SSL at Braze
Secure Sockets Layer (SSL) encrypts the connection to a URL, which is then served over HTTPS instead of HTTP. HTTPS indicates that a valid and trusted SSL or TLS certificate exists and that the website is safe to visit.
Why is SSL important?
Most domains do not require SSL, but Braze strongly recommends using SSL for these reasons.
Securing your website and links with SSL is a common practice even for companies that don’t deal directly with sensitive customer information. Users are more trusting of links that are secured with SSL, and the additional layer of authentication helps protect your data.
Necessary for click and open tracking
Braze transforms your links using your branded link tracking subdomain to track clicks and opens. By default these links begin with HTTP. Users with browsers or extensions that restrict non-secure traffic may have difficulty passing through the redirect before the destination URL, even if the URL is secure. This can cause broken images and inaccurate tracking. Apply SSL to the link tracking subdomain to confirm secure redirects.
Browser requirement
Major browsers such as Google Chrome restrict traffic through non-secure URLs to protect users. Using SSL helps confirm that content is trusted and minimizes issues like broken links and images in emails.
HSTS domains requirement
If you have an HTTP Strict Transport Security (HSTS) domain, set up SSL and configure a CDN to send required security certificates. Without SSL, image and web links break.
Acquiring an SSL certificate
Acquire an SSL certificate through a third party, usually a Content Delivery Network (CDN). The CDN hosts the certificate and serves it to the browser when a user clicks a link: traffic is routed through the CDN, which applies the certificate before sending the request on to SendGrid or SparkPost.
To start SSL setup, contact your Braze customer success manager to initiate a full Braze email setup.
After Braze initiates setup, follow these steps:
- Braze will provide DNS records to add to your domain registry.
- Braze will verify if records have been added to your registry correctly.
- After this, you’ll select a CDN and obtain SSL certificates from a third-party provider.
- At this point, you’ll set up your CDN. Note that Braze will not be able to help troubleshoot CDN configuration. Contact your CDN provider for any further assistance.
- Contact your customer success manager to get SSL turned on.
What is a CDN, and why do I need it?
A content delivery network (CDN) is a platform of servers that helps ensure quick load times of content across multiple mediums while also handling security certificates.
CDN configuration always follows after getting your DNS records validated by Braze. If you have not yet initiated this step, contact your customer success manager for more information on how to get started.
For click and open tracking, delivery partners transform links using a branded subdomain and the CDN applies the SSL certificate to those transformed links. Partners often must present valid certificates to the recipient’s browser for links and images to display correctly. Because Braze doesn’t request or manage certificates, you must set this up through a CDN.
Additional resources
For troubleshooting your CDN configuration, contact your CDN provider.
The following table includes step-by-step guides written by ESP partners on how to configure certain CDNs. While your specific CDN may not be listed, you must make sure your CDN has the ability to apply SSL certificates.
| SendGrid | SparkPost |
|---|---|
| AWS Cloudfront, CloudFlare, Fastly, KeyCDN | AWS Cloudfront, CloudFlare, Fastly, Google Cloud Platform, Microsoft Azure |
For Amazon SES, refer to Option 2: Configuring an HTTPS domain and specify the AWS tracking domain by region based on your Braze cluster:
- Braze US clusters: r.us-east-1.awstrack.me
- Braze EU clusters: r.eu-central-1.awstrack.me
When you configure your CDN’s click-tracking domain, enable the X-Forwarded-Host header to prevent potential security issues such as host header attacks. Refer to CDN documentation or your support team for steps.
Troubleshooting
While you should handle CDN configuration, certificates, and proxy issues with your CDN, use these tips to identify common SSL click tracking issues.
Domain registry issues
Run a dig command to confirm that your link tracking subdomain points at the CDN. In your terminal, run dig CNAME link_tracking_subdomain. The ANSWER SECTION of the output lists where your CNAME points. If it points to the email service provider (SendGrid or SparkPost) and not your CDN, reconfigure your domain registry to point to your CDN.
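The check described above can be scripted. The following is an added example, not Braze's own tooling: it reads dig output and reports whether the CNAME still points at the email service provider. The suffix list in ESP_SUFFIXES and the sample records are assumptions; adjust them to the DNS records you were given.

```shell
#!/bin/sh
# Added example: classify the CNAME target shown in `dig CNAME <subdomain>` output.
# ASSUMPTION: ESP_SUFFIXES lists hostname suffixes used by the delivery partners
# (sendgrid.net, spgo.io for SparkPost, awstrack.me for Amazon SES). Adjust it to
# the CNAME targets in the DNS records you were given.
ESP_SUFFIXES="sendgrid.net spgo.io awstrack.me"

# Read dig output on stdin; print the first CNAME target in ANSWER SECTION,
# lowercased and without the trailing dot (prints nothing if there is none).
cname_target() {
  awk '
    /ANSWER SECTION/           { in_answer = 1; next }
    in_answer && NF == 0       { in_answer = 0 }
    in_answer && $4 == "CNAME" { t = tolower($5); sub(/\.$/, "", t); print t; exit }
  '
}

# Read dig output on stdin; print one of:
#   esp   - CNAME still points straight at the email service provider
#   other - CNAME points elsewhere (expected once it points at your CDN)
#   none  - no CNAME answer at all
classify_cname() {
  target=$(cname_target)
  if [ -z "$target" ]; then echo "none"; return 0; fi
  for suffix in $ESP_SUFFIXES; do
    case "$target" in
      # Match the suffix itself or a subdomain of it, not lookalike names.
      "$suffix"|*."$suffix") echo "esp"; return 0 ;;
    esac
  done
  echo "other"
}

# Constructed sample dig output (not captured from a real domain).
SAMPLE_ESP=';; ANSWER SECTION:
click.example.com. 300 IN CNAME sendgrid.net.'
SAMPLE_CDN=';; ANSWER SECTION:
click.example.com. 300 IN CNAME d111111abcdef8.cloudfront.net.'

# Live use: dig CNAME click.example.com | classify_cname
printf 'ESP sample: %s\n' "$(printf '%s\n' "$SAMPLE_ESP" | classify_cname)"
printf 'CDN sample: %s\n' "$(printf '%s\n' "$SAMPLE_CDN" | classify_cname)"
```

A result of "other" only shows that the record no longer points at the provider; confirm the target is your CDN's hostname before treating the setup as correct.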
CDN issues
If live email links break during setup, you likely pointed DNS toward your CDN before proper configuration. This can appear as a “wrong link” error. Contact your CDN provider and review their documentation to troubleshoot configuration.
SSL enablement status
If you complete SSL setup and links still appear as HTTP, contact your Braze customer success manager to confirm Braze enabled SSL. Braze enables SSL only after all setup steps are complete.