Skip to content
← BlogStrategy

Built on U.S. anti-spam law: how Norbelys keeps you legal

Norbelys is a U.S. company built around CAN-SPAM and the CCPA. Here's what those laws actually require, the mailbox-provider rules that sit on top of them, and how the platform enforces every line so your outreach stays legal.

By Norbelys Chirinos, Co-founder

Founder-reviewed ·How we research and correct articles

Most cold-email tools treat compliance as a checkbox you tick and forget. We don’t. Norbelys is operated by Xuxil Inc., a Delaware corporation — a U.S. company — and the platform is built around the laws that govern commercial email in the United States. This isn’t legal theater. Those laws draw a clear line between outreach and spam, and staying on the right side of it is the same thing as staying in the inbox.

Here’s what the law actually says, the mailbox-provider rules stacked on top of it, and how Norbelys enforces every one so you don’t have to keep them in your head.

The law that matters: CAN-SPAM

The federal CAN-SPAM Act is the U.S. rulebook for commercial email. It’s short, it’s blunt, and the Federal Trade Commission enforces it with real money — up to $53,088 per violating email under the 2025 penalty adjustment. There’s no “we only sent a few thousand” defense; each message is a separate violation.

CAN-SPAM comes down to a handful of requirements:

  • Don’t lie in the header. Your “from,” “reply-to” and routing information must accurately identify who sent the message.
  • Don’t lie in the subject line. It has to reflect what’s actually in the email.
  • Say it’s an ad, where that applies.
  • Include a valid physical postal address — a street address, a registered P.O. box, or a registered commercial mailbox.
  • Give a working opt-out and honor it. The mechanism has to keep working for at least 30 days, and you must process requests within 10 business days. You can’t charge, require a login, or ask for anything beyond an email address.

There are criminal penalties on top of the civil ones for the aggravated stuff: harvesting addresses off websites, dictionary attacks, or registering accounts and domains with false information. That behavior isn’t a gray area — it’s a crime, and it’s exactly the behavior that gets whole sending platforms blocklisted.

The privacy law: CCPA/CPRA, and why we’re not a data broker

The other side of the coin is data. California’s CCPA, as amended by the CPRA, gives people the right to know what a business collects about them, to delete it, and to opt out of having their personal information sold or shared. Since January 2023 that protection covers people acting in a business capacity too — the old B2B carve-out is gone — so “it’s just work emails” is not a shield.

California also runs a data broker registry: any business that sells personal information about people it has no direct relationship with has to register, disclose, and pay a fee. As of January 2026, Californians can even use a single state platform (DROP) to tell every registered broker to delete their data at once.

Norbelys is not on that registry, and never will be, because we don’t do the thing that puts you on it:

  • We don’t sell your data — not your account, not the contacts you upload.
  • We don’t share your data between customers. Your lists, your copy and your results are isolated to your account at the database layer. No other Norbelys customer can see them.
  • We don’t use your contacts or content to train AI or serve ads.

We sell software that sends your email well. We don’t sell you, and we don’t sell the people you email.

The rules on top of the law: Gmail, Yahoo, Microsoft

Here’s the part that catches people out: staying legal is necessary but not sufficient. Since February 2024, Gmail and Yahoo — and Microsoft through 2025 — enforce their own bulk-sender requirements on anyone sending around 5,000 messages a day. These aren’t laws, but they’re stricter than the law, and they’re what actually decides whether you reach the inbox:

  • Authenticate with SPF, DKIM and DMARC (at least p=none). Mail that fails authentication now gets pre-sorted to junk or rejected outright.
  • One-click unsubscribe in the message header (RFC 8058) for marketing mail.
  • Keep your spam-complaint rate under 0.3% — and realistically under 0.1% if you want reliable placement. Cross that line and the provider stops trusting your domain.

Through late 2025, Gmail moved from “warnings” to real rejections for senders who ignore these. The law tells you what you’re allowed to do; the mailbox providers decide whether it lands.

How Norbelys enforces all of it for you

The point of running a compliant platform is that you don’t have to memorize any of the above. Norbelys builds the rules into the product:

Unsubscribes are automatic and platform-wide. When someone opts out, they’re suppressed instantly across your whole account — not in 10 business days, not “once you remember to update the list.” You can’t accidentally email them again, and you can’t turn that off.

Identity is enforced at send time. We won’t let you send from a mailbox with broken authentication, and the deliverability tooling walks you through SPF, DKIM and DMARC so your headers tell the truth.

We watch the 0.3% line so you don’t cross it. Rising complaints or bounces automatically slow your sending and pause the offending mailbox before your reputation tanks — the same signals the mailbox providers are watching, acted on before they do.

We earn the inbox instead of promising it. Every plan includes warmup: participating mailboxes exchange a small volume of genuine, system-generated messages that get opened, answered and rescued from spam, so providers learn to read your address as a real human. On top of that we run continuous inbox-placement (seed) tests — repeated, measured checks of where your mail is actually landing — and steer the ramp from the results. That warmup network only ever exchanges Norbelys-generated warmup mail; it never touches your contacts or your campaigns.

One honest caveat, because it’s the law of physics for email and it’s in our Terms: nobody can guarantee 100% inbox placement. It also depends on your domain history, your list quality and your copy. Anyone who promises you a guaranteed inbox is lying — the same way anyone who tells you spam is fine as long as the tool “handles it” is lying. What we can do is stack every legal requirement, every provider rule and every reputation signal in your favor, and enforce them automatically.

That’s what “built on U.S. law” means here. Not a disclaimer at the bottom of a page — the actual design of the product.


This post is general information about how Norbelys is built, not legal advice. For how your specific outreach maps to CAN-SPAM, the CCPA or any other law, talk to a qualified attorney.