Statutory Deep Dive

California B&P Code § 17529.5 Defense

Element-by-element analysis of the email anti-spam statute, burden of proof, and defense strategies

2004
Enacted
$1,000
Per Email
4 yr
SOL (CCP § 340)
Back to Email Anti-Spam Hub

Elements Plaintiff Must Prove

Key Distinction: Unlike CAN-SPAM, which broadly regulates unsolicited commercial email, California B&P § 17529.5 specifically targets deception in email headers and routing. A perfectly honest commercial email, even if unsolicited, does not violate this statute.

Element 1: California Nexus (§ 17529.5(a)(2))

The plaintiff must establish that the email was either:

  • Sent FROM California — the email originated from a server, person, or entity located in California; OR
  • Sent TO a California email address — the recipient's email address is registered by or associated with a California resident or California-based service provider.
Defense Angle: Challenge the California nexus. If the sender is out-of-state and the email was sent to a non-California address, the statute does not apply. Examine whether the plaintiff's email account is actually hosted by a California-based ISP or whether the plaintiff resides in California.

Element 2: Prohibited Content (§ 17529.5(a)(2)(A)-(C))

In addition to the California nexus, the plaintiff must prove the email falls into at least one of three prohibited categories:

(A) Falsified, Misrepresented, or Forged Header Information

This is the most commonly alleged violation. The plaintiff must show that the email contained header information that was:

  • Falsified: Header fields contain information that is objectively untrue
  • Misrepresented: Header fields create a false impression of the sender's identity or the email's origin
  • Forged: Header fields were deliberately altered to disguise the true origin of the email
What are "headers"? Email headers include all the technical routing information: the From: field, Reply-To: field, Return-Path:, Received: chain, Message-ID:, and other fields that trace the email's path from sender to recipient. The statute covers all header information, not just what the recipient sees.

(B) Misleading Subject Line

The email contains a subject line that would mislead a reasonable recipient about the contents or subject matter of the message. This is an objective test:

  • Would a reasonable person be misled? (not a sophisticated technologist)
  • The subject line must actually be deceptive about the contents of the email
  • Puffery or marketing language alone is not sufficient — there must be an actual disconnect between the subject and the content
Example Likely Misleading? Analysis
"RE: Your Account" (no prior conversation) Yes Implies a reply to prior correspondence that does not exist
"Urgent: Action Required" (marketing email) Likely Implies urgency regarding an account or obligation that doesn't exist
"50% Off Summer Sale" (actual sale email) No Subject accurately describes the content of the email
"Newsletter: Weekly Product Roundup" No Accurately identifies the email as a newsletter

(C) Third-Party Domain Without Authorization

The email was initiated by use of an email address, domain name, or IP address of a third party without permission of the third party. Key considerations:

  • Authorization must be absent: If the third party consented to the use, this element fails
  • ESP usage is NOT this: Sending through Mailchimp, SendGrid, or other ESPs is done with the ESP's explicit authorization — you are their customer
  • True violations: Hijacking another company's domain in headers, using a compromised third-party server, or inserting someone else's domain in the From: field without permission
Defense Takeaway: If you can demonstrate authorization for every domain and IP address involved in sending the email — through ESP service agreements, SPF records, and DKIM configurations — subsection (C) fails as a matter of law.

Element 3: Commercial Email Advertisement

The email must be a "commercial email advertisement" as defined under the statute. This generally means:

  • The primary purpose is the commercial advertisement or promotion of a product, service, or business
  • Transactional or relationship emails (order confirmations, account updates, shipping notices) are generally excluded
  • Mixed-content emails are evaluated based on the "primary purpose" test

Burden of Proof Summary

Element Plaintiff Must Prove Common Defense
California Nexus Sent from CA or to a CA email address Challenge residency/ISP location
Falsified Headers Specific header fields were falsified or forged SPF/DKIM/DMARC passing proves authenticity
Misleading Subject Reasonable recipient would be deceived Subject accurately describes email content
Unauthorized Domain Third-party domain used without permission ESP service agreement = authorization
Commercial Email Primary purpose is commercial promotion Transactional/relationship email defense

Spoofing vs. Legitimate ESP Routing

This Is the Central Defense Question: Plaintiffs routinely allege "forged headers" when the email was simply routed through a standard Email Service Provider (ESP). Understanding the distinction between actual spoofing and standard email infrastructure is the key to defeating most § 17529.5 claims.

