Understanding CTIA SMS content policies is essential for any marketer operating campaigns over short codes or 10DLC (10-digit long code) numbers. While most compliance guides focus on consent and opt-in mechanics, the content of the messages themselves is governed by a separate — and often misunderstood — layer of rules. The CTIA's Messaging Principles and Best Practices, combined with carrier-specific content policies, dictate which message categories are permitted, which require special vetting, and which are flatly prohibited. Getting this wrong can result in campaign suspension, number deactivation, or outright blacklisting by carrier aggregators.
This guide provides a granular, practical reference for SMS marketers who already understand the basics of TCPA, 10DLC, and carrier rules but need detailed guidance on what content is actually allowed — and under what conditions.
How CTIA Content Policies Work
The CTIA (Cellular Telecommunications Industry Association) is a trade group representing U.S. wireless carriers. While it lacks direct regulatory authority like the FCC or FTC, its guidelines function as de facto law for the SMS ecosystem. Carriers — AT&T, T-Mobile, Verizon, and others — enforce CTIA guidelines through their messaging gateway policies, and aggregators like Syniverse, Iconectiv, and The Campaign Registry (TCR) use them as the basis for campaign vetting.
Content policies apply at two levels:
- Campaign registration — When you register a short code or 10DLC campaign, the declared use case and content category are reviewed against CTIA guidelines. Misrepresenting your content category is grounds for immediate rejection or later suspension.
- Message-level filtering — Carriers run real-time content filtering on messages in transit. Even if your campaign is approved, individual messages containing prohibited content or patterns can be blocked.
This dual-layer enforcement means compliance is not a one-time checkbox. It is an ongoing operational requirement that applies to every message you send.
Content Categories: Permitted, Restricted, and Prohibited
CTIA content policies divide message content into three broad tiers. The specifics vary slightly between short code and 10DLC programs, but the general framework is consistent.
Standard (Permitted) Content
These content types are generally approved for both short code and 10DLC campaigns without special vetting requirements:
- Transactional notifications (order confirmations, shipping updates, appointment reminders)
- Account alerts (balance notifications, security codes, password resets)
- Customer service and support messages
- Marketing promotions for non-restricted products and services
- Informational messages (weather alerts, news updates with prior consent)
- Loyalty and rewards program communications
- Survey and polling messages
Even within standard content categories, messages must comply with general messaging principles: they must be relevant to the stated campaign purpose, must not be misleading, and must include proper opt-out instructions.
Restricted (Special Approval Required) Content
Certain content categories are not outright banned but require additional vetting, age gating, or carrier-specific approval. These are sometimes referred to as "SHAFT-adjacent" categories or special-use cases.
| Content Category | Short Code | 10DLC | Requirements |
|---|---|---|---|
| Cannabis / CBD (where legal) | Restricted | Restricted | Age gate, state-law compliance, no health claims |
| Alcohol promotions | Restricted | Restricted | Age gate (21+), no promotion to minors |
| Firearms and ammunition | Restricted | Restricted | Age gate, no illegal sales facilitation |
| Tobacco and vaping | Restricted | Restricted | Age gate, FDA compliance |
| Gambling and wagering | Restricted | Restricted | State licensing verification, age gate |
| Financial services (lending, credit) | Permitted with disclosures | Restricted | TILA/Reg Z disclosures, no predatory language |
| Debt collection | Permitted with disclosures | Restricted | FDCPA compliance, mini-Miranda |
| Political messaging | Permitted | Permitted (special use case) | Sender identification, disclaimer requirements |
| Prescription pharmaceuticals | Restricted | Restricted | Licensed pharmacy verification, no controlled substance promotion |
The acronym "SHAFT" (Sex, Hate, Alcohol, Firearms, Tobacco) is commonly referenced in the industry as shorthand for high-risk content categories. However, the actual CTIA guidelines are more nuanced than this acronym suggests. Some SHAFT-adjacent content is permissible with proper controls, while some non-SHAFT content (like high-risk financial offers) faces equally strict scrutiny.
