Cold Email Compliance Records: What to Keep to Prove You Followed the Rules

Following the rules isn't enough if you can't show it. The records every MCA cold-email program should retain — suppression lists, opt-out timestamps, sending logs, your physical address, and who sent on your behalf — and why they matter if you're ever challenged.

By Eli Pesso · 10 min read

Key takeaways

  • Compliance you can't prove is compliance you don't have. If a complaint or inquiry ever lands, the question isn't whether you followed the rules — it's whether you can show it.
  • Keep records of opt-outs and when they were honored, your suppression list, sending logs, the physical address used, and the exact content and headers you sent.
  • Opt-out records are the most important: log when each request came in and when it took effect, and prove it was suppressed across every domain — well inside the 10-business-day window.
  • Outsourcing the sending doesn't outsource the liability, so document who emails on your behalf and keep access to their compliance records too.

Most CAN-SPAM advice stops at the rules: use honest headers, include a real address, give people a working opt-out, honor it within 10 business days. That's the easy half. The harder half — the one almost nobody talks about — is proof. If a merchant complains, a state attorney general asks questions, or you simply need to answer a client's due-diligence checklist, 'we follow the rules' is worth nothing without records that show it.

This is where cold email compliance records come in. Compliance is a thing you do; an audit trail is how you prove you did it. In merchant cash advance — the most spam-complained-about industry online, running mail across hundreds of domains and inboxes — the odds that someone eventually asks you to account for a specific message are not small. The shops that sleep well are the ones who can pull up exactly who they emailed, when, from what address, with what opt-out, and exactly when each unsubscribe took effect.

One note before we start: this is a plain-English overview of record-keeping, not legal advice. CAN-SPAM doesn't prescribe a specific retention schedule, states layer on their own rules, and your situation may have wrinkles this post can't cover. Treat what follows as a practical framework and confirm your specifics with qualified counsel.

Why records matter more than the rules themselves

Here's the uncomfortable reality: in a dispute, the burden of showing you did the right thing tends to fall on you. A merchant who claims they unsubscribed and kept getting email, a client auditing the partner sending on their behalf, a regulator following up on a complaint — none of them can see inside your sending system. They see what you can produce. If you can produce a timestamped record showing the opt-out came in on Tuesday and the merchant was suppressed across every domain by Wednesday, the conversation is over in a sentence. If you can't, your word is the only evidence, and your word isn't a record.

Per-email penalties make the stakes concrete. CAN-SPAM violations are assessed per message, and at MCA volume a single unproven mistake isn't one problem — it's potentially thousands. Good records don't just defend you after the fact; they're also how you catch a drifting process before it becomes a pattern. The same logs that prove compliance to an outsider are the ones that tell you, internally, that a sending account stopped checking the suppression list. Records are both a shield and an early-warning system.

Opt-out and suppression records: the ones that matter most

If you keep nothing else, keep these. The single most common cold-email dispute is a merchant insisting they asked to be removed and kept hearing from you — and the only thing that resolves it cleanly is a record. For every opt-out, you want to capture when the request arrived, through what mechanism (one-click header, in-body link), and the moment it actually took effect in your system. That timestamp is what proves you honored the request inside the 10-business-day window the law allows — ideally far inside it.

Then there's the suppression list itself: the master 'do-not-email' record every sending domain and inbox checks before it sends. Its value as evidence is that it's cumulative and permanent. An opt-out is forever, so the list has to carry every past unsubscribe forward into every future nurture set — and the list's history is your proof that it did. At MCA scale the critical thing to be able to demonstrate isn't just that you logged the opt-out, but that suppression propagated everywhere: one unsubscribe, suppressed across all hundreds of domains and inboxes, not just the one the merchant happened to reply to.

  • The timestamp each opt-out request was received, and through which mechanism.
  • The timestamp suppression actually took effect — your proof of the 10-business-day window.
  • The suppression list itself, retained as a permanent, cumulative record.
  • Evidence that an opt-out propagated across every sending domain and inbox, not just one.

Sending logs: who you emailed, when, and from where

Opt-out records prove what you stopped doing; sending logs prove what you did. A usable log ties each commercial message to a recipient, a date and time, and the sending identity — the specific domain and inbox it went out from. That's what lets you reconstruct a campaign months later and answer the only question that ever really gets asked: did this particular merchant get emailed after they asked you to stop?

