Section 1
The legal line: legal is not the same as consequence-free
Start with the honest version of the law, because the playbooks either overstate the danger or pretend it does not exist. In the United States, cold email is legal under the CAN-SPAM Act, which does not require prior consent for commercial email; it requires honest headers, a clear opt-out, and that you honor unsubscribes . In the EU and UK, B2B cold email is generally permitted under GDPR's "legitimate interest" basis (Article 6(1)(f)), while B2C requires prior consent . Legitimate interest is not a blank check: it requires a demonstrable business purpose, that the processing be necessary, and that your interest not override the recipient's privacy rights . Two things follow. First, "legal" has teeth attached: CAN-SPAM penalties run into tens of thousands of dollars per email, and GDPR fines reach into the millions or a percentage of global revenue . Second, and more practically, the line between a compliant B2B email and unlawful spam is largely a relevance test. Generic, high-volume blasts to massive unverified lists are what regulators and providers treat as spam; targeted, relevant messages to the right business role are what the legitimate-interest basis is built to cover . The scraped-million approach fails this test by design, because you cannot be relevant to a million strangers. Jurisdiction matters too, and the playbooks flatten it. Cold email is permissive in the US and workable across much of the UK, Canada, and Australia, but several countries, including Germany, require B2B opt-in consent, and France's regulator is tightening prospecting rules . If your scrape does not know which country each contact sits in, it cannot know which rules apply, which is another reason the raw list is a liability rather than an asset.
Section 2
The deliverability line: the mailbox providers set the real limit
Even where sending is legal, Gmail and Yahoo decide whether it arrives, and since February 2024 they enforce requirements that a scraped-blast strategy routinely fails. Bulk senders must authenticate with SPF, DKIM, and DMARC, include a one-click unsubscribe (RFC 8058), and, critically, keep their spam-complaint rate under 0.3 percent, with providers signaling that under 0.1 percent is the real target . "Bulk" is defined as roughly 5,000-plus messages a day to consumer inboxes, and enforcement escalated in late 2025 from temporary delays to permanent rejections . The 0.3 percent complaint threshold is unforgiving on a scraped list. It means three complaints per thousand sends is your ceiling. Scraped lists, sent generic messages, generate complaints precisely because the recipients did not expect or want the mail. Cross the line and your domain gets throttled or blocked, which does not just kill this campaign; it damages the address you send everything from, including client email. The bounce row is the quiet killer. Scraped, unverified data decays at roughly 22 to 30 percent per year , so a raw list carries a heavy share of dead addresses, and bounce rates over 5 percent put the domain at real risk . The provider math and the data-decay math compound: the bigger and rawer the scrape, the faster you cross both the complaint line and the bounce line.
Section 3
What the playbooks don't tell you: the scrape is a small input
The SaaS growth content treats the scraped list as the engine. It is not. It is one input, and a small one, into a system whose real components are targeting, verification, relevance, and deliverability discipline. A scraped million that you cannot send legally or deliver technically is worth less than a scraped few hundred you can. The value was never in the scrape; it was in what you did to the scrape before you sent. This is the honest reframe. The volume playbooks make money selling you the tool that produces volume, so they emphasize the step they sell and stay quiet about the constraints that make volume worthless. The constraints, legal basis and deliverability, are where the actual work is, and they push you toward exactly what account-based, personalized outreach already recommends: small, relevant, verified lists sent to people you can be genuinely relevant to. The compliance line and the deliverability line both reward the same behavior, which is not a coincidence.
Section 4
The compliant, deliverable scraped-email checklist
You can use scraped data responsibly. The rules are consistent across the legal and deliverability lines: 1. Scrape only business roles at business domains. Corporate addresses at real companies, targeted by role, are the population legitimate interest is designed to cover and the population least likely to complain. Personal-domain addresses invite both legal and complaint risk. 2. Verify before you send. Drop unverified, catch-all, and unknown statuses to keep bounces under 2 percent , because decayed data is guaranteed on any scrape . 3. Authenticate and enable one-click unsubscribe. SPF, DKIM, DMARC, and RFC 8058 unsubscribe are mandatory for bulk sending; without them you fail before relevance even matters . 4. Send relevant, targeted mail, and honor every opt-out. Relevance is simultaneously the legal safe harbor and the complaint-rate defense that keeps you under 0.3 percent . Honoring unsubscribes is both a CAN-SPAM requirement and basic reputation hygiene.
Section 5
You are handling scraped cold email right when…
You are handling it right when your scraped list gets smaller before it gets sent, because you removed everything you cannot legally or relevantly email. You are handling it right when you can name the legal basis you are relying on, CAN-SPAM in the US, legitimate interest in the EU/UK, and you know which contacts sit in stricter jurisdictions . You are handling it right when your domain is authenticated, your unsubscribe is one click, your complaint rate sits under 0.1 percent, and your bounce rate under 2 percent . And you are handling it right when you have accepted that the scrape was the easy 5 percent and put your real effort into the 95 percent that decides whether the mail is legal, deliverable, and worth sending at all. You are not ready to run scraped cold email if your plan is to send generic mail to the largest list you can assemble, because that plan fails the relevance test that governs both the legal line and the complaint line, and it puts the domain you run your business on at risk. The volume playbook is selling you the cheap step and hiding the expensive ones. Do the expensive ones, or do not send.
Section 6
Key takeaways
• Scraping is the trivial input; the legal basis and the deliverability math are where the real constraints live, and both are ignored by volume playbooks. • B2B cold email is legal in the US under CAN-SPAM (opt-out, honest headers, no consent required) and in the EU/UK under GDPR legitimate interest, but only when relevant and targeted . • Gmail and Yahoo require authentication, one-click unsubscribe, and a spam-complaint rate under 0.3 percent (target under 0.1 percent), enforced with permanent rejections since late 2025 . • Scraped data decays 22 to 30 percent a year , so unverified lists spike bounces, and over 5 percent puts the domain at risk . • Relevance is the shared safe harbor: it satisfies the legal basis and keeps complaint rates low, which is why compliant scraping converges on small, targeted, verified lists.