Skip to content

SMS and RCS

SMS used to be a footnote in this guide. Two things shifted across 2025 and 2026. RCS is now viable to test in the US, with mandatory SMS fallback, though business and A2P reach still depends on carrier and provider provisioning rather than the iPhone simply supporting it. And US compliance hardened to the point where getting it wrong stops your messages dead or hands a plaintiff’s lawyer a ready-made claim. SMS has its own rules and its own failure modes, so it gets its own chapter.

First, a warning. Nothing here is legal advice. SMS rules vary by country, by US state, and by month, and the litigation is live. Federal rules, state mini-TCPA statutes and carrier policies all change on their own timetables. Treat what follows as a map of where the landmines sit, then check the current position for your jurisdiction with a lawyer before you send a single marketing text. When a mistake runs to thousands of dollars per message, an hour of legal review is cheap.

I’m leading with US compliance because it’s the part that will actually hurt you, and the part most people skip. After that: opt-in and list growth, segmentation and timing, MMS, cross-channel work with email, a sober read on RCS, and where AI genuinely fits. Along the way I’ll kill the folklore numbers laundered into the trade press as fact. The credibility of everything else here depends on not repeating vendor marketing as a neutral statistic.

The Telephone Consumer Protection Act is the federal law governing marketing texts to US mobile numbers, enforced through lawsuits, not regulators knocking on doors. Plaintiff firms run TCPA litigation as a business. Send a non-compliant marketing text and you’re gambling against lawyers who file these suits for a living and who only need your send logs to make their case.

The core requirement is prior express written consent before you send a marketing text to a mobile. That means a clear, affirmative agreement that the person will receive marketing messages at the number they gave you, with the disclosure shown at the time. A pre-checked box doesn’t count. Consent bundled into a terms-of-service acceptance doesn’t count. Buying a list and texting it is not consent under any reading.

The damages are what make this serious. Federal statutory damages are $500 per text, trebled to $1,500 for wilful or knowing violations, with no cap. A single non-compliant campaign to a few thousand people is, on paper, multi-million-dollar exposure. That’s the number that turns a sloppy send into a settlement.

The opt-out rules changed materially on 11 April 2025, and that change is the single most important update for anyone building an automated sending system. Consumers can now revoke consent in any reasonable manner. You can’t dictate one opt-out method. You have to honour STOP, QUIT, END, REVOKE, OPT-OUT, CANCEL and UNSUBSCRIBE, plus revocation arriving by email, web form or phone call, not just inbound text. And you have to process it within 10 business days, down from 30. For an agent, STOP-only handling is no longer enough: your system has to parse free-text and natural-language revocations across more than one channel.

There’s a forward-dated piece to flag but not act on. The broader global-revocation provision, under which a single opt-out applies to all future messages from that sender across every topic and programme, was delayed then extended again, now effective 31 January 2027. If you’ve seen an April 2026 date cited, it’s stale. Build toward 2027, but don’t present it as live law today.

One more correction worth making out loud, because it got taught wrong for a while. The FCC’s one-to-one consent rule, which would have required seller-specific consent and closed the lead-generator loophole, was vacated by the 11th Circuit on 24 January 2025 in Insurance Marketing Coalition Ltd. v. FCC, one business day before it would have taken effect. The stricter standard never became law, and the definition of prior express written consent reverted to the earlier understanding. Single-seller, clearly-disclosed consent is still the defensible posture and the one I’d recommend, but don’t teach one-to-one consent as if it’s the law. It isn’t.

Quiet hours are the most active area of litigation in SMS right now, so they get their own treatment.

Federal TCPA bars marketing texts before 8am or after 9pm in the recipient’s local time. The phrase that catches people is “recipient’s local time”. You can’t send on your own timezone and call it good. You have to work out where the recipient actually is and hold the send if it falls outside their window.

