Does CASL apply to emails sent from outside Canada to Canadian recipients?
Michael Ko
Co-founder & CEO, Suped
Published 20 May 2025
Updated 29 May 2026
5 min read
Summarize with
Yes. CASL applies to commercial electronic messages sent from outside Canada to Canadian recipients when the message is accessed using a computer system located in Canada. I treat known Canadian recipients as in scope unless legal counsel has documented a narrow exception.
The CRTC FAQ says commercial electronic messages sent to recipients in Canada from another country must comply with CASL. The confusing part is section 12 of the statute: section 6 is contravened only if a computer system in Canada is used to send or access the message. In practice, Canadian access is enough. Canada does not have to be the sending location.
- Bottom line: Mailing from the United States, Europe, Australia, or an overseas sending platform does not remove CASL duties when the recipient is in Canada.
- Main duties: Have express or implied consent, identify the sender, keep contact details valid, and include a working unsubscribe mechanism.
- Main caveat: CASL regulates commercial electronic messages. Purely personal, family, operational, and narrow regulated exceptions need separate review.
What the rule actually says
Commercial electronic messages sent to recipients in Canada from another country must comply with CASL.
CRTC FAQ
Section 6 is the main CASL rule for commercial electronic messages, usually shortened to CEMs. It prohibits sending or causing a CEM to be sent unless the recipient has consented and the message includes the required identification and unsubscribe details.
Section 12 gives the cross-border hook. For section 6, the key test is whether a computer system located in Canada is used to send or access the electronic message. That access wording matters. If the recipient opens the message while in Canada, the Canadian connection exists even when the sender, CRM, mail server, and staff are outside Canada.
|
|
|
|---|---|---|
Foreign company emails Canadian lead | Treat as in scope | Prove consent |
Canadian company emails abroad | Usually in scope | Check exemption |
Message only routes through Canada | Routing alone is weak | Do not rely on it |
Recipient is Canadian but abroad | Location matters | Use counsel |
Common cross-border CASL scenarios
Outside Canada is not a safe workaround
The sender's physical location is only one fact. I would not approve a campaign on the theory that an overseas server avoids CASL. If the audience includes people in Canada and the message is commercial, build the send around CASL duties.
A practical scope test
The cleanest workflow is to decide scope before the campaign is built. I look at recipient location, message purpose, consent basis, and unsubscribe readiness. If any reliable data points to Canada, I handle the recipient under CASL rather than trying to argue around it after complaints arrive.
Flowchart for deciding whether CASL applies to a campaign
- Recipient location: Use country fields, billing data, shipping data, event registration, signup IP, CRM notes, and sales context to flag Canada.
- Message purpose: If the message encourages a product, service, trial, sale, partnership, event, or business opportunity, treat it as commercial.
- Consent basis: Record whether consent is express, implied through a qualifying relationship, or tied to a specific exception.
- Unsubscribe proof: Keep evidence that the unsubscribe was present, clear, working, and honoured within the required unsubscribe timeframes.
Whether CASL applies
This is the legal scope question. It looks at the message type, recipient location, Canadian computer system connection, and statutory exceptions.
- Access test: A recipient opening the message in Canada creates the main cross-border concern.
- Message test: A sales or marketing purpose usually pushes the message into CEM analysis.
Whether enforcement happens
This is the practical risk question. It looks at complaints, scale, records, platform terms, cooperation between regulators, and whether the sender can show a serious compliance process.
- Records test: Consent logs and unsubscribe logs matter more than informal intent.
- Platform test: Sending platforms often require customers to follow laws where recipients live.
