Enabling SSL for Click and Open Tracking for Your Account

When click tracking is enabled on your account, SendGrid re-writes your links to add code to track clicks. Link brandings allow these links to be be re-written with your own domain instead of SendGrid's. For more information on link branding, click here.

When open tracking is enabled on your account, SendGrid adds an invisible pixel to your emails with a URL specific to that email. For more details on this, click here.
 

However, these URLs are over 'http' by default. As an additional layer of security, we allow these links to be re-written over 'https' by enabling SSL for click and open tracking.

Using a Proxy

To prepare your account for SSL for click and open tracking using a proxy, please follow the following steps:

  1. Prepare a proxy (like a web application, NGINX, or Amazon API Gateway) to take all traffic for mailing.example.com and forward it to http://sendgrid.net or https://sendgrid.net.
  2. Set up the proxy to use HTTP or HTTPS. For HTTPS, provide a valid SSL certificate for mailing.example.com domain.
  3. To forward traffic, set the Host HTTP header to mailing.example.com domain.
  4. Point the CNAME record to your proxy. For example, CNAME mailing.example.com proxy.example.com.

In the steps above, mailing.example.com will need to be replaced with your actual link branding, and proxy.example.com will be replaced with your proxy.

Once the steps above have been completed, please contact SendGrid Support to enable SSL click and open tracking on your account.

Using a CDN

If you prefer to use a CDN, this is entirely possible as well. Due to the numerous CDN providers out there, it's not possible for us to have setup steps for every single one of them; however, we do have instructions for CloudFlare, Fastly, and KeyCDN. Those steps can be found here.

Once you've completed the applicable steps outlined in the article, please contact SendGrid Support to enable SSL click and open tracking on your account.

Things to Note

1.) Do NOT re-validate the DNS records within the SendGrid UI after completing the steps mentioned above (either for proxy or CDN usage). After changing the CNAME, a second validation will fail, and the authentication will stop working. If this happens, you will need to do the following:

  1. Update the DNS record for your link branding so that it points back to sendgrid.net
  2. Re-validate your link branding in the SendGrid UI
  3. Update the DNS record for your link branding once more so that it points to your proxy

2.) SSL for click tracking is a setting that affects all link brandings in your account. Because of this, we require that ALL link brandings in your account to be prepped for SSL for click and open tracking before we can enable the setting for your account.

Running Our Checks on Your Own

Before enabling SSL for click and open tracking on your account, SendGrid has two checks that we run on our end. You can also run these checks on your own:

  1. Dig the CNAME record for the link branding. For Mac and Linux users, you can open terminal and enter the following command:
    dig mailing.example.com CNAME
    You'll need to replace mailing.example.com with your link branding. When doing so, you should see something like this:

    Screen_Shot_2022-02-22_at_9.38.27_AM.png
    What you'll want to pay attention to is the "ANSWER SECTION" (please note that with some providers, you'll see an "AUTHORITY SECTION" instead). Here, you'll want to make sure that the value that appears after "CNAME" does not return "sendgrid.net." If it returns "sendgrid.net," this means that you have not completed step 4 in the "Using a proxy" section.

    For Windows users, you many need to install a tool before you're able to use the "dig" command in the command prompt. For more details on how to do this, feel free to check out this article. Once BIND is installed, you should be able to run the same command mentioned above (dig mailing.example.com CNAME) to complete this check.

  2. Once you've passed the first check, the second one is to check your links over 'https.' To do this, send a test email to yourself. At this point, the URLs in the email will still be over 'http.' However, if the setup has been completed properly, you should now be passing a cert, and 'https' should work as expected. What you'll do here is:
        1. Send a test email to yourself that includes a link
        2. Copy the URL in the test email
        3. Open a new browser tab and paste the URL in the address bar
        4. Change the URL so that it starts with 'https' rather than 'http'
        5. Attempt to access the 'https' version of the URL

Since you're now passing a cert, the URL should resolve over 'https.'


If ALL the link brandings in your account pass these two checks, your account is ready for SSL for click and open tracking to be enabled.

Common Issues

There are a few common issues we have seen come up when running our checks, and here is how to resolve them:

  • "Wrong Link" error
    • When running the URL check, we'll sometimes run into a "Wrong Link" error. This typically means that traffic is not being forwarded to the link branding. When this happens, you'll need to ensure you've completed step 3 in the "Using a Proxy" section.

  • "Your connection is not private" error
    • When running the URL check, we'll sometimes see a "Your connection is not private" error. This typically indicates that you are not passing a cert. Without one, your URLs cannot be over 'https.' When this happens, you'll need to ensure you've completed step 2 in the "Using a Proxy section.

  • Links are not resolving after proxying DNS records in CloudFlare
    • When using CloudFlare as your CDN, the service does give you the option to use wildcard certs for your domain (for example: *.domain.com). Unfortunately, this will not work with SendGrid when your link branding includes subdomains. For example, if you set up a link branding for "subdomain.domain.com", the resulting link branding can be "click.subdomain.domain.com". The wildcard cert set up for "domain.com" will not work; you will need to set up a dedicated cert for "subdomain.domain.com" within CloudFlare.

If you have any other questions regarding enabling SSL for click and open tracking, feel free to reach out to SendGrid's Support Team for further assistance.

Have more questions? Submit a request