Their email address is added to the suppression list
5. The unsubscribe event is logged in the contact's activity timeline

ℹ️CRM processes unsubscribes within seconds. The contact will not receive any further emails from the moment they click unsubscribe.

Suppression List Management

The suppression list is a master blocklist of email addresses that must never receive emails. Addresses are added automatically when:

• A contact clicks unsubscribe
• An email hard-bounces
• A recipient files a spam complaint

Managing Suppressions

• View: Go to Marketing > Email Compliance to see all suppressed addresses
• Import: Upload a CSV of suppressed addresses (e.g., from a previous email system)
• Export: Download the full suppression list as CSV
• Remove: Delete a suppression record (for GDPR erasure or if added in error)

⚠️Removing an address from the suppression list does not re-consent the contact. You still need valid consent before emailing them again.

Complaint Handling

When a recipient marks your email as spam, their email provider sends a complaint notification. CRM handles this automatically:

1. The email address is added to the suppression list with reason Complained
2. The contact's status updates to Unsubscribed
3. All active sequences for this contact are terminated
4. The complaint is logged in the activity timeline

High complaint rates damage your sender reputation. Monitor complaint rates in Marketing > Analytics and investigate any spikes.

Compliance Settings

Configure organization-wide email compliance in Settings > Email Sync:

Setting	Description
Physical Address	Your MSP's mailing address — required by CAN-SPAM in every email footer
Company Name	Display name for the email footer
Default Unsubscribe Reason	Pre-populated reason when processing unsubscribes
CASL Mode	When enabled, enforces express/implied consent checks
GDPR Mode	When enabled, enforces GDPR-basis consent checks

Best Practices for MSP Email Outreach

1. Always get express consent — Don't rely on implied consent for marketing emails. Use web forms, trade show sign-ups, or explicit opt-in checkboxes.
2. Use double opt-in — Send a confirmation email after sign-up. This proves consent and improves deliverability.
3. Segment your lists — Don't blast your entire contact database. Target contacts by industry, role, or interest.
4. Honor opt-outs immediately — CRM handles this automatically, but ensure your team understands never to manually re-add unsubscribed contacts.
5. Clean your lists — Remove bounced addresses promptly. High bounce rates damage sender reputation.
6. Include your physical address — Required by CAN-SPAM in every commercial email.
7. Keep consent records — CRM logs consent date and source. This is your defense if compliance is ever questioned.
8. Review implied consent expiry — Audit contacts with implied consent quarterly and either convert to express or stop emailing.

Next Steps

• Email Sequences — Building compliant automated campaigns
• GDPR Data Erasure — Handling erasure requests
• Contact Management — Managing consent fields on contacts
• Troubleshooting — Common email compliance issues