States narrow the federal window. Florida and Washington both cut it to 8am to 8pm. Texas went further. Texas SB140, effective 1 September 2025, reclassifies SMS and MMS as telephone solicitation, sets quiet hours at 9am to 9pm Monday to Saturday and noon to 9pm Sunday, requires registration as a telephone solicitor with the Texas Secretary of State, and creates a private right of action under the Texas DTPA. The penalties stack: $5,000 per violation plus DTPA recovery, which can mean treble damages, mental anguish and attorneys’ fees. A mistimed send to a Texas resident is not a rounding error.

Through 2025 there was a documented wave of quiet-hours class actions. Plaintiff firms sued on send time alone, even where valid consent existed, because the rule is bright-line and easy to prove from logs. The wave’s size gets quoted with made-up percentages, so I won’t attach a number. The qualitative point is what matters: send time is now a primary litigation theory, not a technicality, and a perfectly consented list won’t save you if you send at the wrong hour for the recipient’s location.

The build implication is a quiet-hours resolver that takes the recipient’s resolved jurisdiction and local time and returns send or hold. Layer it: federal 8am to 9pm first, then state overrides for Florida and Washington at 8am to 8pm and Texas at 9am to 9pm Monday to Saturday and noon to 9pm Sunday. When you can’t reliably resolve jurisdiction, default to the strictest window. And resolve location from the most reliable signal you have, not the area code. People keep their numbers when they move.

TCPA is the law. 10DLC registration decides whether your message physically arrives. They’re separate, and you need both.

Application-to-person traffic on standard US long codes runs through 10DLC, governed by The Campaign Registry. Unregistered A2P 10DLC traffic is blocked by the major US carriers, AT&T, T-Mobile and Verizon. Not throttle, block. An unregistered message doesn’t land in a degraded state, it doesn’t land at all. Think of registration as the SMS analogue of email’s SPF, DKIM and DMARC: the switch between zero delivery and possible delivery.

Registration has two parts. You register the brand, which is your legal entity, its legal name and its EIN. Then you register each campaign, which is the use-case you intend to send under. A per-campaign trust score governs your throughput, and enhanced vetting opens higher, marketing-grade volume. Fees and timelines vary by aggregator and year, so treat them as ranges and confirm with your provider: brand approval often lands in 1 to 5 business days and campaign approval in 3 to 7, longer in peak periods, with per-campaign monthly fees and per-message carrier surcharges on top.

Here’s the part the earlier version of this guide missed, and the part that trips up people who treat registration as a one-time box to tick. Registration is necessary but not sufficient. Getting registered gets you in the door. It doesn’t guarantee any individual message arrives. Registered traffic is still filtered on content, on the links you include, on SHAFT (sex, hate, alcohol, firearms, tobacco), on consent quality, and on your volume behaviour. High opt-out rates, spam complaints and odd traffic patterns trigger carrier filtering even on a fully registered campaign. And the registered use-case has to match what you actually send. Marketing content going out under a one-time-passcode use-case is both a filtering problem and a compliance problem.

So your pre-send checklist for US SMS is: brand registered, campaign registered, use-case matches the content, links branded or dedicated rather than public shorteners, and content SHAFT-clean. Miss any of those and your delivery rate quietly erodes despite the registration paperwork.

There’s a second compliance layer alongside the law, and conflating the two is a common mistake. TCPA is the legal floor, enforced through lawsuits. The CTIA Messaging Principles, enforced by carriers through the registry and through filtering, are the deliverability floor. CTIA is stricter than TCPA on several points. It expects documented consent for effectively all commercial messaging, a published privacy policy, published programme terms, and a HELP keyword that returns real support information, alongside STOP, UNSUBSCRIBE and CANCEL being honoured. You can satisfy the letter of TCPA and still get filtered into oblivion for failing CTIA. Optimise for both, or the law won’t save your delivery rate.

An operational compliance model an agent can run

Section titled “An operational compliance model an agent can run”

Prose isn’t enough for a system that actually sends. An agent needs a state model it can check before every send and maintain after. None of this removes the need for counsel; it makes the human review tractable and the claim defensible. Maintain the following, per contact and per campaign.

