Klaviyo & Email | November 5, 2025

Email Compliance Checklist for Klaviyo Users

One compliance mistake can shut down your email program. Here's the complete checklist that keeps your Klaviyo account legal across CAN-SPAM, GDPR, and CASL.

Mark Cijo

Founder, GOSH Digital

I had a client last year who got their Klaviyo account suspended for 72 hours during their biggest sale week of the year. The reason: compliance violation. They'd imported a list of contacts from a trade show without proper consent documentation, sent a campaign to them, received a spike in spam complaints, and Klaviyo's automated system flagged the account.

Three days of no email during their peak revenue period. Estimated lost revenue: $47,000.

This is what email compliance failure looks like in practice. Not a theoretical fine from a regulatory body (though those exist too). A real, immediate, revenue-destroying consequence from your own email platform.

The thing is, compliance isn't complicated. It's a checklist. Follow it, and you're protected. Ignore it, and you're rolling dice with your email program every time you hit send.

Here's the complete checklist.

Section 1: Account-Level Compliance

These items should be set up once and verified quarterly:

Physical mailing address in every email. Every marketing email must include your physical business address. In Klaviyo, this is configured in Account Settings and automatically inserted into your email footer. Verify it's correct and current.

Requirement: CAN-SPAM, CASL, GDPR
How to check: Send a test email from any campaign or flow. Scroll to the bottom. Your physical address should be visible.

Unsubscribe link in every marketing email. Every marketing email must have a visible, working unsubscribe link. Klaviyo adds this automatically, but verify it hasn't been accidentally removed from custom templates.

Requirement: CAN-SPAM, GDPR, CASL
How to check: Open any email template. Look for the unsubscribe link in the footer. Click it in a test email to confirm it works.

One-click unsubscribe header. Gmail and Yahoo now require List-Unsubscribe headers that enable one-click unsubscribe directly from the email client interface. Klaviyo adds this automatically to all marketing emails.

Requirement: Gmail/Yahoo sender requirements (enforced since February 2024)
How to check: Send a test email to Gmail. In the email, you should see an "Unsubscribe" link at the top near the sender name.

Unsubscribe processing within 10 days. CAN-SPAM requires unsubscribe requests to be honored within 10 business days. Klaviyo processes them instantly (within seconds), so this is handled automatically.

How to check: Subscribe with a test email, then unsubscribe. Verify you don't receive the next campaign.

Authentication records (SPF, DKIM, DMARC). Your sending domain must have proper authentication records configured. This isn't just compliance — ISPs increasingly reject or spam-filter unauthenticated emails.

Requirement: Gmail/Yahoo sender requirements, general best practice
How to check: In Klaviyo, go to Settings, then Domains. Your sending domain should show "Verified" status for both SPF and DKIM. Check DMARC separately using MXToolbox.
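As an added example (not part of the original post, and not Klaviyo's own tooling), here is a Python script that runs this section's checks against the raw source of a test email as it arrived in the test inbox: physical address in the footer, a working unsubscribe link, an identifiable From name, the List-Unsubscribe and List-Unsubscribe-Post headers behind one-click unsubscribe, and the spf/dkim/dmarc verdicts the receiving mailbox provider wrote into Authentication-Results. The sample message, address and brand name are constructed.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed raw source of a *received* test email (not a real Klaviyo message).
# Authentication-Results is written by the receiving mailbox provider, so these
# checks only make sense on the copy pulled from the test inbox ("Show original").
SAMPLE_EML = b"""\
From: Mark from GOSH Digital <hello@example.com>
To: test@example.net
Subject: Test campaign
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
List-Unsubscribe: <mailto:unsub@example.com?subject=unsubscribe>, <https://example.com/unsub/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/html; charset=utf-8

<html><body><p>Hello from the test campaign.</p>
<p><a href="https://example.com/unsub/abc123">Unsubscribe</a></p>
<p>GOSH Digital, 123 Example Street, Springfield, ST 00000</p>
</body></html>
"""

def audit_test_email(raw: bytes, postal_address: str, brand: str) -> dict:
    """Map each checklist item to True/False for one raw email."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    # Authentication-Results carries e.g. "spf=pass ... dkim=pass ... dmarc=pass"
    auth = str(msg.get("Authentication-Results", ""))
    verdicts = {k.lower(): v.lower()
                for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    list_unsub = str(msg.get("List-Unsubscribe", ""))
    one_click = str(msg.get("List-Unsubscribe-Post", "")).strip().lower()
    return {
        "physical_address_in_footer": postal_address.lower() in text.lower(),
        "unsubscribe_link_in_body": bool(re.search(r'href="[^"]*unsub', text, re.I)),
        "from_name_identifies_brand": brand.lower() in str(msg.get("From", "")).lower(),
        # RFC 8058 one-click: an https URL in List-Unsubscribe plus the POST header
        "one_click_unsubscribe_headers": "<https://" in list_unsub
            and one_click == "list-unsubscribe=one-click",
        "spf_pass": verdicts.get("spf") == "pass",
        "dkim_pass": verdicts.get("dkim") == "pass",
        "dmarc_pass": verdicts.get("dmarc") == "pass",
    }

def failing_items(raw: bytes, postal_address: str, brand: str) -> list:
    """Names of checklist items that failed; empty when the email is clean."""
    return [k for k, ok in audit_test_email(raw, postal_address, brand).items() if not ok]
```

Run `failing_items(open("test.eml", "rb").read(), "<your address>", "<your brand>")` on the saved raw source of your own test email; an empty list means every item in this section checked out.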

Section 2: Consent and Opt-In

All subscribers have documented consent. You must be able to prove that every person on your marketing list actively opted in to receive emails from you.

Requirement: GDPR (strict), CASL (strict), CAN-SPAM (permissive — opt-out model)
How to check: In Klaviyo, check the "Consent" section of random profiles. Each should show the source of consent (form submission, Shopify checkout, import with consent documentation).

Double opt-in enabled for GDPR markets. If you have subscribers in the EU or UK, double opt-in (confirmation email) provides the strongest consent documentation.

Requirement: GDPR best practice (not strictly required but strongly recommended)
How to check: Go to your list settings in Klaviyo. Check if double opt-in is enabled for lists that contain EU/UK subscribers.

Consent checkbox on Shopify checkout is optional (not pre-checked). Under GDPR, consent checkboxes must not be pre-checked. The customer must actively check the box to consent to marketing.

Requirement: GDPR
How to check: Go through your own checkout process. The marketing consent checkbox should be unchecked by default.

SMS consent collected separately from email consent. SMS marketing requires separate, explicit consent (TCPA). Email consent does not cover SMS.

Requirement: TCPA
How to check: Review your signup forms. If you collect both email and SMS, each should have its own consent mechanism.

No purchased or rented lists. Purchased email lists are non-compliant under GDPR and CASL, and they will destroy your deliverability even under CAN-SPAM (which technically permits them, though ISPs do not tolerate them).

Requirement: GDPR, CASL, best practice
How to check: If anyone on your team has ever imported a list that wasn't collected through your own forms or checkout, investigate the source.

Section 3: Content Compliance

Sender name is identifiable. The "From" name must clearly identify you or your business. The recipient should be able to tell who sent the email without opening it.

Requirement: CAN-SPAM
How to check: What shows as the sender in your recipients' inboxes? "GOSH Digital" or "Mark from GOSH Digital" is fine. A person's name alone with no brand context could be misleading.

Subject lines are not deceptive. Subject lines must relate to the actual content of the email. You can't use "Re:" to imply a reply, or "Your order" when there's no order.

Requirement: CAN-SPAM
How to check: Review recent campaign subject lines. Would a reasonable person feel misled after opening the email?

Commercial nature is disclosed (when required). If the email is an advertisement, it should be identifiable as such. Klaviyo's default footer includes "You received this email because you signed up for marketing messages from [Brand]" — this satisfies the requirement.

Requirement: CAN-SPAM
How to check: Look at your email footer. Is there clear language indicating why they received this email?

Transactional emails don't contain primarily marketing content. Order confirmations, shipping notifications, and account alerts are "transactional" and can bypass marketing suppression. But they can't be primarily promotional. A transactional email can include a small cross-sell section, but its primary purpose must be informational.

Requirement: CAN-SPAM, general compliance
How to check: Review your transactional flow emails. Is the transactional information (order details, shipping info) the primary content? Is any marketing content secondary and small?

Section 4: List Management

Bounced addresses are suppressed. Hard bounced email addresses should never receive subsequent emails. Klaviyo handles this automatically — hard bounces are immediately suppressed.

How to check: In Klaviyo, hard bounced profiles show a "suppressed" consent status. Verify you don't have any workarounds that re-subscribe bounced addresses.

Spam complaints are suppressed. Profiles that mark your email as spam must be suppressed immediately. Klaviyo does this automatically.

How to check: Same as above — spam complaint profiles should show "suppressed" status.

Inactive subscribers are managed. While not a legal requirement, cleaning your list of inactive subscribers (no engagement in 90-180 days) protects deliverability and keeps you in compliance with ISP expectations.

How to check: Do you have a sunset flow that suppresses long-term inactive subscribers? If not, build one.

Suppression list is imported from previous ESP. If you migrated to Klaviyo from another platform, all previously unsubscribed/bounced/complained addresses must be imported as suppressed.

Requirement: Legal compliance (re-emailing someone who opted out is a violation)
How to check: If you ever migrated ESPs, confirm that the old suppression list was imported.

Section 5: International Compliance

CASL compliance for Canadian subscribers. CASL requires express consent (active opt-in) before sending commercial email to Canadian recipients. Implied consent exists for existing customers but expires after 24 months.

How to check: Are Canadian subscribers explicitly opted in? Are customers over 24 months since last purchase still receiving marketing without re-consent?

GDPR data subject rights. EU/UK subscribers have the right to access their data, correct it, and request deletion. You must be able to fulfill these requests within 30 days.

How to check: Do you have a process for handling data access and deletion requests? Can you export and delete a profile from Klaviyo within 30 days of a request?

Data Processing Agreement with Klaviyo. GDPR requires a DPA between you (data controller) and Klaviyo (data processor).

How to check: In Klaviyo's account settings, verify that the DPA is signed. If not, sign it.

Section 6: Gmail/Yahoo Sender Requirements (2024+)

In early 2024, Gmail and Yahoo implemented new sender requirements. Non-compliance results in emails being blocked or spam-filtered.

Spam complaint rate below 0.3%. Gmail requires senders to maintain a spam complaint rate below 0.3%. Below 0.1% is the recommended target.

How to check: Google Postmaster Tools shows your spam rate. Monitor weekly.

SPF and DKIM authentication passing. Both must be properly configured and passing for your sending domain.

How to check: In Klaviyo, domain verification status. In Postmaster Tools, authentication dashboard.

DMARC policy published. Your domain must have a DMARC record (even p=none is acceptable for compliance, though p=quarantine or p=reject is better for security).

How to check: Use MXToolbox to check for a DMARC record on your sending domain.
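As an added example (not from the original post or from MXToolbox), here is a small Python assessor for the DMARC TXT record you find published at `_dmarc.<your-domain>`: it parses the tags and reports whether the record meets the mailbox-provider requirement at all, whether it merely monitors (p=none) or enforces (quarantine/reject), and a few common weaknesses. The sample records are constructed and belong to no real domain.

```python
from typing import Optional

# Assess a DMARC TXT record (the value published at _dmarc.<your-domain>) the way
# the checklist item above describes: any valid record meets the mailbox-provider
# requirement, but p=none only monitors, while quarantine/reject actually enforce.
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: Optional[str]) -> dict:
    """Return the published policy, whether the requirement is met, and a list of issues."""
    if not record:
        return {"policy": None, "meets_requirement": False,
                "issues": ["no DMARC record published at _dmarc.<domain>"]}
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        issues.append("p= tag missing or invalid (must be none, quarantine or reject)")
    elif policy == "none":
        issues.append("p=none is monitor-only; move to quarantine/reject once reports are clean")
    if "rua" not in tags:
        issues.append("no rua= address, so you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct != "100":
        issues.append(f"pct={pct} applies the policy to only part of your mail")
    valid = not any(i.startswith(("record must", "p= tag")) for i in issues)
    return {"policy": policy or None, "meets_requirement": valid, "issues": issues}

# Constructed sample records; none belong to a real domain.
SAMPLES = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforce": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
    "broken": "v=DMARC1; pct=100",
}
```

Fetch your own record with `dig TXT _dmarc.yourdomain.com +short` (or copy it from the MXToolbox result) and pass the quoted string to `assess_dmarc`.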

Valid forward and reverse DNS records. Your sending IPs must have valid PTR records. Klaviyo handles this for their shared IPs and dedicated IPs.

How to check: Generally handled by Klaviyo. If you're on a dedicated IP, confirm with Klaviyo support.

The Quarterly Audit Process

Every quarter, run through this compressed version:

  1. Send test email from a campaign and a flow. Verify address, unsubscribe link, and sender name are correct.
  2. Check 5 random profiles for consent documentation.
  3. Verify domain authentication status in Klaviyo settings.
  4. Check Google Postmaster Tools for spam rate and reputation.
  5. Run DMARC check on MXToolbox.
  6. Review any list imports from the past quarter for consent documentation.
  7. Confirm sunset flow is active and suppressing non-engaged profiles.
  8. Review transactional emails for marketing content creep.

Total time: 30 minutes. Protection value: the entire revenue your email program generates.

Compliance isn't the exciting part of email marketing. But it's the foundation that everything else depends on. Follow the checklist, audit quarterly, and you'll never have to explain to your accountant why email revenue went to zero for three days during Black Friday.


Want us to audit your Klaviyo account for compliance risks? Book a free strategy call and we'll check every box on this list for your account.

Written by Mark Cijo

Founder of GOSH Digital. Klaviyo Gold Partner. Helping eCommerce brands grow revenue through data-driven marketing.