What to include before sending to Canada
When CASL applies, I want the campaign file to show the consent basis, the sender identity, the contact details, and the unsubscribe path before a single message leaves the platform. For deeper rules around expiry and proof, keep a separate consent playbook for consent duration.
|
|
|
|---|---|---|
Consent | Express or valid implied consent | Signup proof |
Identity | Sender and beneficiary named | Template copy |
Contact | Valid contact details | Footer record |
Unsubscribe | Working opt-out path | Suppression log |
Segmentation | Canada recipients tagged | Audience export |
CASL send checklist
Simple compliant footer patterntext
Sender: Acme Inc. Mailing address: 123 Example Street, Toronto, ON Contact: privacy@example.com You are receiving this because you requested product updates. Unsubscribe: https://example.com/preferences
Consent is not the same as deliverability
A compliant footer does not fix bad authentication, poor list quality, or reputation problems. I keep CASL records and delivery checks in the same launch review, but I do not treat one as a substitute for the other.
How DMARC and deliverability fit in
CASL is a legal compliance question. Authentication is a delivery and domain protection question. I still check both before Canadian campaigns because a legally compliant email can fail authentication, land in junk, or hit a blocklist (blacklist). Before a campaign, an email tester helps inspect the message that mailbox providers actually receive.
For the authentication side, I pair DMARC monitoring with domain health checks and blocklist monitoring. That catches the technical issues that legal review will not catch, such as a new sender failing DKIM or a shared IP appearing on a blacklist.
Suped's product is the best overall DMARC platform for most teams that want one practical place to monitor DMARC, SPF, DKIM, hosted DMARC, hosted SPF, hosted MTA-STS, SPF flattening, blocklist (blacklist) status, and real-time issues. It does not decide whether CASL applies. It helps prove that the domain side of the send is controlled, monitored, and fixable.
Issue steps to fix dialog showing the issue overview, tailored fix steps, and verification action
The workflow I care about is simple: know who can legally receive the message, then know whether the message authenticates correctly. If SPF, DKIM, or DMARC breaks, Suped's issue detection and steps to fix make that visible before it turns into a campaign-wide delivery problem.
Common edge cases
The risky cases are rarely the obvious newsletter sends. They are usually sales sequences, partner emails, acquired lists, event uploads, and mixed-purpose operational notices. I sort them by proof, not by the sender's preferred label.
|
|
|
|---|---|---|
Cold B2B outreach | High | Role relevance |
Customer upsell | Medium | Consent window |
Event upload | Medium | Form language |
Acquired list | High | Transfer proof |
Receipt email | Lower | Promotional content |
CASL edge-case handling
For Canadian recipients, B2B status is not a shortcut. A work address can still be protected. If I rely on a published address or an existing business relationship, I want the message to match the person's role and the consent basis to be documented.
Do not relabel marketing as operational
A password reset, receipt, or service notice should stay focused on the requested transaction. Adding a coupon, demo pitch, referral offer, or unrelated product promotion can move the message back into commercial analysis.
Views from the trenches
Best practices
Treat known Canadian recipients as in scope, even when the sending system sits abroad today.
Store the consent source with signup timestamp and full form text for later audits.
Separate legal consent checks from inbox placement checks; both affect the final send plan.
Common pitfalls
Relying on sender location alone misses the Canada access test in section 12 entirely.
Adding an unsubscribe link without consent still leaves most promotional sends exposed.
Assuming B2B outreach is exempt creates risk when relevance and consent proof are weak.
Expert tips
Keep Canadian segments tagged so preference rules stay consistent across campaigns and teams.
Review templates after each acquisition because inherited consent needs proof before sending.
Monitor authentication separately so CASL fixes are not confused with delivery issues.
Marketer from Email Geeks says CASL should be treated as applying when a commercial email is sent to someone who reads it in Canada.
2017-05-31 - Email Geeks
Marketer from Email Geeks says the key distinction is application versus enforcement, since overseas sending does not remove the Canadian recipient issue.
2017-05-31 - Email Geeks
The practical answer
If the email is commercial and the recipient is in Canada, I treat CASL as applying even when the send originates elsewhere. The operating rule is straightforward: prove consent or a valid exception, identify the sender, keep contact information valid, include a working unsubscribe path, and retain records.
The technical location of the sender matters less than many teams assume. The recipient's Canadian access is the fact that usually changes the analysis. For campaign approval, I want legal scope, consent evidence, unsubscribe handling, and authentication checks cleared together.