Definition Under the Statute

§ 17529.5(a)(2)(A) targets email that contains "falsified, misrepresented, or forged header information." But the statute does not define these terms with technical precision, which creates the critical battleground for defense.

The defense position: standard ESP email routing is not, and has never been, "spoofing." It is how email works.

How Email Actually Works: ESP Routing

When a business sends email through a legitimate ESP, the email infrastructure works like this:

// What the RECIPIENT sees:
From: marketing@yourbrand.com ← Your brand's domain
Reply-To: marketing@yourbrand.com ← Replies go to YOU
Subject: Summer Collection Now Available

// What the ROUTING HEADERS show:
Return-Path: bounce-id@esp-server.com ← ESP's bounce handler
Received: from esp-mta-04.esp-server.com ← ESP's mail server
DKIM-Signature: d=yourbrand.com; s=esp-key; ← Cryptographic proof
Authentication-Results:
  spf=pass ← yourbrand.com authorized this server
  dkim=pass ← Email verified as unaltered
  dmarc=pass ← SPF and DKIM both align

This is exactly how every major email platform operates. Mailchimp, SendGrid, Hive.co, Constant Contact, HubSpot, Klaviyo, and every other legitimate ESP route email in this manner. The visible From: field shows the sender's domain. The routing infrastructure reflects the ESP. This is not deception — it is standard architecture.

Why ESP Routing Is NOT Spoofing

1. SPF Records Explicitly Authorize the ESP

When a domain owner publishes an SPF record, they are telling the world: "These servers are authorized to send email on my behalf." This is a deliberate, affirmative act of authorization:

yourbrand.com TXT record:
v=spf1 include:espserver.com ~all

// Translation: "espserver.com is authorized to send email for yourbrand.com"

If the receiving mail server checks SPF and it passes, the sending server was authorized to deliver that email. There is no "forgery" — the domain owner explicitly blessed this routing.

2. DKIM Provides Cryptographic Verification

DomainKeys Identified Mail (DKIM) adds a digital signature to each email. The signature can be verified against a public key published in the sender's DNS:

  • The sender's domain publishes a DKIM public key in DNS
  • The ESP signs each outgoing email with the corresponding private key
  • The recipient's mail server verifies the signature against the public key
  • If DKIM passes, the email content has not been altered in transit and the sending domain authorized it
Key Argument: A DKIM-passing email is the opposite of forgery. The sender's domain has cryptographically signed the email. This is the email equivalent of a notarized document — it proves authenticity, not deception.

3. DMARC Alignment Confirms Everything

Domain-based Message Authentication, Reporting & Conformance (DMARC) ties SPF and DKIM together, ensuring alignment with the visible From: domain:

  • SPF alignment: The domain in the Return-Path aligns with the From: domain
  • DKIM alignment: The DKIM signing domain (d=) matches the From: domain
  • DMARC pass: At least one alignment check passes — confirming the email is legitimate

What Actual Spoofing Looks Like

For contrast, here is what genuine email spoofing looks like — the scenario § 17529.5 was designed to address:

// SPOOFED email (what the statute actually targets):
From: support@legitimatebank.com ← FAKE - sender has no connection to this domain
Reply-To: reply-xz29@throwaway.xyz ← Throwaway domain
Return-Path: bounce@random-server.ru ← Completely unrelated server
Authentication-Results:
  spf=fail ← Server NOT authorized by legitimatebank.com
  dkim=none ← No valid signature
  dmarc=fail ← Nothing aligns

Actual Spoofing (Violates Statute)

  • Using a domain you do not own in the From: field
  • SPF fails because the sending server is not authorized
  • No DKIM signature or DKIM fails validation
  • DMARC fails alignment
  • Headers are designed to deceive about the sender's identity

