SSL Click Tracking - CDN Configuration
At Braze, email delivery is handled by our delivery partners that support open and click reporting within the Braze dashboard. To perform this tracking over SSL, the delivery partner is required to present a valid trusted certificate to your email recipient’s browser. Braze is unable to request or manage such certificates, so this must be set up on your end through a CDN.
CDN configuration commonly follows after getting your DNS records validated by Braze. If you have not yet initiated this step, reach out to your COM or CSM for more information on how to get started.
Content Delivery Networks are a great mechanism that you can use to serve up content very quickly and easily across multiple mediums as well as handle security certificates for you. Below we have outlined and linked out to relevant CDN partner configurations and resources to help make this process easy.
If you are unable or do not wish to use the Content Delivery Network Partners listed above when setting up SSL for click and open tracking, you may set up a custom SSL configuration. Note that alternate CDNs or custom proxies may result in a more complex and nuanced setup. Check out the Sendgrid and Sparkpost documentation on this topic.
AWS CloudFront - Sendgrid
Step 1: Set Up your Server Certificate
Either upload an existing certificate using the AWS command-line tool or approve a new certificate through your Certificate Manager service that is valid for your link whitelabel(s). e.g. ablink.subdomain.customer.com and another certificate for ablink.info.customer.com.
Step 2: Create a Distribution
Go to Cloudfront and click Create Distribution. Select Web as your delivery method. Please note you will also have to do this set up for each of the link white labels. However, it is possible to use a single distribution (see photos below) for all link white labels, as long as the SSL certificate attached to this distribution covers all subdomains.
Step 3: Configure your Distribution
Set Origin Settings
- Origin Domain Name:
- Origin Path: leave blank
- Origin ID:
- Minimum Origin SSL Protocol: TLSv1.2 only
- Origin Protocol Policy: HTTPS Only
- Origin Response Timeout:
- Origin Keep-alive Timeout:
- HTTP Port:
- HTTPS Port:
Set Default Cache Behavior
- Origin or Origin Group: Braze_sendgrid-HSTS-email
- Viewer Protocol Policy: HTTP and HTTPS (default)
- Allowed HTTP Methods:
- Cached HTTP Methods:
HEAD, check OPTIONS
- Cache Based on Selected Request Headers: All
- Minimum TTL:
- Maximum TTL:
- Default TTL:
- Forward Cookies: All
- Query String Forwarding and Caching: Forward all, cache based on all
- Log Prefix: leave blank
- Delivery Method: Web
- Cookie Logging: Off (default)
- Distribution Status: Deployed
- Price Class: Use All Edge Locations
- AWS WAF Web ACL: leave blank
- State: Enabled
- Alternate Domain Names (CNAMEs):
- SSL Certificate: Custom SSL Certificate
- Custom SSL Client Support: Client that Support Server Name Indication (SNI)
- Security Policy: TLSv1.2
- Supported HTTP Versions: HTTP/2, HTTP/1.1, HTTP/1.0 (default)
- Enable IPv6: Enabled
- Default Root Object: leave blank
- Log Bucket: leave blank
Step 4: Test your Distribution
Once the Distribution is deployed, ensure that it can handle links correctly over HTTP and HTTPS using an existing link.
Step 5: Update your DNS
Once the distribution is verified, change the DNS entry for the link white labels(s) (e.g. ablink.subdomain.customer.com and ablink.info.customer.com) to CNAME to the domain name of the Distribution.
Step 6: Next Steps
Now that you have configured CloudFront, reach out to your COM or CSM and let them know you want SSL click-tracking turned on. They will also help test that your configuration is set up correctly.
Cloudflare - Sendgrid and Sparkpost
Step 1: Set Crypto Settings
You must first purchase an SSL certificate that matches the exact link branding record for each subdomain, for example, ablink.m.example.com, ablink.x.example.com. A wildcard certificate that only covers one level of a subdomain (*.level-ex.com) will cause links to break.
Step 2: Purchase SSL Certificates
Clients can purchase the “Dedicated SSL with Custom Hostnames” option. Ensure that the Certificate purchased is an “Edge Certificate”. For more information on Cloudflare’s different certificates please see here.
The ablink subdomain record will be added as custom hostnames.
Make sure the HTTP proxy is enabled, i.e. the cloud icon is orange.
Step 3: Set Up Page Rules
Confirm that SSL is set to Full and Page Rules are turned ON for each URL.
Step 4: Update DNS Settings
Make sure to point all link branding records for each subdomain to sendgrid.net (there should be 2 CNAME records per each subdomain).
In the “Name” field, ensure you are only posting the portion of the CNAME before your domain. For example, if your CNAME is
ablink.x.example.com, you would only post
Now that you have configured Cloudflare, reach out to your COM or CSM to get them to test your setup.
Step 1: Navigate to the DNS Tab
From your Cloudflare account, navigate to the DNS Tab in the Cloudflare Dashboard.
Step 2: Add your Domain
Add a domain and then add the following Cloudflare NS records:
1 2 NS aron.ns.cloudflare.com NS peyton.ns.cloudflare.com
These values can be found under the DNS Tab in the Cloudflare Dashboard. Checkout the Sparkpost documentation on how to use the command line to confirm your NS records have been updated.
Step 3: Set up Page Rules
Configure the appropriate page rule settings for the domain. In the Page Rules Tab, perform the following instructions:
- Create a page rule: Navigate to the Page Rule Tab, selecting Create Page Rule
- Enter your domain in this format: track.yourdomain.com/*
- Add in redirects (if necessary): Add a Setting -> Forwarding URL (you may need to specify a 301 redirect option)
- Configure your destination URL: Your URL will look something like this:
<CNAME_VALUE>with the value displayed in the tracking domains section of the SparkPost Dashboard. Note that this varies per region. For SparkPost US, this would be spgo.io; for SparkPost EU, this would be eu.spgo.io; for PMTA+Signals, refer to your user guide.
- Save and Deploy (turn page rule ON)
Step 4: Verify SSL Settings
Cloudflare has Universal SSL for all accounts, but it’s good to ensure that setting on the page rule is “SSL”. This is required for how Cloudflare will validate the certificate on the origin.
More information on SSL options for Cloudflare can be found here.
Step 5: Add a CNAME Entry into DNS for your Tracking Domain
The value in the record doesn’t matter; the record simply needs to exist. For example, if your tracking domain is
track.example.com, a CNAME value of
example.com is sufficient. Without a record to reference, the page rule never gets triggered, and the proper redirect will not occur. Please note the typical time it takes to propagate new CNAME records is often around five to ten minutes but can be longer depending on your DNS provider.
Step 6: Reach out to Braze to Update Tracking Domain API
Please reach out to a COM or CSM to complete this step for you.
Step 7: Run Test Verification
Navigate to the Tracking Domains section in the UI and click the orange “test” verification link. At this point, the process is complete. For detailed instructions and additional resources, check out Sparkpost’s CDN documentation here.
KeyCDN - Sendgrid
Please follow Sendgrid’s KeyCDN CDN Documentation for guidance on how to configure your CDN using KeyCDN.