SMS COMPLIANCE A2P-10DLC

SMS Compliance Checklist for Business Texting

SIPNEX ·

SMS compliance for business texting comes down to seven operational controls: capture and store provable consent, honor STOP and every other opt-out within the FCC’s window, send only between 8 a.m. and 9 p.m. recipient local time, keep SHAFT content off unregistered routes, register your traffic (10DLC or toll-free verification), identify your brand in every message, and retain the records that prove all of it. Miss any one of those and you are exposed — to carrier filtering on the delivery side and to TCPA litigation on the legal side.

This is the operational checklist. If you want the consent-law analysis behind these steps — what counts as prior express written consent for texting, how the FCC’s revocation rules evolved, where courts disagree — read our TCPA text message compliance deep dive. If you run outbound voice campaigns, the TCPA compliance checklist for dialer operators covers the calling side. This page covers what your messaging operation must actually do, step by step.

SIPNEX is an FCC-licensed carrier that provides SMS and MMS messaging on the same DIDs that carry voice. We are not lawyers and this is not legal advice — we are the carrier that processes the opt-out signaling, submits the 10DLC registrations, and watches which campaigns get filtered. This checklist reflects what actually goes wrong.

Consent is the foundation, but the operational failure is rarely “we never got consent.” It is “we cannot prove it.” A consent record you cannot produce in litigation is functionally the same as no consent at all.

For every phone number in your messaging database, verify:

  • The consent record stores the exact disclosure language the subscriber agreed to, not just a “consented: yes” flag
  • The record includes a timestamp, the capture method (web form, keyword opt-in, paper, verbal), and the specific phone number
  • Web form opt-ins capture the page URL and form version in effect at the time
  • Marketing consent and informational consent are tracked separately — consent to receive shipping updates is not consent to receive promotions
  • Consent is not a hidden condition of purchase and is not buried in terms of service
  • Numbers acquired without documented consent (purchased lists, scraped data, old CRM imports) are excluded from campaigns entirely

Keyword opt-ins (“Text JOIN to 833-555-0100”) are the cleanest capture method because the inbound message itself is the consent record — the subscriber’s own device created the evidence, with a timestamp, from their number.

Step 2: Honor opt-outs — STOP is the floor, not the ceiling

Under FCC rules that took effect April 11, 2025, you must honor a revocation request within a reasonable time, not to exceed 10 business days. The FCC also identified standardized keywords that must always be treated as revocation: stop, quit, revoke, opt out, cancel, unsubscribe, and end. Beyond keywords, consumers can revoke through any reasonable means — a reply in plain English (“please don’t text me again”) counts.

Operationally:

  • STOP and the other standardized keywords trigger automatic, immediate suppression — no human review step
  • Free-text replies expressing an opt-out intent are routed to a queue and processed inside the 10-business-day window
  • One confirmation message is permitted after an opt-out, but only if it contains no marketing content and is sent promptly — the FCC’s rule allows it within five minutes
  • The suppression list is global across every campaign and sending number you operate, not per-campaign
  • Opt-outs received on other channels (email, phone, chat) also suppress the number

Build global suppression now; the FCC’s delayed revoke-all provision (now scheduled for January 31, 2027) is analyzed in the TCPA deep dive.

Step 3: Respect quiet hours

A litigation wave since late 2024 has applied the TCPA’s 8 a.m.–9 p.m. recipient-local solicitation window to marketing texts even with consent — the legal fight is covered in the TCPA deep dive.

The operational answer does not wait for the courts:

  • Schedule marketing sends inside 8 a.m. to 9 p.m. recipient local time, without exception
  • Derive the recipient’s time zone from area code and prefix data, not from your own server clock — a 6 p.m. send from an East Coast platform lands at 3 p.m. Pacific, but the reverse trip is how violations happen
  • When a number’s time zone is ambiguous (some area codes span two zones), apply the more restrictive window
  • Transactional and informational messages triggered by the customer (delivery confirmations, 2FA codes) are a different category, but batch marketing blasts get the full quiet-hours treatment

Step 4: Screen content — SHAFT and required elements

Carrier content rules run on the CTIA’s Messaging Principles and Best Practices. These are industry guidelines rather than law, but US carriers enforce them as a condition of network access — a violation gets your traffic filtered or your campaign suspended, no court required.

The screening list:

  • No SHAFT violations: sex, hate, alcohol, firearms, and tobacco content is restricted — adult content and hate speech are prohibited outright, while alcohol, firearms, and tobacco messaging requires age-gating that verifies legal age before delivery
  • No cannabis marketing on any registered route — carriers prohibit it regardless of state legality because it remains federally controlled
  • No prohibited-category evasion: link shorteners that mask the destination, snowshoeing content across numbers, or misleading campaign descriptions at registration all read as evasion and get campaigns revoked
  • Every marketing message identifies your brand (see Step 6)
  • Recurring campaigns disclose message frequency and “Msg & data rates may apply” at opt-in, and include opt-out instructions (“Reply STOP to cancel”) in the first message and periodically thereafter
  • The content you actually send matches the sample messages you registered — drift between the two is a filtering trigger

Step 5: Verify registration status

Unregistered application-to-person traffic on standard 10-digit local numbers is filtered aggressively by US carriers. If you are sending business SMS and have not registered, delivery — not law — is your first problem.

Confirm:

  • Your brand is registered with The Campaign Registry and your campaign use case matches what you actually send — our A2P 10DLC registration guide walks through the process end to end
  • Every sending number is attached to a registered campaign, not just the first batch you provisioned
  • Toll-free sending numbers have completed toll-free verification, which is a separate process from 10DLC
  • Your throughput tier matches your send volume — blasting past your messages-per-second allocation queues or drops traffic
  • High-volume sends are structured for your registered route; our guide to sending mass text messages covers the mechanics

If you are new to the registration landscape, start with the A2P messaging explainer — it maps the 10DLC, toll-free, and short code routes and when each applies.

