We're experiencing difficulty. Our engineers are on it. Please check status.mailgun.com for real-time updates.

HTTPS Tracking & Links

Article Preview


    One-click HTTPS tracking links are available on all subscription plans. Tracking will occur on open, click, and unsubscribe tracking URLs. Mailgun utilizes Let’s Encrypt with HTTP-01 challenges via your existing tracking CNAME record to issue a TLS certificate. This configuration also supports HTTP Strict Transport Security (HSTS).

    The Flex plan, which is a pay-as-you-grow usage-based plan, does not include this feature.  If your account is using the Flex plan, please see the "Manual Setup" section below.


    Why do I need a CDN?

    To understand why the use of a CDN is required for HTTPS tracking links, here's a quick, high-level overview of how they work is needed.

    Tracking links work by utilizing a CNAME that points to mailgun.org.  Links in your email messages are then rewritten with this tracking hostname.  When your recipients then click on those links, it first sends the request to mailgun.org, and we return a redirect to the original URL.

    Since we do not support HTTPS connections to mailgun.org, a CDN is needed to fill the gap between the client and mailgun.org. Essentially, the client connects to the CDN via HTTPS, the CDN connects to mailgun.org via HTTP, and the CDN relays the response from mailgun.org to the client over HTTPS.


    Automated setup

    You must first ensure that you have a tracking CNAME in place pointing to mailgun.org or eu.mailgun.org if your domain is in our EU infrastructure. By default, the DNS record is "email.<domain.com>", however, the tracking hostname is configurable via the Mailgun application, so just be sure the hostname in your CNAME record matches the tracking hostname set.


    Once your CNAME record is in place, head to Sending > Domain settings (ensure you've selected the domain you wish to change) and then navigate to the Tracking section and click on the Edit button next to Tracking protocol and change the radio button from HTTP to HTTPS and hit Save. This will kick off a 2 step process; first, we'll generate a Let's Encrypt TLS certificate for your tracking domain, and then we'll switch the protocol for your URLs from HTTP to HTTPS. Give it a few moments to complete and then you're all set!


    If you're using Cloudflare Proxy, you will need to turn off Cloudflare’s proxy for your CNAME record. Instead, set it to DNS only, as we use the record to generate the certificate, to renew the certificate, and to terminate TLS every time an HTTPS link is clicked.

    If you're switching from a third-party CDN to using the automated HTTPS tracking native to Mailgun, ensure that the required CNAME record is present/updated. After that, go to the Domain Settings to switch the tracking from HTTPS to HTTP, save the change, then set the tracking back to HTTP, and save the change. This allows Mailgun to generate a TLS certificate for your tracking domain and establish the automated tracking through Mailgun.


    Manual setup

    This alternative is only needed if you are on the Flex plan, which is a pay-as-you-grow usage-based plan, or if you do not wish to use our native HTTPS tracking for your use case. Excepting the latter reason, we strongly recommend using the automated solutions above if you are on any of our subscription plans.

    The following are the specific steps for setting up CloudFlare as a CDN to handle Mailgun tracking links to support HTTPS. For other CDNs, the process will likely be similar and should be described in detail within their technical documentation.

    Important Note:
    CloudFlare's default universal SSL certificate only supports root and 1st level subdomains.  If your tracking hostname is a 2nd level domain or higher, you'll need to contact CloudFlare to discuss your options for an SSL certificate to support the tracking hostname. 

    Create a CNAME

    In your CloudFlare account:

    • Click on the DNS option and configure a new CNAME entry that points your Mailgun Tracking CNAME (e.g., email.your-domain.com) to mailgun.org. Ensure that the CNAME is configured as HTTP Proxy (CDN), which means that the cloud image under Status should be the color orange.

    Create a page rule

    Also in your CloudFlare account:

    • Navigate to the Page Rules settings for your domain and create a Page Rule for your Tracking CNAME (i.e., email.your-domain.com) setting SSL to FlexibleMake sure to use a wildcard after your domain for the best results (e.g., https://email.your-domain.com/*).
    • Turn this to On.

    Enable HTTPS in Mailgun

    Now that the above two steps are completed, HTTPS needs to be enabled within Mailgun.  There are two ways to accomplish this:

    • Navigate to Sending > Domain Settings > adjust web scheme to HTTPS instead of HTTP.
    • Or, for users of the Mailgun APIs, the Domains API (see the docs here!) provides the web_scheme parameter, which can accept the values of HTTP or HTTPS.  For the domain in question, you will use an HTTP PUT request to set the web_scheme to HTTPS.



    What happens to my existing HTTP links that were generated prior to enabling HTTPS?

    Our servers will still listen on port 80 so previous tracking links utilizing HTTP will still work.

    What happens to my existing links if HTTPS is disabled?

    We retain the generated certificate, so the links will still be valid.

    Will Mailgun rotate the SSL certificates when required (this assumes you're using our automated HTTPS feature and not setting up the CDN yourself)?

    Yes, the certificates will be auto-renewed every 60 days, as per the Let's Encrypt recommendations.


    Need Support?

    Our Support Team here at Sinch Mailgun is happy to help! Reach out to us in the Support section of your Mailgun Control Panel, and we'll be with you shortly!