We're experiencing difficulty. Our engineers are on it. Please check status.mailgun.com for real-time updates.

How to Enable HTTPS Tracking Links

Currently, Mailgun doesn't officially support HTTPS tracking links. Not to worry though - there is a workaround! It does require the use of a CDN, and we recommend utilizing CloudFlare. However - most CDNs should suffice.

Why Do I Need a CDN?

To understand why the use of a CDN is required for HTTPS tracking links, here's a quick, high-level overview of how they work is needed.

Tracking links work by utilizing a CNAME that points to mailgun.orgLinks in your email messages are then rewritten with this tracking hostname.  When your recipients then click on those links, it first sends the request to mailgun.org, and we return a redirect to the original URL.

Since we do not support HTTPS connections to mailgun.org, a CDN is needed to fill the gap between the client and mailgun.org. Essentially, the client connects to the CDN via HTTPS, the CDN connects to mailgun.org via HTTP, and the CDN relays the response from mailgun.org to the client over HTTPS.

The following are the specific steps for setting up CloudFlare as a CDN to handle Mailgun tracking links to support HTTPS.


Special Note: CloudFlare's default universal SSL certificate only supports root and 1st level subdomains.  If your tracking hostname is a 2nd level domain or higher, you'll need to contact CloudFlare to discuss your options for an SSL certificate to support the tracking hostname. 


Step 1: Create A CNAME

In your CloudFlare account:

  • Click on the DNS option and configure a new CNAME entry that points your Mailgun Tracking CNAME (e.g., email.your-domain.com) to mailgun.org. Ensure that the CNAME is configured as DNS and HTTP Proxy (CDN). The cloud image under Status should be the color orange.

Step 2: Create A Page Rule

Also in your CloudFlare account:

  • Navigate to the Page Rules settings for your domain and create a Page Rule for your Tracking CNAME (i.e., email.your-domain.com) setting SSL to Flexible. Make sure to use a wildcard after your domain for the best results (e.g., https://email.your-domain.com/*).
  • Turn this to On.

Step 3: Enable HTTPS In Mailgun (Create A Ticket Or Use The API)

Now that the above two steps are completed, HTTPS needs to be enabled within Mailgun.  There are two ways to accomplish this:

  • Create a Support ticket via the Support page of the Mailgun control panel to let us know your page rule has been created. We will then set your links to default to HTTPS instead of HTTP. 
  • Or, for users of the Mailgun APIs, the Domains API (see the docs here!) provides the web_scheme parameter, which can accept the values of HTTP or HTTPS.  For the domain in question, you will use an HTTP PUT request to set the web_scheme to HTTPS.


If any questions arise, please reach out to our Support team via the Support option in your Mailgun control panel!


Powered by Zendesk