Step 6: Lock down sender ID

Your sender identity is both a compliance element and a deliverability asset.

  • Every message names your business — recipients (and carriers reviewing complaints) should never have to guess who is texting
  • Sending numbers are consistent per program: customers recognize the number that texts them, and replies land where your opt-out processing lives
  • The numbers you text from can receive replies — dead-end sending numbers break STOP processing and violate the opt-out requirements in Step 2
  • If a number carries both voice and SMS, the caller ID name and the message sender name agree — mismatches feed spam complaints

Step 7: Retain the records

TCPA claims are generally subject to a four-year federal statute of limitations, which means the message you send today is litigation-relevant until mid-2030. Retention is what turns your compliance program from a policy into a defense.

  • Consent records: retained at least four years after the last message sent to that number, with the full capture detail from Step 1
  • Opt-out records: the inbound revocation, its timestamp, and the suppression action taken — retained at least five years, matching the DNC retention convention on the voice side
  • Message logs: campaign, content, sending number, recipient, and delivery timestamp for every send
  • Registration records: your TCR brand and campaign details, sample messages, and any carrier correspondence
  • An audit trail proving the suppression list was applied — a quarterly self-audit that samples sent messages against the opt-out list will catch a broken suppression job before a plaintiff does

The one-page version

  • Consent captured with disclosure language, timestamp, method, and number — and provable
  • STOP, quit, revoke, opt out, cancel, unsubscribe, end auto-suppress instantly
  • Free-text opt-outs processed within 10 business days
  • Suppression list is global across campaigns and channels
  • Marketing sends restricted to 8 a.m.–9 p.m. recipient local time
  • No SHAFT content without required age-gating; no cannabis
  • Opt-in disclosures and STOP instructions present
  • 10DLC brand and campaign registered; toll-free numbers verified
  • Every message identifies your brand; sending numbers accept replies
  • Consent, opt-out, and message logs retained four-plus years

Frequently asked questions

What are SMS quiet hours?

Quiet hours are the TCPA’s time-of-day restriction: telephone solicitations are prohibited before 8 a.m. or after 9 p.m. local time at the recipient’s location, and plaintiffs have applied that rule to marketing text messages. A litigation wave beginning in late 2024 targeted brands for promotional texts sent outside the window, and while industry groups have asked the FCC to confirm that consented messages are exempt, the question remains contested. The safe operational posture is to schedule all marketing sends inside 8 a.m. to 9 p.m. in each recipient’s time zone, derived from area code data — not your platform’s clock. See our TCPA text messaging deep dive for the legal background.

What is SHAFT content in text messaging?

SHAFT stands for sex, hate, alcohol, firearms, and tobacco — the restricted content categories under the CTIA’s Messaging Principles and Best Practices. Adult content and hate speech are prohibited outright on US carrier networks. Alcohol, firearms, and tobacco messaging can be permitted with age-gating that verifies the recipient is of legal age before delivery. Cannabis marketing is prohibited regardless of state legality because it remains federally controlled. These are industry guidelines rather than statutes, but carriers enforce them as a condition of network access: violations get messages filtered or entire campaigns suspended without any court involvement. Screen your content and your registered sample messages against these categories before launch.

What keywords must be honored as SMS opt-outs?

Under the FCC’s revocation rules effective April 11, 2025, the standardized keywords stop, quit, revoke, opt out, cancel, unsubscribe, and end must always be treated as revocation of consent, and consumers may also revoke through any reasonable means — including a plain-English reply. Revocations must be honored within a reasonable time not exceeding 10 business days. In practice, the standardized keywords should trigger automatic, immediate suppression with no human review, while free-text opt-outs route to a processing queue inside the deadline. One non-marketing confirmation message is permitted after an opt-out. Your carrier’s opt-out signaling handles the keyword layer; the suppression list architecture is yours to build.

How long should I keep SMS consent records?

At least four years after the last message sent to the number. TCPA claims are generally subject to a four-year federal statute of limitations, so every message you send remains litigation-relevant for four years — and the consent record is your defense. The full evidentiary field spec — versioned disclosure language, capture context, scope — is in the TCPA deep dive. Opt-out records deserve equal treatment — retain the inbound revocation, its timestamp, and the suppression action for at least five years, matching the DNC retention convention on the voice compliance side. A consent you cannot produce is functionally no consent at all.

Do transactional texts follow the same compliance rules as marketing texts?

Not identically, but they are not exempt. Transactional and informational messages — delivery confirmations, appointment reminders, 2FA codes — require prior express consent (the customer provided their number in a relevant context) rather than the higher written-consent standard for marketing, and customer-triggered messages are treated differently under the quiet-hours analysis. But opt-outs still apply: a STOP reply to a transactional stream must be honored. Registration still applies: transactional A2P traffic on 10-digit numbers needs 10DLC registration like any other business messaging. And record retention applies equally. The category changes the consent bar, not the operational discipline.


SIPNEX provides SMS and MMS messaging on the same carrier network that signs your voice calls — 10DLC registration handled on your behalf, opt-out signaling built in, and message logs you can actually audit. Call (833) 665-2220 or see our rates to put your texting on carrier-direct infrastructure.

SIPNEX

The carrier built by operators, for operators.

FCC-licensed carrier with its own STIR/SHAKEN SP certificate. Operator-owned. SIP trunks built for operators who dial at volume.