Complete guide to SHAFT+ restricted SMS content categories — sex, hate, alcohol, firearms, tobacco, cannabis, gambling, crypto, and how each enforcement layer (carrier, TCR, CPaaS) treats them.

SHAFT+ Restricted SMS Categories

SHAFT is the industry acronym for the five content categories that receive the strictest scrutiny in Application-to-Person (A2P) SMS:

S — Sex (adult / sexual content)
H — Hate (hate speech, harassment, discriminatory content)
A — Alcohol (promotion, sales, delivery)
F — Firearms (weapons, ammunition, accessories)
T — Tobacco (cigarettes, vapes, nicotine products)

These categories have been flagged since the earliest CTIA messaging guidelines and remain the core of every carrier acceptable use policy (AUP).

The "+" Extension

The original SHAFT acronym no longer captures the full scope of restricted messaging. Industry practice has expanded the list to include several additional high-risk verticals:

Cannabis / CBD — all marijuana-related products, including hemp-derived CBD in some interpretations
Gambling / Sports Betting — casino promotions, daily fantasy sports, sportsbook marketing
Cryptocurrency / Web3 — token promotions, NFT drops, DeFi solicitations
High-Risk Financial — payday loans, debt collection, credit repair, advance-fee schemes
Pharmaceuticals — prescription drugs, online pharmacies, controlled substances
Multi-Level Marketing (MLM) — network marketing, recruitment-focused programs
Political Messaging — campaign texts, ballot measure advocacy, PAC communications

The combined set is commonly referred to as SHAFT+ in compliance documentation and carrier communications.

Key Insight: Not a Uniform Ban

SHAFT+ categories are not uniformly blocked. The actual outcome for a given message depends on which category it falls into, what sender type is used, and which enforcement layer triggers. Outcomes range across a wide spectrum:

Outcome	Example
Full carrier ban	Cannabis on 10DLC — blocked by all three major carriers regardless of state legality
Blocked at CPaaS	Crypto promotions on Twilio — rejected before reaching the carrier network
Conditionally allowed	Alcohol with age-gating on a dedicated short code
Allowed with special registration	Gambling in licensed states via a TCR special-use campaign
Allowed with restrictions	Political messaging with mandatory sender identification and opt-out

Understanding which layer enforces what — and where discretion exists — is critical for anyone building compliant messaging programs in sensitive verticals.

The Enforcement Stack

SHAFT+ rules are enforced at four distinct layers, each with independent authority to block or penalize. A message must pass all four to be delivered.

1. FCC / TCPA (Federal Law)

The Telephone Consumer Protection Act (TCPA) and FCC regulations set the legal floor. Key constraints:

Prior express written consent is required for any marketing message, regardless of content category
Do-Not-Call registry compliance is mandatory
Robocall / autodialer rules apply to automated messaging systems
Violations carry statutory damages of $500–$1,500 per message in private lawsuits
The FCC can impose additional fines and injunctions

TCPA does not explicitly ban SHAFT categories by name, but its consent requirements make unsolicited messaging in any sensitive category a significant legal risk.

2. Carrier AUPs (AT&T, T-Mobile, Verizon)

Each major carrier publishes an Acceptable Use Policy for messaging that goes beyond federal law:

AT&T maintains a Code of Conduct for messaging that explicitly restricts SHAFT content and requires age-gating for alcohol and tobacco on approved sender types
T-Mobile publishes the most detailed content guidelines and has been the most aggressive in enforcement, including a published penalty rate of $10,000 per violation
Verizon generally aligns with CTIA guidelines and defers to TCR registration status for 10DLC traffic

Carrier AUPs are contractual, not statutory — they can change without legislative process and are enforced through network-level filtering, campaign suspension, and sender deregistration.

3. TCR (The Campaign Registry)

TCR is the central registration authority for 10DLC messaging. Its role in SHAFT+ enforcement:

Every 10DLC campaign must declare its use case during registration
Certain SHAFT+ categories are available only as special use cases that require additional vetting
Some categories (notably cannabis) are not registrable at all — TCR will reject the campaign
Trust scores and throughput limits are influenced by content category
Campaign descriptions are reviewed for prohibited content signals

TCR acts as a gatekeeper: if a campaign cannot be registered, 10DLC traffic for that use case cannot flow through any carrier.