  • Consent source. Where the opt-in happened (checkout checkbox, two-tap unit, on-site popup, keyword join) and the exact disclosure shown. Store the disclosure copy verbatim, not a pointer to it.
  • Consent timestamp. When consent was captured, in UTC plus the contact’s resolved local timezone. This is your defence on both quiet-hours timing and revocation timing.
  • Campaign and use-case. The registered 10DLC use-case the message falls under, plus a check that the content matches it.
  • Jurisdiction. The contact’s governing state and country, resolved from the most reliable signal available, not the area code.
  • Quiet-hours resolver. A function taking jurisdiction and local time, returning send or hold, layering federal then state overrides, defaulting to the strictest window when jurisdiction is uncertain.
  • Revocation parser. Free-text and multi-channel. Catches STOP, QUIT, END, REVOKE, OPT-OUT, CANCEL and UNSUBSCRIBE plus reasonable variants and natural-language revocations, and accepts revocations by email, web form or phone, not only inbound SMS.
  • Suppression sync. A revocation suppresses across every channel and brand it should apply to, propagated inside the 10-business-day SLA and ideally immediately. Suppression is the last thing the send path checks.
  • Audit log. An append-only record of consent, every message sent, every revocation and every suppression action, all timestamped. If you can’t reconstruct who consented to what and when, you can’t defend a claim.
  • Vendor of record. Which entity is the registered brand and message sender for each campaign, so responsibility for filtering, registration and the carrier relationship is unambiguous.

Consent is the asset, so the way you collect it sets both your legal footing and your list quality. Four mechanics have the strongest support.

The two-tap mobile opt-in is the highest-converting on-device method. The user taps, a pre-filled text loads, they hit send. Attentive reports its two-tap unit converts two to three times better than a traditional sign-up form. That’s their own internal figure, but the mechanic is sound because it strips the typing friction on a phone. Checkout consent capture catches people at their highest intent, when they’re already buying. On-site popups are the cheapest acquisition source for most stores. And double opt-in, where the subscriber confirms before they’re added, is the most defensible TCPA posture because it produces a second consent artefact you can point to.

Whatever the mechanic, consent has to be explicit and the disclosure has to meet CTIA: clear about what they’re signing up for, with programme terms and a privacy policy linked. Per-industry opt-in rates and CAC figures get quoted from single vendor blogs, so treat any specific number as illustrative and calibrate against your own verticals.

SMS works backwards from email on frequency. Email is, within reason, a send-more-to-earn-more channel. SMS is a finite budget against the unsubscribe threshold. Every text spends a little of the goodwill that keeps someone on the list, and people drop SMS programmes far faster than email lists.

A sensible default cadence is roughly two to four texts a month, rising to one or two a week only for highly opted-in, highly engaged segments, tuned by opt-out rate and revenue per message. Two operational guardrails an agent can watch: an opt-out rate above 1% means throttle or improve relevance, and a delivery rate below 90% signals carrier filtering or bad data and needs investigation, not more volume.

The strategic point on SMS economics mirrors the flows argument running through the rest of this guide. SMS revenue is flow-driven, not broadcast-driven. Per Klaviyo’s 2026 SMS benchmarks, triggered flows are about 7.6% of sends yet drive 45.2% of SMS revenue, flow click rates run near 10% against roughly 5% for campaigns, and 64.4% of SMS flow revenue comes from new buyers. That new-buyer skew is worth sitting with, because it reframes SMS flows as an acquisition channel and not only a retention one. The instruction follows: stand up your triggered flows before you build a broadcast programme, and put the budget there first.

On links, use a dedicated branded short domain rather than a public shortener. Carriers demote bit.ly and tinyurl links, so a public shortener costs you delivery for no benefit.

MMS, the picture-message format, gets sold as an engagement multiplier. The first-party data doesn’t back the hype. Klaviyo’s numbers show SMS and MMS rates almost identical, with MMS only marginally higher on revenue per recipient and marginally lower on unsubscribe, which doesn’t justify the higher per-message cost in most cases. The “+250% with rich media” and “+20% engagement” MMS claims are aggregator hype the benchmark doesn’t back.

