One of the many benefits of sending emails with Twilio SendGrid (TSG) is our ability to track customer engagement data for you. This provides valuable insights into the performance of your email program and the behavior of your recipients. Click tracking and open tracking are 2 of many valuable metrics that help measure customer engagement.
However, click tracking alone isn’t a complete solution. To ensure that your link performs optimally—meaning that it looks legit to your recipients, web servers, and web browsers—you’ll need to implement link branding and SSL click tracking.
In this article, we’ll explore the purpose of SSL click tracking and provide step-by-step instructions on how to implement it.
When you enable click tracking and open tracking in your account, TSG can track clicks and opens on your emails back to the Console or post the data to a webhook URL, where you can review and analyze the data any way you see fit. TSG can accomplish this by redirecting or wrapping links in your emails, ensuring any clicks on these links report back to your account. Any time there’s redirecting or wrapping of a link, it changes the appearance of that link and can sometimes cause concern for your recipients if they don’t recognize the domain in the links.
TSG alleviates this concern by utilizing a concept we call link branding. Link branding “brands” all the click-tracked links and open-tracked images in your emails with your domain instead of the default sendgrid.net domain (e.g., your customer will see www.yourdomain.com/link instead of www.sendgrid.net/link), allowing customers to see links that align with your brand.
Below are some examples of how a link changes as you introduce clicking tracking and link branding.
Have you or your recipients ever attempted to open a link in an email but clicking on the link resulted in the following error?
That’s SSL click tracking at work, and it means the link you’re trying to access has a missing, outdated, or invalid security certificate, so your browser has blocked you from accessing it.
To define SSL click tracking, we have to start with the first part: Secure Sockets Layer (SSL) is a security protocol that creates an encrypted link between a web server and a web browser. It ensures that all transferred data remains confidential.
Think of SSL like a passport. If everything is valid and up to date on a passport, the traveler can go through customs to enter the borders of the desired country. Similarly, if an SSL certificate is valid, the link will resolve as intended.
SSL click tracking allows you to utilize TSG click tracking with your branded links while providing secure link encryption for your recipients.You’ll see errors like the one above when links you provide in your email content pass to TSG as HTTPS without SSL click tracking enabled.
For example, when links process through our system with your link branding, these get encrypted as HTTP. This indicates a misalignment between the security encryption level of your links and the security encryption level of the browser attempting to resolve them. To send HTTPS links branded with your domain through TSG, you need to set up SSL for click tracking and have our team enable the setting on your account, ensuring your links will pass through as HTTPS.
First, when a recipient clicks on a link with SSL click tracking encryption from your TSG account, the link directs them to a Content Delivery Network (CDN) that hosts the SSL certificate. A server with a custom SSL configuration may also host this certificate, but it’s most commonly implemented with a CDN.
The browser then checks the validity of the certificate before moving on to the final destination of the link address. If everything checks out, the recipient lands at the proper site with a click tracked in your TSG account.
However, there are a couple of important things to understand as you begin setting up SSL click tracking. First of all, the majority of this setup occurs outside the TSG platform and consists of CDN and DNS configurations that TSG doesn’t have the scope to control or maintain for you.
Second, the only thing that TSG has direct influence on with this setup is whether your encoded, branded links are HTTP or HTTPS encrypted. The SSL feature encrypts the connection between the recipient clicks and open actions, which allows TSG to better protect user data. Since the “S” in HTTPS indicates SSL encryption, with SSL click tracking enabled on your account, TSG just adds an “S” to your branded links. However, the successful resolution of these HTTPS links is up to the configurations on your CDN and DNS.
To send secure links branded with your domain, you’ll need a valid SSL certificate for your branded link domain (e.g., url123.domain.com) to provide publicly, ensuring the links check out and you can send them securely in emails over the internet. SSL certificates are available for purchase and hosting through many CDN and DNS providers, such as Cloudflare, KeyCDN, GoDaddy, or Namecheap, but not available for purchase or hosting through TSG.
Next, you’ll need to complete the link branding process in your TSG Console for the domain that you wish to send your emails. Once your link branding is successfully verified, be sure to not click Verify again. Since the SSL process requires you to change the DNS configuration of the CNAME records for your link branding once it’s successfully verified, clicking Verify again after this change will cause link branding to fail in your TSG account.
This is important because the TSG platform will only apply a verified link branding domain in the Console. Failed branded link instances will also fail to wrap your links correctly.