Prohibited Content
The following content types are prohibited across all carrier networks and messaging channels. No amount of vetting or special approval will make these permissible:
- Illegal products or services
- Phishing or social engineering attempts
- Malware distribution or links to malicious sites
- Content promoting violence, terrorism, or self-harm
- Child sexual abuse material (CSAM)
- Hate speech targeting protected classes
- Fraudulent schemes (fake prize notifications, advance-fee fraud)
- Spam — unsolicited commercial messages sent without prior express consent
- Content designed to circumvent carrier filtering (snowshoeing, content spinning to evade detection)
Key takeaway: The line between "restricted" and "prohibited" is not always obvious. Cannabis marketing, for example, is restricted (permissible with controls) in states where it is legal, but prohibited in states where it remains illegal. Context and jurisdiction matter.
Short Code vs. 10DLC: Content Policy Differences
While the CTIA's overarching content principles apply to both short codes and 10DLC numbers, the enforcement mechanisms and approval processes differ significantly. Understanding these differences is critical for choosing the right sending infrastructure.
Short Code Content Approval
Short codes go through a rigorous approval process managed by the CSCA (Common Short Code Administration) and individual carriers. This process typically takes 8–12 weeks and includes:
- A detailed program brief describing all message content
- Sample messages for every message flow (welcome, marketing, transactional, opt-out confirmation)
- Terms of service and privacy policy review
- Carrier-by-carrier approval — each major carrier reviews independently
The advantage of this thorough vetting is that approved short codes generally enjoy higher deliverability and throughput. The disadvantage is the time and cost involved, and the fact that any content change may require re-approval.
10DLC Content Approval
10DLC campaigns are registered through The Campaign Registry (TCR) and vetted by a combination of automated and manual review processes. Registration requires:
- Brand registration (business identity verification)
- Campaign registration with a declared use case and content category
- Sample messages (typically 2–5 examples)
- An opt-in flow description
For a complete walkthrough of the registration process, see our 10DLC registration guide.
10DLC content policies have become increasingly strict since T-Mobile's content filtering updates in 2023–2024. Campaigns that were previously approved may face new scrutiny, particularly in restricted categories. The trust score assigned during brand vetting directly affects throughput limits, making accurate content declaration doubly important.
| Factor | Short Code | 10DLC |
|---|---|---|
| Approval timeline | 8–12 weeks | 1–7 days (standard); longer for special use cases |
| Content review depth | Full carrier-by-carrier review | TCR automated + manual review |
| Restricted content handling | Case-by-case carrier approval | Special use case registration required |
| Content change process | May require re-approval | Campaign update through TCR |
| Filtering strictness | Lower (pre-vetted) | Higher (real-time filtering more aggressive) |
| Cost | $500–$1,000/month lease + setup | One-time registration fees ($4–$15) |
Carrier-Specific Content Rules
While CTIA guidelines provide the baseline, individual carriers maintain their own content policies that can be more restrictive. Marketers must comply with the most restrictive applicable policy.
T-Mobile / Sprint
T-Mobile has been the most aggressive carrier in content filtering enforcement. Key T-Mobile-specific policies include:
- Strict filtering on URL shorteners — Public shorteners (bit.ly, tinyurl) are frequently flagged. Custom branded short domains are strongly recommended.
- Enhanced filtering for low-trust campaigns — 10DLC campaigns with low trust scores face more aggressive content scrutiny.
- Zero tolerance for cannabis content on 10DLC — Even in states where cannabis is legal, T-Mobile generally prohibits cannabis-related 10DLC messaging, though some short code programs have been approved with extensive documentation.
- Aggressive snowshoeing detection — Distributing similar content across multiple numbers to evade rate limits will trigger blocking.
AT&T
AT&T's content policies align closely with CTIA guidelines but include additional restrictions on:
- Lead generation campaigns — AT&T requires clear disclosure of how subscriber data was collected and prohibits purchased or rented lists.
- Affiliate marketing content — Campaigns promoting third-party offers face heightened scrutiny.
- Message frequency — AT&T monitors for excessive messaging relative to the declared campaign frequency.
Verizon
Verizon's content policies are generally the least restrictive of the three major carriers but still enforce:
- Prohibition on unsolicited commercial messages
- Content filtering for known spam patterns
- Restrictions on adult content outside of age-gated short code programs
Practical note: Because carrier policies can change without public announcement, the safest approach is to design campaigns that comply with the most restrictive carrier's rules. If your content would not pass T-Mobile's filters, assume it will cause problems across the ecosystem.
