HTTPS Link Tracking

By default, tracked links that use your custom subdomain as specified with the CNAME record will be generated as non-secure HTTP links. To have us generate secure HTTPS links instead, you need to configure your link tracking subdomain to point to a server that proxies our link tracking domain (track.customer.io or track-eu.customer.io depending on your account region) using a valid SSL certificate. We cannot generate secure HTTPS links without using your own custom subdomain.

For iOS or Android app links, please read the important information about setting up secure link tracking on those links in our Universal Links documentation. If you just want to enable HTTPS on regular links, we show two simpler configurations below:

 Changing your link tracking domain will cause your existing tracked links to break

If you have already configured a link tracking domain in your Customer.io workspace(s), we recommend that you continue using that domain (e.g., link.example.com) when you enable HTTPS link tracking.

  1. Log into AWS and navigate to the AWS Certificate Manager.

  2. Import or request a new SSL certificate for the domain you want us to use for your tracked links (e.g. link.example.com).

     To satisfy CloudFront…

    Your SSL certificate:

    • must be in the US East (N. Virginia) Region (us-east-1)
    • cannot be more than 2048-bit RSA (per CloudFront’s limitations
    • must cover the subdomain you are using with us for your tracked links (e.g. link.example.com)
  3. If requesting a new certificate through AWS, they will send an email to the appropriate domain owners, requesting them to approve the certificate or you can verify ownership by adding a DNS record.

    HTTPS Links - AWS Certificate Manager
    HTTPS Links - AWS Certificate Manager
  4. Ensure that the certificate is approved and issued.

  5. Navigate to AWS CloudFront.

  6. Create a new distribution.

  7. Under the Origin section, set the fields as follows:

    HTTPS Links - CloudFront Origin Settings
    HTTPS Links - CloudFront Origin Settings
    • Origin domain: track.customer.io (or track-eu.customer.io depending on your region)
    • Protocol: HTTPS Only
    • Minimum origin SSL protocol: TLSv1.2
    • Name: track.customer.io (or track-eu.customer.io depending on your region)
  8. Under the Default cache behavior section, set the fields as follows:

    HTTPS Links - CloudFront Cache Behavior Settings
    HTTPS Links - CloudFront Cache Behavior Settings
    • Allowed HTTP methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

    • Cache key and origin requests: Legacy cache settings

      • Headers: All
      • Query strings: All
  9. Under the Settings section, set the fields as follows:

    HTTPS Links - CloudFront Distribution Settings
    HTTPS Links - CloudFront Distribution Settings
    • Alternate domain names (CNAME): link.example.com (replace with your preferred link tracking domain)
    • Custom SSL certificate: Choose the appropriate ACM certificate
  10. Click a Create distribution button.

  11. Wait for the distribution status to be “Enabled”.

HTTPS Links - CloudFront Distribution Overview
HTTPS Links - CloudFront Distribution Overview
  1. Add (or update) a CNAME record in your link tracking domain’s DNS settings for the domain you are configuring (e.g., link.example.com) and point it to the Domain name shown in CloudFront for your distribution. (e.g., CHANGEME.cloudfront.net).

    The host name and value for your CNAME record will be something like:

    • CNAME record host name: link.example.com
    • CNAME record value: CHANGEME.cloudfront.net
  2. Verify that your DNS record has propagated and is now pointing to your CloudFront distribution. You can do this by checking the CNAME value at a propagation checker like WhatsMyDNS.

    whatsmydns.png
    whatsmydns.png
  3. As an additional “sanity check” you can visit your link tracking domain, followed by /health (e.g., https://link.example.com/health). If your domain is properly pointing to our API, the response body will just be {}. Anything else means there is a problem with your configuration.

    Even if you get a {} response, if anything in your proxy’s configuration modifies or misrepresents the referring host, your links may still result in an “Invalid link security token” error. Your proxy server MUST use your link tracking domain as the host header for the requests that are passed to our server.

  4. Finally, once you are sure that your distribution is properly pointing to our API, head back to Customer.io and go to your Workspace Settings for Email. If you haven’t already set up your link tracking domain (e.g. link.example.com), enter it now in the HOST NAME field and click the Verify domain button to re-validate the domain. You should now pass the HTTPS check and tracking links will use HTTPS by default.

    If past messages already have white-labeled tracked links, changing your link tracking domain will cause those existing tracked links to break.

https_lt_enabled_01.png
https_lt_enabled_01.png

When the domain is collapsed/closed, you can tell that HTTPS link tracking is enabled by looking at the LINK TRACKING section pictured below. Once enabled, your tracked links will now start with something like: https://link.example.com...

https_lt_enabled_02.png
https_lt_enabled_02.png

Set up HTTPS link tracking with Cloudflare

Cloudflare automatically handles TLS certificate generation and proxying for you, making it easy to set up HTTPS link tracking. If your link tracking domain contains more than one subdomain (e.g. a.b.example.com), you’ll need to pay for Cloudflare’s Advanced Certificate Manager, on which you can specify the subdomain you need to cover. Or, if you have a Cloudflare Business or Enterprise plan, you can upload a custom SSL certificate with the required hostnames.

