Mailjet allows you to secure your tracking URLs (open, click, and unsubscribe) by enabling HTTPS with a simple one-click solution. We highly recommend using HTTPS to ensure maximum security for your tracking links.
We use Let's Encrypt with HTTP-01 challenges through your existing tracking CNAME record to issue a TLS certificate. This setup also supports HTTP Strict Transport Security (HSTS) for added security.
Setting Up a Customized Tracking Link
To use HTTPS for your tracking links, you must first set up a customized tracking link. You can learn how to do this here. To utilize HTTPS, ensure that your CNAME record points to t.mailjet.com
.
Once your customized tracking link and CNAME record are configured, you will see a dropdown option for HTTP/HTTPS on the same settings page:
Choose HTTPS from the dropdown. If you wish to update the URLs for images that were previously uploaded in your templates, check the relevant checkbox and click Update. Please note that this will not modify URLs for campaigns that are already active, and the update process may take some time. Be sure not to navigate away from the page until the process is complete.
Once you select HTTPS, three actions occur:
- A Let's Encrypt TLS certificate is generated for your tracking domain.
- The URLs for your tracking links are updated from HTTP to HTTPS.
- If selected, previously uploaded image URLs are updated to HTTPS in your templates.
Give it a few moments to complete, and then you're all set!
Cloudflare Proxy Configuration
If you manage your DNS with Cloudflare, you need to turn off Cloudflare's proxy for your CNAME record and set it to DNS only. This is required because we use the CNAME record to generate and renew the certificate, as well as to terminate TLS whenever an HTTPS link is clicked.
Setting Up CAA Records
If you've published a Certification Authority Authorization (CAA) record for your domain, ensure it includes issue: letsencrypt.org
to allow Mailjet to generate an SSL certificate for your subdomain.
-
Root Domain Level CAA Record: The CAA record should be set at the root domain level (e.g.,
yourdomain.com
) to cover all subdomains. -
Specific Subdomains: If you’re using a specific subdomain (e.g.,
subdomain1.yourdomain.com
) for HTTPS tracking, place the CAA record at the higher level (yourdomain.com
) since placing it directly on the subdomain with an existing CNAME may not be allowed.
Examples
-
Using a Subdomain for HTTPS Tracking: If you want to use
subdomain1.yourdomain.com
as your custom HTTPS tracking host, point the CNAME record tot.mailjet.com
. Set the CAA record atyourdomain.com
. -
Using a Fourth-Level Domain: If you’re working with a domain like
subdomain2.subdomain1.yourdomain.com
, set the CAA record atsubdomain1.yourdomain.com
oryourdomain.com
. The CAA checks are recursive and start from the subdomain, moving up to the root.
FAQ
-
What happens to my existing HTTP links after enabling HTTPS?
Your existing HTTP tracking links will continue to work since our servers still listen on port 80. -
What happens to my existing links if HTTPS is disabled?
The generated certificate will still be retained, so existing HTTPS links will remain valid. -
Will Mailjet automatically renew SSL certificates?
Yes, Mailjet will auto-renew SSL certificates every 60 days as per Let's Encrypt recommendations.