HTTPS Link Tracking

By default, tracked links that use your custom subdomain (as specified with the CNAME record) are basic HTTP links. You can enable HTTPS link tracking by configuring link tracking for your domain; we’ll automatically generate a valid SSL certificate and proxy links to our link tracking domain for you.

How it works

We generate a unique URL for any link you track. This link proxies through our link tracking domain and then to the ultimate destination. That’s how we track clicks!

But for HTTPS link tracking, we need to use a valid SSL certificate to prove that the proxy is secure, so that your audience, browsers, and any security software understand that the link is safe.

In this case, we’ll generate a record you can add to your DNS provider that points to our link tracking domain and we’ll generate a valid SSL certificate for you.

 This feature affects domains added after October 7, 2025

Before October 8, 2025, we didn’t generate a valid SSL certificate for you. You would’ve had to set up your own SSL certificate and proxy through a service like Cloudflare or tool like NGINX. If you add a domain on or after October 7, 2025, we’ll generate a valid SSL certificate for you so you don’t need to set up your own proxy.

  1. Go to Settings > Workspace Settings > Email, and select your domain.

  2. Select your domain and click the Link Tracking tab.

  3. Update the hostname if you want to change the subdomain for tracked links.

  4. Copy the CNAME record to your DNS provider. If you use a provider like Cloudflare, make sure that the Proxy status is disabled. We’re going to generate the certificate and proxy the links for you.

  5. Return to Customer.io and click Verify domain.

    Like domain verification, this process can take up to 72 hours depending on your DNS provider but typically happens in minutes. If you see a note that we’re provisioning your certificate when you verify your domain, that means that the domain is verified but it’ll take up to 10 minutes for us to generate the certificate and proxy your links.

Changing your link tracking domain will cause your existing tracked links to break.

If you already configured a link tracking domain, you should also use that domain (like link.example.com) when you enable HTTPS link tracking.

Failure to generate a certificate

If your domain provider has a Proxy setting enabled for the link tracking domain’s CNAME record, we won’t be able to generate and handle the certificate for your links. Disable this setting and click Verify domain again.

If you added your domain before October 7, 2025, you had to set up your own SSL certificate and proxy through a service like Cloudflare or tool like NGINX.

We have instructions for some common services below.

Set up HTTPS link tracking with Cloudflare

Cloudflare automatically handles TLS certificate generation and proxying for you, making it easy to set up HTTPS link tracking. If your link tracking domain contains more than one subdomain (e.g. a.b.example.com), you’ll need to pay for Cloudflare’s Advanced Certificate Manager, on which you can specify the subdomain you need to cover. Or, if you have a Cloudflare Business or Enterprise plan, you can upload a custom SSL certificate with the required hostnames.
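Why a deeper name such as a.b.example.com needs its own certificate: a wildcard entry only stands in for a single label. The following is an added example (not Cloudflare's or Customer.io's code) that applies that matching rule to a certificate's subject alternative names; the function names and the sample certificate, which lists example.com and *.example.com, are constructed for illustration.

```python
def covers(pattern, hostname):
    """True if a certificate name covers hostname. A '*' is honoured only as
    the entire left-most label and never spans more than one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def dns_names(peercert):
    """DNS subjectAltName entries from an ssl.SSLSocket.getpeercert() dict."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]

def uncovered(hostnames, peercert):
    """Hostnames that no name in the certificate covers."""
    names = dns_names(peercert)
    return [h for h in hostnames if not any(covers(n, h) for n in names)]

def wildcard_for(hostname):
    """The narrowest wildcard name that would cover hostname."""
    return "*." + hostname.split(".", 1)[1]

# Constructed sample in getpeercert() format.
SAMPLE_CERT = {"subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}

if __name__ == "__main__":
    for host in uncovered(["link.example.com", "a.b.example.com"], SAMPLE_CERT):
        print(f"{host}: not covered; needs {host} or {wildcard_for(host)}")
```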

When you set up link tracking with Cloudflare, you can set your SSL/TLS settings to either Full or Full (strict). Full mode is more flexible because you can use either e.customeriomail.com or track.customer.io in your CNAME. With Full (strict) mode, you must use track.customer.io because it requires that the certificate common name and alternate name have the same root domain, which would be “customer.io” in this case. See Cloudflare’s documentation for more information about SSL modes.

  1. In Cloudflare, go to Websites.

  2. If your domain is already present, skip to the next step. Otherwise, click Add Site and set up your Name servers and DNS records as directed by Cloudflare.

  3. Go to the DNS page and click Add record.

  4. In Customer.io, go to Settings > Workspace Settings > Email, and select your domain. Go to the Link Tracking tab, and copy the CNAME record information to your new record in Cloudflare.

    Copy your cname record from Customer.io

  5. Make sure that the Proxy status is enabled (it’ll show Proxied). If your record looks like the image below, click Save.

    Copy your cname record from Customer.io to Cloudflare

  6. Go to the SSL/TLS tab and make sure that you’re using the Full mode.

    set your TLS to full

  7. (Optional) To record repeat opens/clicks, if you have a paid Cloudflare account, go to the Caching page and set your time to live (TTL) value to 10 seconds or less (effectively zero). If you’re not on a paid plan, you can’t control your cache’s TTL settings.

  8. In your Customer.io Workspace Settings under Email, set up your link-tracking domain if you haven’t already. Enter your domain in the HOST NAME field and click Verify domain to re-validate the domain. You should now pass the HTTPS check and tracking links will use HTTPS by default.

     If past messages already have white-labeled tracked links, changing your link tracking domain will cause those existing tracked links to break.

    cname record showing as verified

    When the domain is collapsed/closed, you can tell that HTTPS link tracking is enabled by looking at the LINK TRACKING section pictured below. Once enabled, your tracked links will now start with something like: https://link.example.com

    link tracking subdomain showing as HTTPS verified

Cloudflare WAF settings

Cloudflare has Web Application Firewall (WAF) settings. Depending on the strength of your firewall, it may block our request to verify your domain. If you have problems, you may need to add a rule to your WAF ruleset to make an exception for our user-agent.

  1. Go to Security > WAF > Managed Rules.
  2. Click Add exception and add the following information:
    • Field: http.user_agent
    • Operator: Matches
    • Value: Customer\.io\/.*

Cloudflare Bulk redirects

Make sure you don’t redirect requests away from the subdomain that you set up HTTPS link tracking on. In your Cloudflare configuration settings, you may need to disable the “include subdomains” option for Bulk Redirects.

Set up HTTPS link tracking with AWS CloudFront

  1. Log in to AWS and navigate to the AWS Certificate Manager.

  2. Import or request a new SSL certificate for the domain you want us to use for your tracked links (e.g. link.example.com).

     To satisfy CloudFront…

    Your SSL certificate:

    • must be in the US East (N. Virginia) Region (us-east-1)
    • cannot be more than 2048-bit RSA (per CloudFront’s limitations)
    • must cover the subdomain you are using with us for your tracked links (e.g. link.example.com)
  3. If you request a new certificate through AWS, AWS will send an email to the appropriate domain owners asking them to approve the certificate. Alternatively, you can verify ownership by adding a DNS record.

    HTTPS Links - AWS Certificate Manager
  4. Ensure that the certificate is approved and issued.

  5. Navigate to AWS CloudFront.

  6. Create a new distribution.

  7. Under the Origin section, set the fields as follows:

    HTTPS Links - CloudFront Origin Settings
    • Origin domain: track.customer.io (or track-eu.customer.io depending on your region)
    • Protocol: HTTPS Only
    • Minimum origin SSL protocol: TLSv1.2
    • Name: track.customer.io (or track-eu.customer.io depending on your region)
  8. Under the Default cache behavior section, set the fields as follows:

    HTTPS Links - CloudFront Cache Behavior Settings
    • Allowed HTTP methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

    • Cache key and origin requests: Legacy cache settings

      • Headers: All
      • Query strings: All
  9. Under the Settings section, set the fields as follows:

    HTTPS Links - CloudFront Distribution Settings
    • Alternate domain names (CNAME): link.example.com (replace with your preferred link tracking domain)
    • Custom SSL certificate: Choose the appropriate ACM certificate
  10. Click the Create distribution button.

  11. Wait for the distribution status to be “Enabled”.

HTTPS Links - CloudFront Distribution Overview
  1. Add (or update) a CNAME record in your link tracking domain’s DNS settings for the domain you are configuring (e.g., link.example.com) and point it to the Domain name shown in CloudFront for your distribution (e.g., CHANGEME.cloudfront.net).

    The host name and value for your CNAME record will be something like:

    • CNAME record host name: link.example.com
    • CNAME record value: CHANGEME.cloudfront.net
  2. Verify that your DNS record has propagated and is now pointing to your CloudFront distribution. You can do this by checking the CNAME value at a propagation checker like WhatsMyDNS.

  3. As an additional “sanity check” you can visit your link tracking domain, followed by /health (e.g., https://link.example.com/health). If your domain is properly pointing to our API, the response body will just be {}. Anything else means there is a problem with your configuration.

     If anything in your proxy’s configuration modifies or misrepresents the referring host, your links may result in Invalid link security token errors—even if you get a {} response. Your proxy server MUST use your link tracking domain as the host header for the requests that are passed to our server.

  4. Finally, once you are sure that your distribution is properly pointing to our API, head back to Customer.io and go to your Workspace Settings for Email. If you haven’t already set up your link tracking domain (e.g. link.example.com), enter it now in the HOST NAME field and click the Verify domain button to re-validate the domain. You should now pass the HTTPS check and tracking links will use HTTPS by default.

     If past messages already have white-labeled tracked links, changing your link tracking domain will cause those existing tracked links to break.


When the domain is collapsed/closed, you can tell that HTTPS link tracking is enabled by looking at the LINK TRACKING section pictured below. Once enabled, your tracked links will now start with something like: https://link.example.com...


Set up HTTPS link tracking with Fastly

Fastly is a content delivery network (CDN) and can proxy requests to Customer.io to support HTTPS tracked links.

This process assumes you’ve already set up your domain in Fastly. If you haven’t done that, you’ll want to do that first in your Fastly dashboard under Security > TLS Management > Domains.

  1. In Fastly, go to CDN and click Create a CDN Service.
  2. Give your service a name.
  3. Enter the domain you want to use for your tracked links (e.g. link.example.com).
  4. Under Add an origin, enter track.customer.io or track-eu.customer.io (depending on your account region).
  5. Disable the Override default host setting. We match the host header to your branded tracking domain for security purposes. If Fastly overrides the host, we’ll think that the link poses a security risk and return an Invalid Security Token error!
    the CDN service page where you'll enter settings to set up your https link proxy
  6. Click Activate. It may take a minute or two for your CDN to finish activating. Then your links should be proxied through Fastly and use HTTPS by default.
  7. If you haven’t already set up your link tracking domain in Customer.io, go to Settings in the upper right > Workspace Settings > Email.
  8. On your domain, go to Actions, click Edit, and go to Link Tracking to set your domain. Then click Verify domain.
    the Customer.io email settings page where you'll add your domain information for link tracking

If you already set up your CDN with the Override default host setting enabled, you can edit the Override host setting for your CDN and set it to your domain or leave it blank.

Set up HTTPS link tracking with NGINX

Alternatively, you can use your own server to serve HTTPS tracked links. The following instructions guide you through setting up NGINX, but you can use other server software to accomplish the same thing.

  1. Request a new SSL certificate for the domain you want us to use for your tracked links (e.g. link.example.com).

  2. Place the certificate chain into the file named /etc/pki/tls/certs/link.example.com.crt

  3. Place the private key into the file named /etc/pki/tls/private/link.example.com.key

  4. Create the file /etc/nginx/conf.d/link.example.com.conf, with the following content - ensuring that the host header is set to the Host Name specified in your link tracking settings in Customer.io (e.g. link.example.com). The proxy_pass URL should match your region (track.customer.io or track-eu.customer.io):

     Use https://track-eu.customer.io if you’re in our EU data region

    If you use the wrong regional URL in the proxy_pass field, we won’t be able to validate your link-tracking domain in later steps.

    server {
      listen 80;
      listen 443 ssl;
      server_name 'link.example.com';
      ssl_certificate '/etc/pki/tls/certs/link.example.com.crt';
      ssl_certificate_key '/etc/pki/tls/private/link.example.com.key';
      location / {
        proxy_pass 'https://track.customer.io';
        proxy_set_header 'Host' 'link.example.com';
      }
    }
  5. Update your DNS record to change the CNAME record for link.example.com to send traffic to your NGINX server. If you’re specifying the IP address of your server this will need to be an A record instead of a CNAME record.

    • CNAME or A record host name: link.example.com
    • CNAME or A record value: IP Address of your NGINX server
  6. As an additional “sanity check” you can visit your link tracking domain, followed by /health (e.g., https://link.example.com/health). If your domain is properly pointing to our API, the response body will just be {}. Anything else means there is a problem with your configuration.

     If anything in your proxy’s configuration modifies or misrepresents the referring host, your links may result in Invalid link security token errors—even if you get a {} response. Your proxy server MUST use your link tracking domain as the host header for the requests that are passed to our server.

  7. In your Customer.io Workspace Settings under Email, set up your link-tracking domain if you haven’t already. Enter your domain in the HOST NAME field and click Verify domain to re-validate the domain. You should now pass the HTTPS check and tracking links will use HTTPS by default.

     If past messages already have white-labeled tracked links, changing your link tracking domain will cause those existing tracked links to break.


    When the domain is collapsed/closed, you can tell that HTTPS link tracking is enabled by looking at the LINK TRACKING section pictured below. Once enabled, your tracked links will now start with something like: https://link.example.com
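Because the /health check in step 6 can return {} even when the proxy sends the wrong Host header, a static check of the NGINX file from step 4 is a useful complement. The linter below is an added example, not Customer.io's code: lint_proxy_conf and directives are hypothetical names, the tokenizer is deliberately simplified, and the proxy_ssl_verify finding is an added hardening check that goes beyond what the steps above require.

```python
import re

# Regional origins named on this page.
ORIGINS = {"track.customer.io", "track-eu.customer.io"}

def directives(conf):
    """Yield (name, args) per directive. Simplified tokenizer: no includes,
    and no ';', '{', '}' or '#' inside quoted values."""
    for stmt in re.split(r"[;{}]", re.sub(r"#[^\n]*", "", conf)):
        parts = [p.strip("'\"") for p in stmt.split()]
        if parts:
            yield parts[0], parts[1:]

def lint_proxy_conf(conf, link_host):
    """Return findings for an NGINX link-tracking proxy configuration."""
    seen = {}
    for name, args in directives(conf):
        seen.setdefault(name, []).append(args)
    findings = []
    upstreams = [a[0] for a in seen.get("proxy_pass", []) if a]
    if not upstreams:
        findings.append("no proxy_pass directive")
    for url in upstreams:
        m = re.fullmatch(r"(https?)://([^/:]+)(:\d+)?(/.*)?", url)
        if not m or m.group(2) not in ORIGINS:
            findings.append(f"proxy_pass {url} is not a regional tracking origin")
        elif m.group(1) != "https":
            findings.append("proxy_pass reaches the origin over plain HTTP")
    # Without proxy_set_header, NGINX sends the proxy_pass host as Host.
    hosts = [a[1] for a in seen.get("proxy_set_header", [])
             if len(a) == 2 and a[0].lower() == "host"]
    if hosts != [link_host]:
        findings.append(f"upstream Host is {', '.join(hosts) or 'the origin name'}, not {link_host}")
    # Added hardening check (not a requirement stated on the page): proxy_ssl_verify
    # is off by default; turning it on also needs proxy_ssl_trusted_certificate.
    if ["on"] not in seen.get("proxy_ssl_verify", []):
        findings.append("proxy_ssl_verify is not on")
    return findings

# Constructed sample: Host left at its default, EU origin over HTTP.
SAMPLE = """
server {
  listen 443 ssl;
  server_name link.example.com;
  location / { proxy_pass http://track-eu.customer.io; }
}
"""

if __name__ == "__main__":
    for finding in lint_proxy_conf(SAMPLE, "link.example.com"):
        print("FINDING:", finding)
```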