Now that link branding is complete, navigate to your CDN and prepare a proxy for your branded link domain. Set that proxy to forward to sendgrid.net. This step can vary between CDN providers, and it’s not within the scope of TSG to advise on the exact details of how to accomplish this with every CDN provider. You’ll also need to ensure that your SSL certificate is valid and properly hosted on your CDN, although some DNS providers will provide CDN and SSL services to make things easier.*
*For reference, here's the documentation specific to the Cloudflare and KeyCDN platforms. It’s important to understand that this documentation may not be up to date with any changes that either of these providers have made or continue to make with the platforms. For direct assistance with this, it’s best to reach out to your CDN provider directly.
As you recall from Step 2, link branding consists of 2 CNAME records that you install on your DNS. Take note of the first CNAME record generated within the TSG Console, as you’ll now change its value in your DNS. To do this, within your DNS host, you’ll want to change the “points to,” “value,” or “target” (depending on your provider) from sendgrid.net (needed to verify link branding) to your CDN proxy prepared in the previous step.
Only change this for the first CNAME record generated in the TSG Console for link branding. The second CNAME record should remain pointed to sendgrid.net in your DNS.
With your CDN and DNS configurations complete, it’s time to test your configuration to ensure things properly forward.
1. To check that your forwarding and proxy setup are correct so far, run a dig command in the terminal to check that the first CNAME resolves at your CDN and not sendgrid.net. For a dig in MacOS X, the command would be:
dig cname mail.domain.com
In Windows, using the command prompt (e.g., cmd.exe), an example of the command would be:
nslookup -q=CNAME example.com
If “sendgrid.net” is in the answer or authority sections of your query, you’ll need to double-check that your first CNAME in your DNS points to your CDN and not sendgrid.net. Now is also a good time to remind you not to click Verify on your link branding in the TSG Console again.
2. The second way to test this, prior to reaching out to TSG Support, is to send an email through your TSG account that includes a click-tracked link and change it to HTTPS to ensure it resolves.
To do this, be sure to enable click tracking for the send, then send an email to yourself and copy the link address from the test email once it hits your inbox. Paste that link into a text editor and make one small change: add “S” to HTTP to mimic a securely encrypted link (e.g., HTTPS).
Once your link is HTTPS, paste it back into your browser URL bar and check to see if it resolves. If it does, your SSL setup is complete and you’re ready to have TSG enable the setting on your account. If you receive an error like the one pictured above, your CDN configuration may need adjusting.
The last step in this process is to reach out to TSG Support to have them test and enable SSL click tracking on your account. This is a setting that only our team can enable, and successfully completing the above tests will save you a lot of time. It’s also important to note that SSL click tracking is an account-wide setting—it applies to all links sent through an account with an enabled setting.
Also, if you require this setting on subuser accounts, you’ll need to enable this setting on each subuser individually. While the setting isn’t adopted from your parent account, you can apply it on subuser accounts that have link branding domains assigned to them from your parent account.
Note that TSG is quite limited in the direct support we can offer if something within your CDN or DNS needs reconfiguration, especially regarding your SSL setup changes and link breaks. Changes happen for many reasons, and it’s important to be aware of the scope TSG has in assisting.
For example, at times, TSG may urge you to reach out to your CDN or DNS providers for assistance with your specific SSL configuration simply due to the fact that we’re unable to advise you on the setup with outside third-party providers. That said, the experts in our Support team have a ton of experience with helping customers set up SSL click tracking.
Your recipients might still see privacy or security errors when clicking links in emails sent with your TSG account even if you only include HTTP links (not HTTPS) in your email content. This can occur if you have HTTP Strict Transport Security (HSTS) enabled for your website domain. HSTS forces secure encryption on any links pertaining to your website domain.
With this setting configured, any links for your website domain will be forced to HTTPS even if the original link you tried to send was an HTTP. If this is the case, you have 2 options:
The first (and recommended) option is to go through the above process to configure SSL click tracking on your TSG account. This will maintain the security for your website domain via the HSTS configuration and allow for HTTPS links to resolve.
The second option is to disable HSTS for your website domain if you do not wish to configure SSL click tracking on your TSG account. This second option is less secure, which is why we advise you to reach out to your CDN provider or your website admin for more information on HSTS.
If you don’t want to rely on a CDN when setting up SSL for click and open tracking, you can set up a custom SSL configuration. However, you’ll still need to set up and validate link branding on your account. Once that’s complete, follow the instructions found in this documentation to configure your custom SSL setup. After you’ve finished that, you’ll need to reach out to our Support team to enable SSL click tracking on your account.
Now that you know what SSL click tracking is and how to configure it, you’re ready to send secure links in your emails with Twilio SendGrid. Twilio SendGrid helps you utilize SSL click tracking to combine valuable engagement metrics with top-level security for you as the sender and your recipients to make your email program the best it can be!
If you’d like to explore options for tailored assistance with your email program, our Professional Services team is ready and waiting to assist you.