When you set up link tracking with Cloudflare, your SSL/TLS mode must be set to Full. The Full (strict) mode will not work. See Cloudflare’s documentation for more information about SSL modes.

  1. In Cloudflare, go to Websites.
  2. If your domain is already present, skip to the next step. Otherwise, click Add Site and set up your Name servers and DNS records as directed by Cloudflare.
  3. Go to the DNS page and click Add record.
  4. In Customer.io, go to Settings > Workspace Settings > Email, and select your domain. Go to the Link Tracking tab, and copy the CNAME record information to your new record in Cloudflare.
    Copy your cname record from Customer.io
    Copy your cname record from Customer.io
  5. Make sure that the Proxy status is enabled (it’ll show Proxied). If your record looks like the image below, click Save.
    Copy your cname record from Customer.io to Cloudflare
    Copy your cname record from Customer.io to Cloudflare
  6. Go to the SSL/TLS tab and make sure that you’re using the Full mode.
    set your TLS to full
    set your TLS to full
  7. (Optional) If you want to record repeat opens/clicks, and you have a paid Cloudflare account, you can go to the Caching page and set your time to live (TTL) value to 10 seconds or less (effectively zero), which can help you record repeat opens/clicks. If you’re not on a paid plan, you can’t control your cache’s TTL settings.

Troubleshooting failures to verify your link-tracking domain

Cloudflare has Web Application Firewall (WAF) settings. Depending on the strength of your firewall, it may block our request to verify your domain. If you have problems, you may need to add a rule to your WAF ruleset to make an exception for our user-agent.

  1. Go to Security > WAF > Managed Rules.
  2. Click Add exception and add the following information:
    • Field: http.user_agent
    • Operator: Matches
    • Value: Customer\.io\/.*

Alternatively you can use your own server to serve HTTPS tracked links. The following instructions will guide you through setting up NGINX, however it’s possible to use other server software to accomplish this.

  1. Request a new SSL certificate for the domain you want us to use for your tracked links (e.g. link.example.com).

  2. Place the certificate chain into the file named /etc/pki/tls/certs/link.example.com.crt

  3. Place the private key into the file named /etc/pki/tls/private/link.example.com.key

  4. Create the file /etc/nginx/conf.d/link.example.com.conf, with the following content - ensuring that the host header is set to the Host Name specified in your link tracking settings in Customer.io (e.g. link.example.com). The proxy_pass URL should match your region (track.customer.io or track-eu.customer.io):

    server {
      listen 80;
      listen 443 ssl;
      server_name 'link.example.com';
      ssl_certificate '/etc/pki/tls/certs/link.example.com.crt';
      ssl_certificate_key '/etc/pki/tls/private/link.example.com.key';
      location / {
        proxy_pass 'https://track.customer.io';
        proxy_set_header 'Host' 'link.example.com';
      }
    }
  5. Update your DNS record to change the CNAME record for link.example.com to send traffic to your NGINX server. If you’re specifying the IP address of your server this will need to be an A record instead of a CNAME record.

    • CNAME or A record host name: link.example.com
    • CNAME or A record value: IP Address of your NGINX server
  6. As an additional “sanity check” you can visit your link tracking domain, followed by /health (e.g., https://link.example.com/health). If your domain is properly pointing to our API, the response body will just be {}. Anything else means there is a problem with your configuration.

    NOTE: Even if you get a {} response, if anything in your proxy’s configuration modifies or misrepresents the referring host, your links may still result in an “Invalid link security token” error. Your proxy server MUST use your link tracking domain as the host header for the requests that are passed to our server.

  7. Finally, back in Customer.io in your Workspace Settings for Email, if you haven’t already set up your link tracking domain (e.g. link.example.com), enter it now in the HOST NAME field and click the Verify domain button to re-validate the domain. You should now pass the HTTPS check and tracking links will use HTTPS by default.

    If past messages already have white-labeled tracked links, changing your link tracking domain will cause those existing tracked links to break.

    https_lt_enabled_01.png
    https_lt_enabled_01.png

    When the domain is collapsed/closed, you can tell that HTTPS link tracking is enabled by looking at the LINK TRACKING section pictured below. Once enabled, your tracked links will now start with something like: https://link.example.com

    https_lt_enabled_02.png
    https_lt_enabled_02.png
Copied to clipboard!
Is this page helpful?