How to set up SSL for dedicated click tracking – Klaviyo - Help Center

You will learn

Before setting up Secure Sockets Layer, also known as SSL, for dedicated click tracking, you need to set up standard click tracking.

Please review our guide to setting up dedicated click tracking to do so. After completing this crucial first step, the three most common ways that people then achieve SSL click tracking is via:

Cloudflare
Cloudfront
Fastly

While these are not your only options, this article will run through how to set this up via these three main methods.

Benefits of SSL for click tracking

A secure sockets layer, also known as SSL, is a security protocol that can be set up for your dedicated click tracking to authenticate that the tracking links’ domain is secure. This will cause your URLs to begin with HTTPS instead of the HTTP, indicating to users clicking on your links that the connection with the associated domain is secure.

We recommend setting up SSL for your dedicated click tracking, as this is best practice for increasing customer trust and security. Without SSL, some browsers may display a security warning for users clicking through your links, and customers may see issues with links and images rendering correctly.

Cloudflare

1. First, log into your Cloudflare account.

2. Then head to the DNS section.

Inside Cloudflare, the top navigation with DNS icon selected.

3. Here, you will see that both click tracking CNAME records are set to have the DNS proxy off, as signified by the gray cloud icon. Click the proxy toggle to the right of the page under Proxy status to turn on for the branding subdomain record.

In the following example, the branding subdomain is “trk.” This is also the default we recommend when setting up dedicated click tracking.

DNS Managment screen with CNAME record below setup as trk

4. Next, head to the Page Rules section of your Cloudflare account:

Inside Cloudflare, the top navigation with Page Rules icon selected.

5. Click the Create Page Rule button on the right side of the page.

6. Create a page rule for the branding subdomain, iterating upon what was discussed above — by default, we recommend “trk” as the subdomain. However, if you used a different subdomain, then we recommend reflecting those changes in the page rule as well.

When creating the page rule, make the settings enforce SSL as Full.

Create a page screen showing the URL field with trk.klaviyo.io/* and settings as SSL and Full

Cloudfront

In order to set up SSL for click tracking through AWS Cloudfront, you’ll first need to create a custom SSL certificate through the Certificate Manager.

To do this, take the following steps:

Click Request Certificate
Select Request a public certificate, then click Next

Under Fully qualified domain name, you should enter your entire click tracking domain. All other defaults can remain as they are.

Request public certificate screen with fully qualified domain name field

You may need to add DNS records to validate the certificate. If necessary, the DNS record that needs to be applied will show on the SSL certificate page.

Note that this may take 30 minutes to validate and deploy.

After creating a custom certificate, you can proceed to create a Cloudfront distribution. To do this:

First, navigate to the Cloudfront Management Portal.
Then, click Create Distribution. This will open a page with various settings. We will walk through each of these sections one by one.

Origin

The main settings to adjust under the Origin settings are:

Origin domain: sendgrid.net

Default Cache Behavior Settings

Your cache behavior settings should also match the setup below. The main settings you need to adjust in the Settings are:

Compress objects automatically: Yes
Viewer Protocol Policy: HTTP and HTTPS
Allowed HTTP Methods: GET, HEAD
Restrict Viewer Access: No
Cache and origin request settings: Legacy cache settings
Headers Requests: All
Query Strings: All
Cookies: All

Default cache behavior settings in Cloudfront

Distribution Settings

1. The main settings to adjust in the Distribution Settings are as follows:

Alternate Domain Names (CNAMEs): trk.example.com
SSL Certificate: Custom SSL Certificate

Distribution settings in Cloudfront

2. Once this is set up, click Create Distribution. At this point, the Cloudfront distribution will be ready to go and you are in the last stretch of setting up SSL for dedicated click tracking. The last thing to do is point your subdomain to this distribution.

3. In your DNS provider, create a CNAME record pointing to the domain name you see in the distribution overview.

Created Cloudfront distrubtion in the distribution overview

Fastly

1. First, navigate to Fastly.
2. If this is your first time logging in, select Get Started and then Create Service. However, if you’re logging in and already use Fastly for other services, simply click Create Service in the upper right corner of your screen.

Inside Fastly on the All Services page showing the Create Service button in the upper right.

3. Once you create the service, you will be brought to a page that will ask for your domain. Type in both your subdomain and domain. Make sure that you use the proper subdomain and domain that you used to set up dedicated click tracking prior.

Domains page showing an example of a domain name and subdomain name in the two fields below.

4. After you add your domain, head to the Hosts section and add Sendgrid.net as the host. It’s important that the port is 443 for SSL.

On the Origins page, in the Hosts section setting Sendgrid.net as the host in the section below and set 443 for SSL below this.

Final step for completion

As iterated above, the three options outlined in this article are not the only options for setting up SSL for dedicated click tracking; however, they are the more common solutions.

Regardless of how you set up SSL click tracking, after doing so, create a ticket in Klaviyo by reaching out to our support team.

Please note that chat support is not able to assist with these tickets.

Additional resources