4. CPaaS AUPs (Twilio, Telnyx, Bandwidth, Vonage)

Communications Platform-as-a-Service providers sit between the sender and the carrier network. Their AUPs are often stricter than what carriers technically allow:

Twilio has the most restrictive stance — explicitly prohibits cannabis, heavily restricts cryptocurrency/Web3, and maintains an internal content review process
Telnyx takes a more permissive approach on some categories (crypto, CBD) but still enforces carrier-level restrictions
Bandwidth generally mirrors carrier policies without adding significant additional restrictions
Vonage (now part of Ericsson) restricts cannabis and applies heightened review to financial services messaging

A message that is technically permitted by carriers and TCR can still be rejected by the CPaaS provider's own compliance team.

Per-Category Breakdown

The following table summarizes how each SHAFT+ category is treated across the enforcement stack and what path, if any, exists to send compliant messages.

Category	Carrier Treatment	TCR Treatment	CPaaS Treatment	Path to Send
Sex / Adult	Blocked on 10DLC. Conditionally allowed on dedicated short codes with age-gating.	Not registrable as a standard 10DLC campaign.	Universally prohibited by major CPaaS providers.	Dedicated short code with CTIA age-gate approval; extremely limited availability.
Hate Speech	Universally blocked across all sender types.	Not registrable.	Universally prohibited.	No legitimate path. Hate speech violates federal law, carrier AUPs, and platform terms simultaneously.
Alcohol	Allowed on short codes with age-gating. Restricted on 10DLC.	Registrable as a special use case with additional documentation (age verification, licensing).	Generally allowed with age-gating compliance. Twilio requires pre-approval.	Short code with age-gate is the established path. 10DLC possible via TCR special use case in some configurations.
Firearms	Blocked on 10DLC for promotional messaging. Informational/safety content may pass.	Special use case with heavy scrutiny; promotional campaigns typically rejected.	Most CPaaS providers prohibit promotional firearms content.	Very limited. Safety-related and non-promotional use cases on short codes may be approved case-by-case.
Tobacco / Vape	Restricted on 10DLC. Allowed on short codes with age-gating in some cases.	Special use case. Vape/e-cigarette content faces additional restrictions.	Varies. Twilio restricts; others may allow with age-gating.	Short code with age-gate approval. 10DLC path is narrow and carrier-dependent.
Cannabis / CBD	Fully blocked on 10DLC by all three major carriers, regardless of state legality.	Not registrable as a 10DLC campaign.	Twilio prohibits entirely. Telnyx has explored limited CBD messaging.	Toll-free numbers in legal states have shown some success. Short code applications are reviewed case-by-case. No 10DLC path exists as of 2025.
Gambling / Sports Betting	Allowed in licensed/legal states with proper registration. Blocked in states where the activity is illegal.	Registrable as a special use case (lottery, casino, sports betting). Requires state-by-state licensing documentation.	Allowed with pre-approval and licensing verification.	TCR special use campaign with state licensing documentation. State-by-state compliance is mandatory — a single campaign cannot target all 50 states.
Cryptocurrency / Web3	Not explicitly blocked at the carrier level. Carriers do not have crypto-specific AUP clauses in most published guidelines.	Registrable under financial services or general marketing depending on content.	Twilio restricts heavily — crypto promotions often rejected during content review. Telnyx and some smaller aggregators are more permissive.	Alternate CPaaS provider (Telnyx, Plivo, or direct aggregator) with standard TCR registration. Avoid Twilio for crypto-primary messaging.
High-Risk Financial	Payday loans and debt collection face heightened scrutiny. Debt collection must comply with FDCPA.	Registrable but subject to additional vetting. Advance-fee and credit repair schemes are typically rejected.	Twilio and most CPaaS providers restrict payday lending. Debt collection is allowed with FDCPA compliance.	FDCPA-compliant debt collection is sendable. Payday loan promotion is effectively blocked across most of the stack.
Pharmaceuticals	Prescription drug promotion is restricted. OTC and health information is generally allowed.	Special use case for pharmacy and healthcare messaging. Requires verification.	Twilio requires healthcare pre-approval. Others vary.	TCR healthcare use case with proper licensing. Controlled substance promotion has no viable path.
MLM / Network Marketing	Not explicitly category-blocked, but high complaint rates trigger filtering.	Registrable, but campaigns with high opt-out rates are flagged and may be suspended.	Allowed in principle, but MLM traffic tends to generate complaints that trigger platform review.	Standard registration, but operational discipline is critical — high complaint rates will result in campaign suspension regardless of category.
Political	Allowed with mandatory sender identification and opt-out compliance. Subject to TCPA prior express consent.	Registrable as a political campaign type. Requires organization verification.	Allowed with pre-registration. Twilio has a dedicated political messaging program.	TCR political campaign registration. Must include sender identification ("Paid for by...") and honor opt-outs within the legally required timeframe.