Legitimate ESP Routing (Does NOT Violate)

  • Using your own domain in the From: field
  • SPF passes because you authorized the ESP in DNS
  • DKIM passes with your domain's key
  • DMARC aligns with your domain
  • Routing headers transparently show ESP infrastructure

Case Law Analysis

Balsam v. Trancos (2012)

The court analyzed what constitutes "falsified" headers under § 17529.5. Key holdings:

  • Headers must be actually falsified, not merely routed through a third party
  • The fact that routing headers show an intermediary server does not make them "forged"
  • The court distinguished between deceptive header manipulation and standard email infrastructure

Hypertouch v. ValueClick (2011)

Addressed misleading header analysis in the context of affiliate marketing email:

  • Court examined whether headers "misrepresented" the sender's identity
  • Analyzed the relationship between the advertiser, the affiliate, and the email sender
  • Headers that accurately reflect the sending infrastructure, even through intermediaries, are not inherently "misrepresented"

Asis Internet Services v. Optin Global (N.D. Cal.)

Federal court addressed authentication records as evidence in a § 17529.5 context:

  • Authentication records (SPF, DKIM) are relevant evidence of whether headers were falsified
  • Passing authentication tests supports the defense position that headers are legitimate
  • The court recognized that modern email authentication standards are probative on the question of header integrity
Bottom Line: If SPF passes and DKIM validates, the email infrastructure is working exactly as designed. The sender's domain has explicitly authorized the sending server, and the email's integrity has been cryptographically verified. There is no "forgery" — there is a functioning, transparent, standards-compliant email delivery system.

Standing & Venue Requirements

Standing Is Often Dispositive: Many § 17529.5 cases can be challenged at the threshold by attacking the plaintiff's standing to sue. The statute limits who can bring a claim, and not every person who receives a marketing email qualifies.

Who Can Sue Under § 17529.5

The statute creates a private right of action for two categories of plaintiffs:

1. Electronic Mail Service Providers (ISPs)

  • Definition: An entity that provides email services to end users — hosting email accounts, processing inbound/outbound email
  • Injury theory: The ISP's infrastructure was burdened by processing spam emails
  • Examples: Companies operating mail servers (e.g., hosting providers with email services)
  • Challenge: Verify the plaintiff actually operates as an ISP and was injured in that capacity

2. Actual Recipients

  • Definition: The person who actually received the email at their email address
  • Key requirement: The plaintiff must be the actual recipient, not a downstream party
  • Challenge: Verify the email address actually belongs to the named plaintiff

Standing Challenges: Professional Plaintiffs

Common Pattern: Some serial litigants create email addresses specifically to receive marketing emails, subscribe to lists, then sue when they receive the very emails they solicited. This creates powerful standing and credibility challenges.

Indicators of Professional Plaintiffs

  • Multiple lawsuits: The plaintiff has filed numerous § 17529.5 cases against different defendants
  • Purpose-built email addresses: Email accounts created with no purpose other than receiving marketing email
  • Deliberate subscription: Evidence the plaintiff affirmatively signed up for email lists or used catch-all domains
  • No actual harm: Plaintiff cannot articulate any concrete injury beyond "receiving an email"
  • Boilerplate complaints: Identical or nearly identical complaint language across multiple cases

Key Standing Case Law

Case Holding Defense Application
Balsam v. Tucows Analyzed standing requirements for § 17529.5 plaintiffs; scrutinized whether plaintiff qualified as an ISP or actual recipient Challenge plaintiff's characterization of their role; demand proof of ISP operations or actual receipt
Kleffman v. Vonage Examined recipient standing; addressed whether the plaintiff's use of the email address established standing Probe plaintiff's actual use of the email account; look for manufactured standing

Discovery Into Standing

Defendants should serve early discovery targeting standing issues:

  1. Email account history: When was the account created? What was its purpose? How often is it used?
  2. Subscription records: Did the plaintiff subscribe to email lists? Did they use the address on web forms?
  3. Litigation history: How many § 17529.5 cases has the plaintiff filed? Against how many defendants?
  4. ISP status proof: If claiming ISP standing, what email services do they provide? To how many users?
  5. Actual damages: What concrete injury did the plaintiff suffer from receiving this email?