Sending logs are also where compliance and deliverability records overlap, because the same data that defends you legally is the data that runs your program. Logs let you cross-reference a send against the suppression list to confirm no suppressed merchant slipped through, spot a domain that's misbehaving, and demonstrate that volume was spread the way a legitimate sender spreads it — across many inboxes rather than one inbox blasting. Retain them long enough to outlast the window in which a complaint could plausibly surface; a conservative retention period is cheap insurance against an expensive 'prove it' moment.

Content, headers, and the physical address you used

Honoring opt-outs is only part of compliance — the message itself has to have been compliant when it left, and you should be able to show what it looked like. Keep a record of the actual content you sent: the campaign templates, the subject lines, and the footer that carried your ad disclosure, unsubscribe link, and physical postal address. Because MCA cold email is randomized into countless unique variations to beat the spam filter, you won't archive every individual permutation — but you can and should retain the templates and the rules that generated them, which is what proves the disclosures were present on every message rather than just the first.

Header accuracy deserves its own record. CAN-SPAM requires that 'From,' 'Reply-To,' and routing information honestly identify the sender, and a defensible program can show that the cousin domains it sent from genuinely traced back to the business — registered, authenticated, and never spoofed. Keep documentation of which sending domains belong to which campaign and the physical address that appeared in the footer over time. Addresses change; the record of which valid address was in use during a given period is exactly what you'd be asked to produce if a specific old message were ever questioned.

  • Campaign templates, subject lines, and the footer block (ad disclosure + unsubscribe + address).
  • The randomization rules that prove disclosures appeared on every variation, not just one.
  • Which sending domains were used for which campaigns, and that they honestly identified the sender.
  • A history of the valid physical postal address used in each period.

Who sent on your behalf — because you're still liable

The rule MCA brokers most often miss is that outsourcing the sending does not outsource the liability. Under CAN-SPAM, both the business whose offer is promoted and the party actually sending can be held responsible. That means your compliance records can't stop at your own front door — if a marketer emails on your behalf, their practices are part of your exposure, and you should be able to document the relationship.

Practically, that means keeping a record of who you engaged, what they were authorized to send, and, crucially, access to the compliance records they maintain on your behalf — the suppression list, the opt-out timestamps, the sending logs. A provider who treats compliance as a feature can hand you that audit trail on request; a provider who can't produce it is a liability wearing your name. The right partner doesn't just send compliant email — it keeps the records that let you prove the email was compliant, and makes them available to you. That distinction is the whole reason this matters at the partner-selection stage, not after a complaint lands.

How MCA Rocket keeps a compliant audit trail

This is exactly why MCA Rocket treats record-keeping as part of the product, not paperwork bolted on afterward. Every opt-out is captured into a centralized suppression list and honored automatically across every domain and inbox — and because that happens in the infrastructure rather than someone's memory, the timestamps that prove it landed well inside the 10-business-day window come for free. The same system that spreads sending across hundreds of domains keeps the logs that tie each send to a recipient, a time, and a sending identity, so a suppressed merchant can be shown never to have been emailed again.

Just as important: you own all of it. MCA Rocket doesn't sell or share lead data, and a client's leads are kept private indefinitely — so the suppression and sending records that protect you are built around your data and your brand, not pooled with anyone else's. You bring the leads you already own; the platform sends compliant cold email, honest headers and a real physical address on every message, and maintains the suppression and sending records that let you prove it if you're ever asked. That's compliance you can actually defend, not just claim. (Still: this is an overview of record-keeping practice, not legal advice — confirm your specifics with qualified counsel.)

About the author

Eli Pesso, Chief Rocket Man

A marketer by trade, Eli focuses his entire practice on the MCA industry — it's the niche where he believes his expertise creates the most value.


Cold Email Compliance Record-Keeping — FAQ

At minimum: opt-out records showing when each unsubscribe request arrived and when it took effect, the suppression list itself, sending logs tying each message to a recipient and time, the campaign content and footer (ad disclosure, unsubscribe, physical address), and documentation of anyone who sent on your behalf. Together these form the audit trail that proves you followed CAN-SPAM rather than just claimed to.

Compliance you can prove, not just claim.

MCA Rocket honors every opt-out automatically across every domain and keeps the suppression and sending records that prove it — timestamps, logs, and a real physical address on every message. You bring the leads you own; we keep the audit trail.
