How does link tracking interact with HTTPS and redirects?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Every tracked link in your email is a redirect. When someone clicks, they first hit your ESP's tracking server, which logs the click, then forwards them to the final URL. That redirect chain needs to stay secure from start to finish.
Here's where problems show up: if your ESP's tracking domain uses HTTPS but your final destination URL is plain HTTP (or vice versa), browsers may block the redirect or flash a security warning. At best, the subscriber sees a warning and has to manually confirm. At worst, the browser blocks the redirect entirely and the click doesn't register in your analytics.
The most common setup issues:
- Custom tracking domain without SSL. If you've set up a branded tracking domain (like
click.yourcompany.com) but haven't applied an SSL certificate to it, the chain breaks at your tracking server. - Destination URLs on HTTP. If you're linking to old pages still running on plain HTTP, there's a secure-to-insecure jump at the end of the redirect chain.
- Multi-hop redirects. Sometimes a link goes tracking server → marketing tool → final URL. Every hop needs to be HTTPS.
Most major ESPs handle tracking domain HTTPS automatically now. But if you're using a custom tracking domain, SSL is your responsibility. Check your domain config if you're seeing unusual click drop-off, especially in privacy-conscious browsers like Firefox and Safari.
Mixed content warnings also reduce subscriber trust, which has a softer effect beyond just click tracking. A reader who hits a security interstitial is less likely to complete the action you wanted them to take. For more on how click events are recorded across the full redirect chain, that goes deeper into the mechanics.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.