Venue

Where These Cases Are Filed

  • LASC (Los Angeles Superior Court): If the defendant is in Los Angeles County or the email was sent to an LA-based address
  • Other California Superior Courts: Based on defendant's location or where the email was received
  • Federal Court: If diversity jurisdiction exists (different states, amount in controversy exceeds $75,000) or if federal question jurisdiction is invoked alongside CAN-SPAM claims
Venue Challenge: If the defendant has no connection to the filing county and the email was not sent to an address in that county, file a motion to transfer venue under CCP § 397.

Corporate Defendants: Counsel Required

Critical Rule: A corporation, LLC, or other business entity cannot appear in propria persona (without an attorney) in California unlimited civil court. CCP § 116.540, which permits limited self-representation in small claims court, does not apply to unlimited civil actions.

What This Means

  • If the defendant is a business entity, it must retain a licensed California attorney
  • An officer, director, or owner cannot file an answer or demurrer on behalf of the entity without counsel
  • Failure to appear through counsel can result in a default judgment
  • If the entity cannot afford counsel, it may still face default — inability to pay for a lawyer is not a defense to the requirement

Practical Considerations

Entity Type Can Self-Represent? Notes
Individual / Sole Proprietor Yes Can appear in pro per in unlimited civil
Corporation No Must have licensed counsel
LLC No Must have licensed counsel
Partnership No Must have licensed counsel

Defense Strategies

Defense Roadmap: The following strategies are presented in order of typical priority. The strongest defenses — ESP authentication and CAN-SPAM preemption — should be evaluated first. Procedural motions (sanctions, anti-SLAPP, demurrer) can be deployed in parallel.
1

ESP Authentication Defense

The most powerful defense against § 17529.5(a)(2)(A) "forged header" allegations. If your email was sent through a legitimate ESP with proper authentication, the headers are not forged — they are working exactly as intended.

What you need:

  • SPF records showing the ESP was authorized to send on your domain's behalf
  • DKIM records confirming the email was cryptographically signed by your domain
  • DMARC records showing SPF/DKIM alignment with your From: domain
  • ESP service agreement proving authorization to use their infrastructure
  • Historical DNS records (use archive services) to prove authentication was in place at the time the email was sent

Full ESP Authentication Defense Guide →

2

CAN-SPAM Preemption

Federal CAN-SPAM (15 U.S.C. § 7707(b)) preempts state laws that regulate commercial email. California § 17529.5 survives preemption only through the narrow fraud exception — meaning the statute applies only to falsity and deception, not to regulation of commercial email generally.

Preemption argument structure:

  • CAN-SPAM expressly preempts state laws that regulate "the use of electronic mail to send commercial messages"
  • The fraud exception allows state laws that prohibit "falsity or deception" in email
  • If the plaintiff's claim is really about receiving unsolicited email (not about actual deception), it is preempted
  • Scrutinize the complaint: does it allege actual falsity in headers, or just that the email was unwanted?

Full CAN-SPAM Preemption Analysis →

3

CCP § 128.7 Sanctions Motion

If the complaint lacks factual basis — no actual header analysis, boilerplate allegations, no identification of which specific header was forged — a sanctions motion can be an effective tool to force withdrawal or dismissal.

Requirements:

  • Frivolous allegations: The complaint asserts "forged headers" without analyzing the actual email headers or authentication records
  • No factual investigation: Plaintiff's counsel filed without reviewing SPF/DKIM/DMARC results
  • Safe harbor procedure: You must serve the sanctions motion on opposing counsel and provide a 21-day withdrawal period before filing with the court
  • If plaintiff withdraws: The case goes away without further expense
  • If plaintiff does not withdraw: File the motion with the court and seek fees and costs
Procedural Note: The 21-day safe harbor is mandatory. If you file the sanctions motion with the court without first serving it on opposing counsel and waiting 21 days, the motion will be denied on procedural grounds regardless of merit.
4

Anti-SLAPP Motion (CCP § 425.16)

If the email at issue relates to protected speech — political communications, public interest matters, or speech connected to a public issue — an anti-SLAPP motion can result in early dismissal with a fee award to the defendant.