So default to SMS. Reserve MMS for the specific case where the visual is the offer, a product shot or a coupon image that does the selling. And note that for visual messaging the real upgrade path is RCS rich cards, not MMS, which leads into the next section.

The highest-value way to run SMS is not standalone but stitched into your email programme, and here the verified numbers are good enough to lead with. Per Klaviyo’s BFCM 2025 data, cross-channel shoppers placed 11% more orders, added 34% more items to cart and viewed 71% more products than single-channel shoppers, and email plus text together drove about 42% of GMV on peak days. There’s a popular “2.0 to 2.8x more valuable” multiplier floating around that I couldn’t tie back to a solid source, so treat it as loose vendor framing and lead with the engagement figures.

In practice, collect both email and phone, then split the channels by the job each does best. Email carries the story: the longer narrative, the editorial, the full product context. SMS or RCS carries the time-sensitive nudge: the cart recovery, the back-in-stock alert, the last-chance reminder. The cleanest first move is to add an SMS or RCS step to your existing high-intent email flows (cart, browse, back-in-stock) rather than building a parallel broadcast programme from scratch. Don’t run SMS in a silo, and don’t duplicate the same message across both channels, which just trains people to ignore one of them.

RCS Business Messaging is the genuine new development, and the easiest thing in this chapter to overstate. Here’s what’s actually true.

Apple shipped person-to-person RCS in iOS 18 and added support for business, or A2P, RCS in iOS 18.1, but only where the carrier has enabled it. Device capability is not business availability. As of Twilio’s RCS Business Messaging update, only two of the three major US carriers supported RBM across devices, and the carriers have to enable RCS Business Messaging on iOS before it works at all. So the correct framing for an agent is precise: iOS 18 enables P2P RCS, iOS 18.1 enables business RCS where both the carrier and the messaging provider support it, and reach on iPhone is a function of carrier provisioning, not OS version. You can’t assume an iPhone is RCS-reachable just because it’s running a recent iOS.

That makes SMS fallback mandatory. Architect every RCS programme so a message that can’t land as RCS drops to SMS automatically, and assume carousels and multi-button cards render differently across devices. Test card layouts on real iPhones before you trust them. A provider’s job is to work out, per recipient, when to deliver over SMS instead of RCS. Yours is to never write copy that only works in the rich version.

The real reason to choose RCS over SMS is the verified branded sender. A registered RCS agent shows your brand name, logo and a verification tick instead of an anonymous short or long code, and it adds rich cards, carousels, suggested replies and read receipts. That fixes the two structural weaknesses SMS has always had, an anonymous sender and no engagement signal coming back to you. Agent vetting takes time, so register early if you intend to use RCS.

On the lifts: the honest evidence is real but measured on early adopters and beta segments, so don’t build a budget around it. Attentive’s first-party named beta is the cleanest data point. FragranceNet.com saw +106% click-through, +50% conversion and +47% revenue per send versus SMS, and Spanx, on a segment that had gone quiet, saw +236% click-through, +190% conversion and +201% revenue per send. Those are two named brands in a vendor’s own beta. Treat them as a signal the channel can work, not a benchmark table you can plan against, and don’t expect 200% lifts across the board. The wider RCS engagement figures in circulation are vendor or platform numbers, not independent benchmarks: Infobip’s roughly 72% open rate and 15 to 30% click-through, Google’s line that consumers are about 35 times more likely to read an RCS message than an email, and verified-badge trust figures landing anywhere between 51% and 80% depending on whose survey you read. Use those to justify registering for a verified sender. Don’t present them as planning numbers, and treat the “90%+ open, 80%+ conversion” RCS aggregates on vendor blogs as marketing, full stop.

