The Compliance Side of Adding SMS and RCS to Email

  • Nick Donaldson

    Nick Donaldson

    Senior Director of Growth, Knak

Published Jul 6, 2026

The Compliance Side of Adding SMS and RCS to Email

Dive deeper with AI

Extending a marketing program from email into SMS and RCS is usually framed as adding channels. From a compliance standpoint, you are adding regimes. Each new channel arrives with its own rulebook, its own regulator, and, inside your own organization, its own owner. The danger is rarely that any single rule is hard to follow. It is that the people responsible for each rule do not talk to each other, and the gaps between them are where compliance quietly breaks.

This is a planning problem more than a legal one, which is good news, because planning problems can be designed for. What follows is how the regimes stack up as you add channels, where ownership tends to fragment, and how to keep the whole thing coordinated. It is education, not legal advice; your compliance and legal teams own the specifics for your business.

Email compliance set the baseline

Email compliance starts with rules most teams know. In the United States, CAN-SPAM requires a valid physical address and a working unsubscribe in every commercial message. GDPR adds a lawful basis for contact and a privacy policy. Canada's CASL requires consent and clear sender identification. These are the table stakes, and most marketing teams have them handled.

What has changed is that deliverability has become its own compliance regime, enforced by the mailbox providers rather than a government. Since early 2024, Gmail and Yahoo have required bulk senders to authenticate with SPF and DKIM, align DMARC, offer one-click unsubscribe, and keep complaints low. The bar is concrete: Google's bulk-sender guidelines require a spam-complaint rate under 0.3%, with a strong push to stay below 0.1%, and Yahoo holds senders to the same standard. Miss it and your mail is throttled or rejected regardless of how clean your legal footer is. This regime is owned by IT and security as much as marketing, because authentication lives in DNS records, which sit with infrastructure rather than the email builder. Even so, only about half of senders have implemented DMARC, which is the first sign of how easily a shared responsibility falls through the cracks.

SMS adds a second regime

Add SMS and you inherit a different rulebook with a different owner. In the US, the TCPA governs consent for text messaging, and the consent standard is stricter and more explicit than email's. On top of the law, the carriers run their own gate: A2P 10DLC registration through The Campaign Registry, which vets your brand and each campaign before you are allowed to send business traffic at all. This is a gate you clear before sending, the inverse of email's unsubscribe-after-the-fact model, and it sits with marketing operations rather than IT.

The cost of letting a messaging channel run outside your governed system is not hypothetical. Across financial services, regulators have penalized firms heavily for business messaging that happened outside approved, supervised channels. On a single day in September 2022, the SEC charged 16 firms more than $1.1 billion and the CFTC charged 11 firms $710 million over off-channel communications, and the SEC's actions had passed $1.5 billion across 30 firms by August 2023. Those cases are about recordkeeping rather than marketing texts specifically, but the lesson generalizes: when a messaging channel operates outside your governed system, the exposure is real and it is expensive.

RCS adds a third

RCS, the richer successor to SMS, is now viable at scale because Apple brought it to the iPhone with iOS 18, and US device reach has expanded sharply since. It also adds a third layer of governance. RCS Business Messaging requires brand and sender verification through Google and the carriers, a step that has no clean equivalent in email or SMS. The compliance rules you already know still apply. TCPA and S.H.A.F.T. extend to RCS as well as SMS, and Google maintains its own acceptable-use policy for what a verified sender can send.

The awkward part is ownership, and it splits three ways. Email authentication has a home in IT, SMS consent and registration have a home in marketing operations, and RCS sender verification often has no settled owner at all, because it is new enough that no team has claimed it.

The real risk is that the owners don't talk

Lay the three regimes side by side and the pattern is clear.

Channel

Email

Governing rules

CAN-SPAM, GDPR, CASL

Provider or carrier gate

SPF, DKIM, DMARC, spam-rate limits

Typical internal owner

IT and security

Channel

SMS

Governing rules

TCPA, consent rules

Provider or carrier gate

A2P 10DLC registration (The Campaign Registry)

Typical internal owner

Marketing operations

Channel

RCS

Governing rules

TCPA, S.H.A.F.T., Google AUP

Provider or carrier gate

Brand and sender verification (Google and carriers)

Typical internal owner

Often unassigned

This is only the US picture: teams sending into the EU, Canada, or Asia-Pacific stack a parallel set of consent and privacy regimes on top, each adding another owner to the map. Within any single market, each team can be doing its own job correctly while the program as a whole drifts out of compliance, because nobody owns the seams between them.

That is where the failures live, in the gaps between systems. Consent captured for email does not automatically satisfy the stricter SMS standard: a subscriber who opted into your newsletter has not, by TCPA's measure, agreed to receive texts, and a campaign that treats those as one consent is the kind of gap that turns a compliant program non-compliant without anyone deciding to break a rule. A sender identity verified for RCS does not match the one authenticated for email, and an audit trail that looks complete in three separate systems is, in practice, three partial trails no one can assemble on demand. None of these is a broken rule. Each is a broken handoff, and handoffs are exactly what a governance program is supposed to manage.

Compliance is a coordination problem you can design for

Stop treating compliance as a property of each channel, and start treating it as shared infrastructure. Consent, sender identity, brand assets, and approval workflows are not email things or SMS things. They are campaign things, reused across every surface the campaign touches. When they live in one governed pool, adding a channel means extending a system you already control rather than standing up a new silo with a new owner who does not talk to the others.

Practically, that means producing every channel from the same place, with the same approval pass and the same source of truth for who consented to what. This is the case for building email, SMS, and RCS in one enterprise production system rather than three disconnected tools. When the form of consent, the sender identity, and the brand are governed once and applied everywhere, the seams between IT, marketing, and operations stop being the place compliance falls apart.

The compliance work of going omnichannel is real, but it argues for adding channels deliberately, from a system built to keep them coordinated. Get the coordination right and each new channel becomes an extension of a program you already trust. See how Knak helps enterprise teams produce email, SMS, and RCS from one governed system.


Share this article

  • Nick Donaldson 2025 headshot gradient

    Author

    Nick Donaldson

    Senior Director of Growth, Knak

Why marketing teams love Knak

  • 95%better, faster campaigns = more success

  • 22 minutesto create an email*

  • 5x lessthan the cost of a developer

  • 50x lessthan the cost of an agency**

* On average, for enterprise customers

** Knak base price

Ready to see Knak in action?

Get a demo and discover how visionary marketers use Knak to speed up their campaign creation.

Watch a Demo
green sphere graphic used for decorative accents - Knak.com