Applicability:

  • Political campaign emails: Speech in connection with a political campaign or ballot measure
  • Public interest emails: Communications about issues of public concern (health, safety, environment)
  • Nonprofit advocacy: Emails from advocacy organizations about their mission

Procedure:

  • Must be filed within 60 days of service of the complaint
  • Automatic discovery stay while the motion is pending
  • Two-part test: (1) defendant shows claim arises from protected activity; (2) burden shifts to plaintiff to show probability of prevailing
  • If granted, defendant recovers attorney fees and costs
Limitation: Anti-SLAPP is generally not available for standard commercial marketing emails. Courts distinguish between commercial speech and speech on matters of public concern. Use this defense only when the email genuinely involves protected speech.
5

Failure to State a Claim (Demurrer)

If the complaint does not specifically identify which header was "forged" or how it was falsified, the complaint may be subject to demurrer for failure to state facts sufficient to constitute a cause of action.

Grounds for demurrer:

  • Complaint uses only conclusory language ("headers were falsified") without identifying specific headers
  • No allegation of which header field was forged, misrepresented, or falsified
  • No allegation of how the header was deceptive (what was false about it?)
  • Failure to allege the email was a "commercial email advertisement"
  • Failure to allege the California nexus (sent from CA or to a CA address)
Timing: A demurrer must be filed within the same deadline as the responsive pleading (30 days from service). If you demur, you do not also file an answer — the demurrer is the responsive pleading. If the demurrer is overruled, you will have a new deadline to answer.
6

Discovery Into Plaintiff's Filing History

High-volume filers may have credibility issues that undermine their claims. Discovery into the plaintiff's litigation history can reveal patterns that support defense arguments about manufactured standing, lack of genuine injury, and boilerplate litigation tactics.

Discovery targets:

  • Number of § 17529.5 cases filed in the past 5 years
  • Number of different email addresses used to receive marketing emails
  • Whether plaintiff subscribed to email lists voluntarily
  • Prior case outcomes — voluntary dismissals, settlements, sanctions
  • Whether plaintiff uses catch-all email domains or purpose-built addresses

Full Serial Plaintiff Defense Guide →

Defense Strategy Matrix

Defense Best For Timing Result if Successful
ESP Authentication Any "forged header" claim Throughout case Judgment / Summary judgment
CAN-SPAM Preemption Claims really about unsolicited email Demurrer / MSJ Dismissal
§ 128.7 Sanctions Boilerplate, uninvestigated complaints Early (after safe harbor) Withdrawal + fees
Anti-SLAPP Political / public interest emails Within 60 days of service Dismissal + fees
Demurrer Deficient complaints Within 30 days of service Dismissal (with or without leave)
Serial Plaintiff Discovery High-volume filers After answer filed Credibility damage / sanctions

Timeline & Deadlines

Missing a deadline can result in default judgment. If you are a business entity, you must retain counsel immediately upon service. Do not wait until the response deadline approaches — counsel needs time to evaluate the case and prepare the responsive pleading.

Response Deadlines

Day 0: Service of Complaint
Clock starts running
Personal service on the defendant (or substitute service, which adds additional days). Verify the proof of service for proper service under CCP § 415.10-415.50. Defective service can be challenged by motion to quash.
Day 30: Response Deadline
Answer or demurrer due
The defendant must file either an answer (responding to all allegations) or a demurrer (challenging the legal sufficiency of the complaint) within 30 days of service. If served by substitute service, add 10 days. If served by mail, add additional time per CCP § 1013.
Day 30: Extension by Stipulation
LASC CIV 229 stipulation
One 30-day extension is available by stipulation between the parties using LASC form CIV 229 (or equivalent local form in other counties). This extends the response deadline to Day 60. No court order is required for the first extension — just a signed stipulation filed with the court.
Day 60: Extended Response Deadline
Answer or demurrer due (if stipulated)
If you obtained the CIV 229 stipulation, your responsive pleading is now due on Day 60. Additional extensions require a court order and good cause — they are not guaranteed.

