SSL Click Tracking Steps

Objective

Enabling SSL Click Tracking on a user account does not enable it on any sub-users; each sub-user account must enable SSL Click Tracking separately. SSL Click Tracking is also not enabled on a per-branded-link basis: you must set up a proper SSL configuration for all the branded links on a user account. This guide walks through the steps needed to enable SSL Click Tracking on an account.

Product

Email 

Procedure

Create an SSL Certificate

Twilio SendGrid can't set up an SSL Certificate for you, but we do have documentation on three major Content Delivery Networks (CDNs). CDNs are a great option for handling security certificates for you, while quickly and easily serving content across multiple ways. You may also check here for the steps for a custom SSL configuration.

For details on the actual creation and hosting of an SSL certificate, we recommend users reach out directly to their CDN/DNS provider. It is also important that the CDN then forwards all traffic on to sendgrid.net so we can ingest tracking details and resolve links to the correct location.

Point Link Branding domain to SSL certificate

Now that the SSL certificate is created, you can forward traffic to it. You originally pointed the Link Branding CNAMEs like this:

sub.domain.com -> sendgrid.net

You can edit the DATA portion (sendgrid.net) in the domain's DNS to point to the CDN handling your domain's SSL certs. Only the first CNAME from the branded link needs to point to the CDN you are using.

Verifying your configuration is correct

Running a dig command

If you followed the steps above correctly, you should be able to run a dig command to check where your CNAME record points.

The link branding process for your domain creates 2 CNAME records. For example, if you're branding your links for the domain testforjoe.xyz, these 2 CNAME records will be generated:

url1579.testforjoe.xyz
20352181.testforjoe.xyz

If you run a dig command against the first CNAME in your terminal, the answer / authority section should point to your CDN:

% dig cname url1579.testforjoe.xyz

; <<>> DiG 9.10.6 <<>> cname url1579.testforjoe.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54183
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1410
;; QUESTION SECTION:
;url1579.testforjoe.xyz. IN CNAME

;; AUTHORITY SECTION:
testforjoe.xyz. 1800 IN SOA kareem.ns.cloudflare.com. dns.cloudflare.com. 2340669520 10000 2400 604800 1800

;; Query time: 99 msec
;; SERVER: 10.9.245.1#53(10.9.245.1)
;; WHEN: Sun May 19 14:58:46 -05 2024
;; MSG SIZE rcvd: 115

As you can see in the Authority section, the SOA record names Cloudflare (kareem.ns.cloudflare.com), which is the CDN handling the SSL certificate. If the output points to your CDN or to wherever your SSL certificate is handled, you're ready to go to the next step.
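
To make the dig check above repeatable before contacting Support, the following added example (not SendGrid's own code) classifies dig output into a single verdict. The helper name classify_cname and the cdn.example.net target are assumptions; the first sample is the output shown above and the other two are constructed.

```shell
#!/usr/bin/env bash
# Added example. classify_cname is a hypothetical helper: it reads the output
# of `dig cname <first Link Branding host>` on stdin and prints one verdict.
classify_cname() {
  awk '
    /^;; ANSWER SECTION:/    { sec = "answer"; next }
    /^;; AUTHORITY SECTION:/ { sec = "authority"; next }
    /^;;/ || /^$/            { sec = ""; next }
    sec == "answer"    && $4 == "CNAME" { target = tolower($5) }
    sec == "authority" && $4 == "SOA"   { soa = tolower($5) }
    END {
      sub(/\.$/, "", target); sub(/\.$/, "", soa)
      if (target ~ /(^|\.)sendgrid\.net$/) print "sendgrid-direct " target
      else if (target != "")               print "cname " target
      else if (soa != "")                  print "no-cname soa=" soa
      else                                 print "unknown"
    }'
}

# The dig output shown on this page, trimmed to the sections the parser reads.
PAGE_SAMPLE=';; QUESTION SECTION:
;url1579.testforjoe.xyz. IN CNAME

;; AUTHORITY SECTION:
testforjoe.xyz. 1800 IN SOA kareem.ns.cloudflare.com. dns.cloudflare.com. 2340669520 10000 2400 604800 1800
'
# Constructed sample: the record still points straight at sendgrid.net.
DIRECT_SAMPLE=';; ANSWER SECTION:
url1579.testforjoe.xyz. 300 IN CNAME sendgrid.net.
'
# Constructed sample: cdn.example.net is a placeholder CDN hostname.
CDN_SAMPLE=';; ANSWER SECTION:
url1579.testforjoe.xyz. 300 IN CNAME cdn.example.net.
'

for sample in "$PAGE_SAMPLE" "$DIRECT_SAMPLE" "$CDN_SAMPLE"; do
  printf '%s' "$sample" | classify_cname
done
# Live use: dig cname url1579.testforjoe.xyz | classify_cname
```

A `sendgrid-direct` verdict means the record has not been repointed yet; for the other verdicts, confirm that the named host or DNS provider is the CDN that holds your certificate.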

Let SendGrid Support know you want SSL Click Tracking turned on

Before we can enable SSL Click Tracking, we have to ensure the following:

  • The Link Branding is assigned to the user account you are requesting SSL Click Tracking on
  • The Link Branding is pointing to your CDN, and not pointing at sendgrid.net.
  • The Link Branding domain is terminating in an SSL connection correctly

Once SSL Click Tracking is enabled, you can check if SSL is terminating correctly by sending a test through your SendGrid account and including an HTTPS link to see if it resolves correctly. Alternatively, you can test your SSL connection at https://www.ssllabs.com/ssltest/

Notice: Once you have successfully configured your CDN, DO NOT re-verify your Link Branding. If you do attempt to re-verify your CNAME records after SSL has been set up, it will break when it doesn't see the simple CNAME record.