Common Content Violations and How to Avoid Them
Many campaign suspensions stem not from intentionally prohibited content but from inadvertent policy violations. Below are the most common issues encountered in practice.
Misleading or Deceptive Content
Messages that create a false sense of urgency, misrepresent the sender, or make unsubstantiated claims violate both CTIA guidelines and FTC regulations. Examples include:
- "Your account has been compromised" (when no security event occurred)
- "You've been selected for a $1,000 gift card" (when no actual selection occurred)
- Impersonating a government agency or well-known brand
- Making health claims for supplements or CBD products without FDA approval
Missing or Inadequate Opt-Out Instructions
Every marketing message must include a clear opt-out mechanism. The standard is "Reply STOP to unsubscribe" or equivalent language. Common mistakes include:
- Omitting opt-out instructions entirely
- Using non-standard opt-out keywords that the platform does not actually process
- Burying opt-out instructions in a way that makes them difficult to find
- Failing to honor opt-out requests promptly (carriers expect processing within minutes, not days)
Platforms like Trackly handle opt-out processing automatically, intercepting STOP replies and immediately adding the number to a suppression list before the next message is sent. This kind of automated compliance reduces the risk of sending to opted-out subscribers, which is one of the fastest paths to campaign suspension.
Content–Use Case Mismatch
If you register a 10DLC campaign as "customer service notifications" but then send promotional marketing messages, carriers will flag the mismatch. This is one of the most common reasons for 10DLC campaign rejection or post-approval suspension.
The solution is straightforward: register separate campaigns for distinct use cases. A transactional notification campaign and a marketing campaign should be registered independently, even if they target the same subscriber base.
URL and Link Policy Violations
Links in SMS messages are heavily scrutinized by carrier filters. Common link-related violations include:
- Using public URL shorteners (bit.ly, ow.ly, tinyurl.com) — these are frequently associated with spam and phishing
- Linking to domains that are newly registered or have poor reputation scores
- Redirecting through multiple domains before reaching the final destination
- Including links to content that does not match the registered campaign purpose
Trackly's built-in link tracking with custom short domains addresses this directly. By using a branded domain that you control, messages avoid the spam signals associated with shared public shorteners, and the domain builds reputation over time as a legitimate sending source.
Excessive Frequency
Sending more messages than the frequency disclosed at opt-in is a content policy violation. If your opt-in flow states "up to 4 messages per month" and you send daily messages, carriers can and will throttle or block your traffic. This is also a TCPA risk, as courts have interpreted consent as limited to the scope disclosed at the time of opt-in.
Age Gating Requirements for Restricted Content
For content categories that require age verification (alcohol, tobacco, cannabis, gambling), CTIA guidelines mandate specific age-gating procedures.
Short Code Age Gating
Short code programs with age-restricted content must implement a double opt-in flow that includes age verification:
- User texts a keyword to the short code.
- System responds with an age verification prompt (e.g., "Reply YES to confirm you are 21 or older").
- User confirms age.
- System sends the standard opt-in confirmation with program details and opt-out instructions.
- Only after age confirmation does the user begin receiving content.
10DLC Age Gating
10DLC campaigns with age-restricted content follow a similar pattern, but the age verification is typically handled at the web opt-in level rather than within the SMS flow itself. The opt-in form should include an age verification checkbox or date-of-birth field, and this verification should be documented in the campaign registration.
Note that age gating via SMS (asking users to self-report their age) is considered a weak form of verification. For highly regulated categories like online gambling, carriers may require integration with third-party age verification services.
How Carriers Detect Content Violations
Understanding how carrier filtering works helps marketers avoid false positives — legitimate messages that get blocked because they trigger spam heuristics.