Special Motion Deadlines

Within 60 Days of Service
Anti-SLAPP Motion (CCP § 425.16)
Must be filed within 60 days of service of the complaint. The court may grant an extension for good cause, but do not count on it. Filing triggers an automatic discovery stay. If the motion is granted, the defendant recovers attorney fees and costs.
Within Response Deadline
Demurrer
A demurrer must be filed within the same deadline as the answer (30 days, or 60 if extended by stipulation). The demurrer replaces the answer as the responsive pleading. Must meet and confer with opposing counsel before filing (CCP § 430.41).
Serve + 21-Day Safe Harbor
CCP § 128.7 Sanctions Motion
Serve the sanctions motion on opposing counsel. Wait the mandatory 21-day safe harbor period. If plaintiff does not withdraw the offending pleading within 21 days, file the motion with the court. The safe harbor cannot be shortened — it is mandatory.

Discovery Timeline

Preserve ESP Data Immediately: ESP account data, sending logs, and authentication records may be deleted or become inaccessible if accounts are closed or data retention policies expire. Propound discovery as soon as the answer is filed, and send preservation letters to ESPs even before filing the answer.
Immediately Upon Service
Send preservation letters
Send litigation hold / preservation letters to your ESP, DNS provider, and any third-party email infrastructure providers. Request they preserve all sending logs, authentication records, SPF/DKIM/DMARC configurations, and account settings as of the date the emails at issue were sent.
After Answer Filed
Propound discovery
Serve discovery requests targeting: (1) plaintiff's litigation history, (2) plaintiff's email account setup and usage, (3) how plaintiff obtained the email that is the subject of the complaint, (4) plaintiff's actual damages, and (5) whether plaintiff voluntarily subscribed to email lists.
30 Days After Propounding
Discovery responses due
Opposing party must serve responses within 30 days (or 35 days if served by mail). If responses are deficient, meet and confer before filing a motion to compel.
45 Days After Deficient Response
Motion to compel deadline
A motion to compel further responses must be filed within 45 days of receiving deficient responses (CCP § 2030.300, § 2031.310). Missing this deadline waives the right to compel.

Trial Setting

Milestone Typical Timing Notes
Case Management Conference 90-120 days after filing Court sets trial date and discovery cutoffs. File a CMC statement before the hearing.
Discovery Cutoff 30 days before trial All discovery must be completed by this date. Expert discovery may have an earlier cutoff.
Motion Cutoff Varies by court Summary judgment motions typically must be heard at least 30 days before trial (CCP § 437c requires 75-day notice).
Mandatory Settlement Conference 30-60 days before trial Court-ordered settlement conference. Attend with settlement authority.
Trial 12-18 months after filing LASC unlimited civil. Bench trial unless jury is demanded (and jury fees posted).

Deadline Summary Quick Reference

Action Deadline Authority
Answer or demurrer 30 days from service CCP § 412.20, 430.40
Stipulated extension 30 additional days (one time) LASC CIV 229
Anti-SLAPP motion 60 days from service CCP § 425.16(f)
128.7 sanctions (serve) Any time CCP § 128.7(c)(1)
128.7 safe harbor 21 days after service CCP § 128.7(c)(1)
Discovery responses 30 days from service CCP § 2030.260
Motion to compel 45 days from deficient response CCP § 2030.300
Summary judgment notice 75 days before hearing CCP § 437c(a)
Statute of limitations 4 years CCP § 340

Need Help Meeting These Deadlines?

Schedule a consultation to discuss your § 17529.5 defense. We can evaluate your case, identify the strongest defenses, and ensure all deadlines are met.

Contact: owner@terms.law

California State Bar #279869