SSL Click Tracking - CDN Configuration

At Braze, email delivery is handled by our delivery partners that support open and click reporting within the Braze dashboard. To perform this tracking over SSL, the delivery partner is required to present a valid trusted certificate to your email recipient’s browser. Braze is unable to request or manage such certificates, so this must be set up on your end through a CDN.

CDN configuration commonly follows after getting your DNS records validated by Braze. If you have not yet initiated this step, reach out to your COM or CSM for more information on how to get started.

Content Delivery Networks are a great mechanism that you can use to serve up content very quickly and easily across multiple mediums as well as handle security certificates for you. Below we have outlined and linked out to relevant CDN partner configurations and resources to help make this process easy.

Content Delivery Networks - Partners
- AWS CloudFront: Sendgrid and Sparkpost
- Cloudflare: Sendgrid and Sparkpost
- Fastly: Sendgrid and Sparkpost
- KeyCDN: Sendgrid

AWS CloudFront - Sendgrid and Sparkpost

Step 1: Set Up your Server Certificate

Either upload an existing certificate using the AWS command-line tool or approve a new certificate through your Certificate Manager service that is valid for your link whitelabel(s). e.g. and another certificate for

Step 2: Create a Distribution

Go to CloudFront and click Create Distribution. Select Web as your delivery method. Please note that you will also have to do this setup for each of the link white labels. However, it is possible to use a single distribution (see photos below) for all link white labels, as long as the SSL certificate attached to this distribution covers all subdomains.

Single Distribution

Step 3: Configure your Distribution

Set Origin Settings

  • Origin Domain Name:
  • Origin Path: leave blank
  • Origin ID: Braze_sendgrid-HSTS-email
  • Minimum Origin SSL Protocol: TLSv1.2 only
  • Origin Protocol Policy: HTTPS Only
  • Origin Response Timeout: 30
  • Origin Keep-alive Timeout: 5
  • HTTP Port: 80 (default)
  • HTTPS Port: 443 (default)

Set Default Cache Behavior

  • Origin or Origin Group: Braze_sendgrid-HSTS-email
  • Viewer Protocol Policy: HTTP and HTTPS (default)
  • Cached HTTP Methods: GET, HEAD, check OPTIONS
  • Cache and Origin Request Settings: Use legacy cache settings
  • Cache Based on Selected Request Headers: All
  • Minimum TTL: 0 (default)
  • Maximum TTL: 31536000 (default)
  • Default TTL: 86400
  • Forward Cookies: All
  • Query String Forwarding and Caching: Forward all, cache based on all

Distribution Settings

  • Log Prefix: leave blank
  • Delivery Method: Web
  • Cookie Logging: Off (default)
  • Distribution Status: Deployed
  • Price Class: Use All Edge Locations
  • AWS WAF Web ACL: leave blank
  • State: Enabled
  • Alternate Domain Names (CNAMEs): or
  • SSL Certificate: Custom SSL Certificate
  • Custom SSL Client Support: Clients that Support Server Name Indication (SNI)
  • Security Policy: TLSv1.2
  • Supported HTTP Versions: HTTP/2, HTTP/1.1, HTTP/1.0 (default)
  • Enable IPv6: Enabled
  • Default Root Object: leave blank
  • Log Bucket: leave blank

Step 4: Test your Distribution

Once the Distribution is deployed, ensure that it can handle links correctly over HTTP and HTTPS. This can be done by adding an “s” to an existing HTTP link and verifying it resolves to the original URL.

Step 5: Update your DNS

Once the distribution is verified, change the DNS entry for the link white label(s) (e.g. and) to CNAME to the domain name of the Distribution.

Step 6: Next Steps

Now that you have configured CloudFront, reach out to your COM or CSM and let them know you want SSL click-tracking turned on. They will also help test that your configuration is set up correctly.

Please follow Sparkpost’s CloudFront CDN Documentation for guidance on how to configure your CDN using CloudFront.

Cloudflare - Sendgrid and Sparkpost

Step 1: Set Crypto Settings

You must first purchase an SSL certificate that matches the exact link branding record for each subdomain, for example,, A wildcard certificate that only covers one level of a subdomain (* will cause links to break.

Crypto Settings
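
The certificate-coverage requirement above (and the single-distribution condition in the CloudFront section) can be checked before DNS is switched. The following is an added example, not code from Braze or the CDN vendors; the hostnames and SAN lists are constructed placeholders, and the matching follows the usual rule that a wildcard stands for exactly one left-most label.

```python
import socket
import ssl

def san_matches(pattern: str, hostname: str) -> bool:
    """Wildcard rule: '*' may only be the whole left-most label and
    stands for exactly one label, so it never spans two levels."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def uncovered(sans, hostnames):
    """Return the link-branding hostnames that no SAN entry covers."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]

def fetch_sans(host, port=443, timeout=5.0):
    """Read the DNS SANs of the certificate served for `host` via SNI.
    Raises ssl.SSLCertVerificationError if the served certificate is not
    trusted or does not cover `host`, which is itself a failed check."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Constructed sample values (assumptions, not taken from the page).
LINK_HOSTS = ["ablink.mail.example.com", "ablink.news.example.com"]
ONE_LEVEL_WILDCARD = ["*.example.com"]   # covers only one subdomain level
EXACT_SANS = ["ablink.mail.example.com", "ablink.news.example.com"]

if __name__ == "__main__":
    print("wildcard misses:", uncovered(ONE_LEVEL_WILDCARD, LINK_HOSTS))
    print("exact SANs miss:", uncovered(EXACT_SANS, LINK_HOSTS))
```

Once the CDN is serving the certificate, pass the result of fetch_sans() for each link-branding hostname to uncovered() to confirm nothing is missed.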

Step 2: Purchase SSL Certificates

Clients can purchase the “Dedicated SSL with Custom Hostnames” option. Ensure that the Certificate purchased is an “Edge Certificate”. For more information on Cloudflare’s different certificates please see here.

SSL Certificates

The ablink subdomain record will be added as custom hostnames.

Link Branding

Make sure the HTTP proxy is enabled, i.e. the cloud icon is orange.

Step 3: Set Up Page Rules

Confirm that SSL is set to Full and Page Rules are turned ON for each URL.

Page Rules

Step 4: Update DNS Settings

Make sure to point all link branding records for each subdomain to (there should be 2 CNAME records per each subdomain).

In the “Name” field, ensure you are only posting the portion of the CNAME before your domain. For example, if your CNAME is, you would only post ablink.x.


Next steps

Now that you have configured Cloudflare, reach out to your COM or CSM to get them to test your setup.

Step 1: Navigate to the DNS Tab

From your Cloudflare account, navigate to the DNS Tab in the Cloudflare Dashboard.

Step 2: Add your Domain

Add a domain and then add the following Cloudflare NS records:


These values can be found under the DNS Tab in the Cloudflare Dashboard. Check out the Sparkpost documentation on how to use the command line to confirm your NS records have been updated.

Step 3: Set up Page Rules

Configure the appropriate page rule settings for the domain. In the Page Rules Tab, perform the following instructions:

  1. Create a page rule: Navigate to the Page Rule Tab, selecting Create Page Rule
  2. Enter your domain in this format:*
  3. Add in redirects (if necessary): Add a Setting -> Forwarding URL (you may need to specify a 301 redirect option)
  4. Configure your destination URL: Your URL will look something like this: https://<CNAME_VALUE>/$1. Replace <CNAME_VALUE> with the value displayed in the tracking domains section of the SparkPost Dashboard. Note that this varies per region. For SparkPost US, this would be; for SparkPost EU, this would be; for PMTA+Signals, refer to your user guide.
  5. Save and Deploy (turn page rule ON)

Step 4: Verify SSL Settings

Cloudflare has Universal SSL for all accounts, but it’s good to ensure that the setting on the page rule is “SSL”. This is required for how Cloudflare will validate the certificate on the origin.

More information on SSL options for Cloudflare can be found here.

Step 5: Add a CNAME Entry into DNS for your Tracking Domain

The value in the record doesn’t matter; the record simply needs to exist. For example, if your tracking domain is, a CNAME value of is sufficient. Without a record to reference, the page rule never gets triggered, and the proper redirect will not occur. Please note the typical time it takes to propagate new CNAME records is often around five to ten minutes but can be longer depending on your DNS provider.

Step 6: Reach out to Braze to Update Tracking Domain API

Please reach out to a COM or CSM to complete this step for you.

Step 7: Run Test Verification

Navigate to the Tracking Domains section in the UI and click the orange “test” verification link. At this point, the process is complete. For detailed instructions and additional resources, check out Sparkpost’s CDN documentation here.

KeyCDN - Sendgrid

Please follow Sendgrid’s KeyCDN CDN Documentation for guidance on how to configure your CDN using KeyCDN.

Fastly - Sendgrid and Sparkpost

Please follow Sendgrid’s Fastly CDN Documentation for guidance on how to configure your CDN using Fastly.

Please follow Sparkpost’s Fastly CDN Documentation for guidance on how to configure your CDN using Fastly.