Cannabis: The Hardest Block

Cannabis messaging deserves special attention because it represents the most complete block in the SHAFT+ framework:

All three major carriers (AT&T, T-Mobile, Verizon) block cannabis content on 10DLC, including in states where cannabis is fully legal
TCR does not offer a cannabis campaign registration category
Twilio explicitly prohibits cannabis messaging in its AUP
The conflict between federal Schedule I classification and state legalization creates a compliance environment where carriers default to prohibition

There has been some movement on toll-free numbers, where carrier filtering is applied differently and some cannabis businesses in legal states have maintained messaging programs. Short code applications for cannabis are reviewed case-by-case by the CTIA, but approvals are rare. As of 2025, there is no reliable 10DLC path for cannabis-related messaging.

Cryptocurrency and Web3: A CPaaS Problem

Cryptocurrency messaging occupies an unusual position in the SHAFT+ framework:

Carriers do not maintain explicit crypto-blocking rules in their published AUPs — the content passes carrier-level filtering in most cases
TCR does not have a crypto-specific restriction and will register campaigns under financial services or general marketing use cases
The block is primarily at the CPaaS layer. Twilio's content review process frequently rejects crypto-related campaigns, citing fraud risk and consumer protection concerns
Smaller and crypto-friendly CPaaS providers (Telnyx, Plivo, and some direct aggregator relationships) offer viable alternatives

For organizations building in the Web3 space, the practical recommendation is to select a CPaaS provider with explicit crypto tolerance and register through TCR under an appropriate financial services use case.

Penalties and Consequences

Violations of SHAFT+ restrictions carry real financial and operational consequences:

Consequence	Detail
Per-message fines	T-Mobile has published a rate of $10,000 per violation for AUP breaches. AT&T and Verizon impose similar penalties though specific rates are less commonly disclosed.
Campaign deregistration	TCR can revoke a campaign's registration, immediately halting all 10DLC traffic for that campaign across all carriers.
Account suspension	CPaaS providers can suspend or terminate accounts, often with limited appeal options and retention of account balances.
Number blocking	Carrier networks can block specific phone numbers, rendering them permanently unusable for messaging.
Brand-level penalties	Repeated violations can result in brand-level blocks at TCR, affecting all campaigns under that brand — not just the offending one.
TCPA litigation	Private lawsuits under TCPA can result in $500–$1,500 per message in statutory damages, with class actions reaching millions.

These penalties compound. A campaign sending 1,000 messages that violate T-Mobile's AUP could theoretically face $10 million in carrier fines alone, in addition to TCPA exposure.

Practical Guidance

For teams evaluating whether a messaging program falls into SHAFT+ territory:

Audit content against all four enforcement layers — a message may clear one layer but fail at another
Check CPaaS AUP independently of carrier rules — CPaaS restrictions are often stricter and less transparent
Use TCR's campaign registration process as a litmus test — if TCR does not offer a use case category for the content, 10DLC is not a viable path
Consider sender type alternatives — short codes and toll-free numbers have different filtering profiles than 10DLC
Monitor per-carrier status separately — carrier AUPs change independently and enforcement intensity varies
Maintain opt-out compliance religiously — high complaint and opt-out rates accelerate enforcement actions regardless of content category

SHAFT+ Restricted SMS Categories: What Carriers Block and Why