On encryption: cross-platform end-to-end encryption was not in iOS 18, which was transit-level TLS only. Encrypted RCS across iPhone and Android, built on GSMA Universal Profile 3.0 and the MLS protocol, began rolling out in beta with iOS 26.5 and the current Google Messages build on 11 May 2026. It’s gated on three conditions being true at once: the right iOS version, the right Google Messages build, and carrier support on both ends. It is being switched on gradually, so treat universal encrypted RCS as in progress through 2026, not a done thing you can rely on. This rollout is person-to-person RCS. RCS Business Messaging, what you send as a brand, is a separate A2P channel and is not end-to-end encrypted the same way, so never tell customers your business messages are end-to-end encrypted.

Before you turn on an RCS programme, work through this list. It keeps the rich version honest and stops the channel quietly failing for the people it can’t reach.

  • Agent and brand vetting. Register the RCS agent and complete brand verification early, because vetting takes time and an unverified agent loses the branded-sender advantage that is the main reason to use RCS.
  • Carrier and provider reach check. Confirm which carriers and which messaging provider actually support RBM for your audience, and accept that a recent iOS version alone does not make an iPhone reachable.
  • SMS fallback copy. Write a plain SMS version of every message that stands on its own, so a recipient who can’t receive RCS still gets a message that works.
  • Rich-card graceful degradation. Test carousels and multi-button cards on real iPhones and Android devices, and make sure the offer survives when a card renders as a stripped-down or plain message.
  • Opt-out handling. Honour STOP and the wider revocation set on the RCS thread exactly as you do on SMS, and feed it into the same suppression and audit path.
  • Consistent measurement naming. Name your events and campaigns the same way across RCS and the SMS fallback, so you can compare like for like and read the true blended result rather than two disconnected sets of numbers.

AI in SMS and RCS splits cleanly into shipped substance and round-number hype, and an honest read separates them.

The shipped, actionable patterns are three. First, per-recipient variant selection, where each subscriber gets the version of a message most likely to convert for them rather than a single broadcast copy. Second, conversational SMS flows that function as quizzes, capturing zero-party data through a back-and-forth instead of a static form. Third, an AI customer agent handling two-way SMS and RCS, fielding inbound replies and resolving routine questions without a human. RCS matters here specifically because its quick-reply and suggested-reply surface is what makes a two-way agent usable; on a bare SMS thread the conversation is clumsier. Because this guide is itself read by an agent, the conversational data-capture and per-recipient capabilities are the most directly actionable: an agent can build and run them.

The hype to label rather than repeat is the autonomous-resolution figures. Klaviyo reports its customer agent resolves a majority of questions autonomously, around 65%, and HappyWax reported the agent handled over 50% of support conversations with no human across 90 days. Both are single-brand, vendor-reported numbers, so use them as existence proofs that the pattern can work and mark them as exactly that. The broader “81% of companies report improved performance with AI” style of stat is unverified self-report, and doesn’t belong in a planning model.

The credibility of this chapter rests on not laundering vendor marketing into neutral fact, so here’s the cleanup, plainly.

The “21 to 30% SMS conversion rate” everyone quotes is method-inconsistent folklore. Klaviyo’s first-party campaign tiers, with bot clicks excluded, put the “great” bar at a 14.6% click rate or higher and placed-order conversion of about 2.1% or higher, with revenue per recipient around US$2.42 or higher, and an unsubscribe rate at or above 2.0% flagged as critical. So the realistic “great” conversion bar is roughly 2%, not 25%. The bare “98% open rate” is a flat number that should be a band of roughly 90 to 98%. The “+250% MMS with rich media” line is unsupported by the benchmark, as covered above. And the inflated “90% open, 80% conversion” RCS aggregates are marketing, not data. Don’t teach one-to-one consent as law, because it was vacated in January 2025, and don’t cite April 2026 as the global-revocation date, because it’s now 31 January 2027. If a number sounds too clean and too good, it usually came from someone selling the channel.

The summary you can act on: register before you send, treat registration as necessary but not sufficient, build the consent and quiet-hours state model before the first campaign, lead the strategy with flows rather than blasts, run SMS alongside email rather than in a silo, treat RCS as a real but unevenly available upgrade with mandatory SMS fallback, and confirm every legal point in this chapter against current rules in your own jurisdiction before you go live.