Fix email tracking with SSL websites
Using email tracking with an SSL website prevents users from performing the action with Google Chrome.
If you use SSL with HSTS, it triggers a big warning in Chrome when the user clicks on the link: http://cl.ly/image/0A373O2r3539
Email tracking in Mailgun is performed by replacing links in the email with a custom subdomain set up in the admin panel, i.e. email.domain.com, which has to be configured as a CNAME for mailgun.org.
Chrome will try to access httpS://email.domain.com, which will fail because the underlying server is mailgun.org and not domain.com's server.
Proposed Solution:
Instead of pointing email.domain.com => mailgun.org, configure your server for https://email.domain.com and redirect every request (with parameters) to https://mailgun.org/$requestedURI.
Then the usual Mailgun tracking system can track clicks and redirect to the right domain.com URL.
This could be easily done if there was a way to override the Mailgun admin panel check for the CNAME record, i.e. a checkbox "I've set up a forwarding subdomain to mailgun.org".
A degraded version would be to have links replaced by https://mailgun.org/click?ID, but this would probably harm deliverability for mail coming from domain.com (and not mailgun.org).
More info on SSL HSTS: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Hi all,
I’m happy to announce that we’ve released this feature to production.
For the time being, this is only available on our Scale and Enterprise plans; however, this is only during the initial launch, as we are monitoring performance during initial adoption. We have plans to expand this to all of our current plans in the near future.
Please check out our blog post for more information: https://www.mailgun.com/blog/https-innovation-and-optimization
Also check out our Help Article that outlines setup: https://help.mailgun.com/hc/en-us/articles/360011566033-How-to-Enable-HTTPS-Tracking-Links
-
Viktor Nagornyy commented
Here's a possible solution, which is what KeyCDN started doing if you use CNAME to brand URLs they serve from their network.
Use a free Let's Encrypt certificate for the CNAME sub-domain; this way there are no additional charges for SSLs and we are able to use HTTPS in our tracking links. Simply give us an option to enable a free SSL certificate for the CNAME sub-domain, and your system provisions the SSL certificate for our sub-domain using Let's Encrypt.
More info on what KeyCDN did with Let's Encrypt:
https://www.keycdn.com/blog/free-ssl-certificates/
It works great.
-
Uriah Galang commented
How can I apply the proposed solution? It is quite confusing. Any visual guide to help me out? Thanks.
-
Jacob Magnusson commented
This is really frustrating. Do you plan to take any action on this?
Perhaps one solution would be for us users to host the subdomain and then let us do a reverse proxy to your click tracking server.
-
Philip Clifton commented
Could this not be an API call?
We take the link hash and notify Mailgun that the hash was clicked.
I would like to have HSTS setup for all my subdomains.
-
Eric Rodriguez commented
Hi Travis,
I'm getting back to this.
The whole point of customizing the click tracking url is to "brand" the email and make it as "official" as the original domain name.
Since mailgun already validates the ownership of the domain through DNS checks, the argument of "phishing links" does not stand.
It's indeed good practice that Mailgun validates DNS ownership, but then it should be possible to configure click tracking based on the domain name validated (after this verification step).
Eric
-
arpawocky commented
Alternative solution:
Leave out the includeSubDomains option from your HSTS header.
-
Travis Swientek commented
Note: The proposed solution will no longer work due to restrictions Mailgun added to protect domain reputations. Instead, we recommend configuring an alternate domain for email tracking if HSTS is enabled on your domain.
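Why Chrome rewrites the http:// tracking link on the CNAME subdomain in the first place, and why arpawocky's suggestion of dropping includeSubDomains changes that, can be seen by modelling the browser's HSTS host matching (RFC 6797 section 8.3). This is an added example, not Mailgun's or any commenter's code; domain.com and email.domain.com are the thread's placeholder names and the header values are constructed.

```python
def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required by RFC 6797")
    return max_age, include_sub

class HstsCache:
    """Minimal Known HSTS Host store, matching the rules of RFC 6797 section 8.3."""
    def __init__(self):
        self.hosts = {}  # host -> (expires_at, include_subdomains)

    def learn(self, host, header, now):
        """Record the policy a host sent over HTTPS (max-age=0 clears it)."""
        max_age, include_sub = parse_hsts(header)
        if max_age == 0:
            self.hosts.pop(host.lower(), None)
        else:
            self.hosts[host.lower()] = (now + max_age, include_sub)

    def must_upgrade(self, host, now):
        """True if http://host would be rewritten to https:// by the browser."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            # i == 0 is an exact match; i > 0 is a superdomain match, which
            # only applies when that superdomain's policy set includeSubDomains.
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # unknown host or expired policy
            if i == 0 or entry[1]:
                return True
        return False

def tracking_link_upgraded(policy_header, link_host="email.domain.com"):
    """Constructed scenario: the browser has seen domain.com's HSTS header once,
    then the user clicks an http:// tracking link on the CNAME subdomain."""
    cache = HstsCache()
    cache.learn("domain.com", policy_header, now=0)
    return cache.must_upgrade(link_host, now=1)
```

With includeSubDomains present the link is forced to https://email.domain.com, where the certificate served by the CNAME target does not match; without it the subdomain stays on plain http and the tracking redirect works, at the cost of leaving that subdomain outside the HSTS policy.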