Pattern-Based Filtering
Carriers maintain databases of known spam patterns, including:
- Specific phrases associated with fraud ("act now," "limited time," "claim your prize")
- Excessive use of special characters, emojis, or ALL CAPS
- Known spam URLs and URL patterns
- Phone number formatting designed to evade detection
Volume and Velocity Analysis
Sudden spikes in message volume, rapid sending to large lists, or unusual sending patterns trigger automated review. This is why throughput rate limiting — sending at a controlled, consistent pace — is important for deliverability. Trackly's deliverability tools include throughput rate limiting specifically designed to keep sending patterns within carrier-acceptable ranges.
Complaint-Based Filtering
When subscribers report messages as spam (either through carrier spam reporting tools or by forwarding messages to 7726/SPAM), the carrier associates those complaints with your sending number and campaign. A high complaint rate — generally above 0.3–0.5% — can trigger filtering or suspension.
Content Fingerprinting
Carriers use content fingerprinting to detect when the same or very similar messages are being sent across multiple numbers or campaigns. This technique is specifically designed to catch snowshoeing — the practice of distributing spam across many numbers to stay under per-number rate limits. Even legitimate marketers can trigger this if they send identical messages from multiple campaigns without differentiation.
Practical Compliance Checklist
Use this checklist before launching any SMS campaign to verify content policy compliance:
- Content category declared accurately — Does your TCR campaign registration or short code application accurately describe the content you will send?
- Sample messages match actual sends — Will your real messages closely resemble the samples submitted during registration?
- Opt-out mechanism included — Does every marketing message include clear opt-out instructions?
- Opt-out processing automated — Is your platform configured to immediately honor STOP requests?
- Frequency matches disclosure — Are you sending at or below the frequency disclosed in your opt-in flow?
- Links use branded domains — Are you using custom short domains rather than public URL shorteners?
- Age gating implemented — If sending restricted content, is age verification in place?
- No prohibited content — Have you reviewed messages against the prohibited content list?
- Quiet hours respected — Are you avoiding sends during state-level quiet hours?
- Sender identified — Does the message clearly identify who is sending it?
Consequences of Content Policy Violations
The consequences of content policy violations escalate based on severity and frequency:
| Violation Level | Typical Consequence | Recovery Path |
|---|---|---|
| First minor violation | Message filtering (messages silently dropped) | Adjust content; filtering usually lifts within 24–72 hours |
| Repeated minor violations | Campaign throughput throttling | Content review and campaign update through TCR |
| Major violation | Campaign suspension | Appeal through TCR or carrier; may require new campaign registration |
| Severe or intentional violation | Number deactivation and potential brand blacklisting | Extremely difficult to recover; may require new brand registration |
Brand blacklisting is the most severe outcome and can affect your ability to register new campaigns across all carriers. Proactive compliance is far less costly than reactive remediation.
Staying Ahead of Policy Changes
CTIA content policies are not static. They evolve in response to new spam trends, regulatory changes, and carrier technology updates. Marketers should:
- Monitor CTIA updates — The CTIA publishes updated Messaging Principles and Best Practices periodically. Review each update for changes that affect your campaigns.
- Track TCR announcements — The Campaign Registry issues bulletins about policy changes, new content categories, and enforcement updates.
- Review carrier developer portals — T-Mobile, AT&T, and Verizon each maintain messaging policy documentation that may include carrier-specific changes not reflected in CTIA guidelines.
- Audit campaigns quarterly — Review your active campaigns against current policies at least every quarter. Content that was compliant six months ago may no longer be.
- Test deliverability regularly — Send test messages to numbers on each major carrier network to verify that your messages are being delivered. Silent filtering means you may not discover a problem until you actively check.
Trackly's deliverability tools — including GSM-7 encoding validation and segment counting — help catch technical issues that can trigger filtering before messages are sent. Combined with automated opt-out handling and suppression list management, these features reduce the surface area for compliance violations without requiring manual oversight of every message.
Final Thoughts
CTIA content policies exist to protect consumers and maintain the integrity of the SMS channel. For marketers, compliance is not just a legal obligation — it is a practical requirement for maintaining deliverability and campaign performance. Messages that violate content policies do not reach subscribers, which means wasted spend and damaged sender reputation.
The most effective approach is to build compliance into your campaign design from the start: declare accurate content categories, use proper opt-out handling, send through branded domains, respect frequency commitments, and stay current with policy updates. Doing so protects both your subscribers and your ability to reach them.