Skip to content
OutboundQA

Infrastructure guide

Tracking domains: CNAME and SSL

What custom tracking domains are, how the CNAME to your sending tool works, how SSL gets provisioned, and why a broken certificate kills click-through.

Updated July 2, 2026 2 related tools 6 sections
On this page
  1. What a tracking domain is
  2. Why it matters for a cold email launch
  3. How to set it up
  4. What good looks like
  5. Common mistakes
  6. FAQ

Tracking domains are the most commonly broken asset in a cold email setup, and the breakage is invisible from the sender’s side. The DNS record resolves, the sending tool shows a green check, and every link in the campaign throws a certificate warning in the prospect’s browser. This guide covers what tracking domains do, how the CNAME works, how SSL gets provisioned, and how to verify both before launch.

What a tracking domain is

Open and click tracking work by rewriting. The sending tool replaces each link in your message with a link through its tracking server, logs the click, and redirects to the real destination. Opens use the same mechanism with a one-pixel image.

By default the rewritten links use the tool’s shared domain, something like track.sendingplatform.com, shared with every other customer of that platform, including the worst ones. A custom tracking domain replaces that with a domain you control:

links.yourdomain.com  CNAME  track.sendingplatform.com.

Now rewritten links read as your domain, the link domain matches the sending domain a filter sees, and your click reputation is your own instead of the platform pool’s.

Why it matters for a cold email launch

  • Shared tracking domains inherit shared reputation. When a platform’s default tracking domain lands on a URI blacklist because of other customers, every message containing it is filtered, including yours. This is the same body-domain mechanism covered in the blacklists guide.
  • Domain mismatch is a filter signal. Mail from yourdomain.com whose every link points at an unrelated platform domain fits a spam pattern. Aligned link domains read as a real sender.
  • Broken SSL kills click-through at the moment of intent. Tracking links are https://. If the tracking domain serves no certificate or the wrong one, the prospect who clicks gets a full-screen browser warning: “Your connection is not private.” Almost nobody clicks through that warning. The campaign generated the click and the infrastructure threw it away.
  • Browsers and link scanners check certificates before users do. Corporate mail security follows links at delivery time. A certificate error at scan time can move the message to spam before any human clicks.

How to set it up

Step 1: Pick a subdomain. Use a subdomain of the sending domain: links.yourdomain.com, track.yourdomain.com, or t.yourdomain.com. Never the root domain, which has its own site, and never a subdomain of your main brand domain for cold sends.

Step 2: Create the tracking domain in the sending tool. Smartlead, Instantly, and the rest all have a tracking-domain setting per workspace or sender. The tool tells you the exact CNAME target.

Step 3: Publish the CNAME.

links.yourdomain.com  CNAME  <target-from-your-tool>.

The target varies by platform and sometimes by account. Copy it from the tool, do not reuse a value from a blog post.

Step 4: Wait for SSL, then confirm it. This is the step teams skip. The platform provisions a certificate for your subdomain automatically (typically via Let’s Encrypt) after it sees the CNAME resolve. That can take minutes to a day. Until it completes, the domain serves either no HTTPS or the platform’s own certificate, and both fail in a browser.

Step 5: Verify like a prospect. Open https://links.yourdomain.com in a browser. A valid certificate for your subdomain, issued in the last months, and a redirect or platform page is a pass. A certificate warning is a launch blocker. The email deliverability checker includes the tracking-domain HTTPS check alongside the DNS records.

What good looks like

$ dig links.yourdomain.com CNAME +short
track.sendingplatform.com.

$ curl -sI https://links.yourdomain.com | head -1
HTTP/2 302

CNAME resolves to the platform, HTTPS answers with a valid certificate and a redirect. Both must be true. The first without the second is exactly the broken state that looks fine in the sending tool.

Common mistakes

  1. CNAME created, SSL never verified. The most common tracking failure. DNS green in the tool, certificate error in the browser. Always test the https:// URL directly.
  2. Launching minutes after DNS setup. Certificate provisioning lags the CNAME. Set up tracking domains a day before launch, not an hour.
  3. A record instead of CNAME. Pointing an A record at the platform’s current IP works until the platform moves, then every link dies. Use the CNAME so the platform controls resolution.
  4. CNAME plus conflicting records. A CNAME cannot coexist with other records on the same name. Leftover A or TXT records on the subdomain break resolution at some resolvers.
  5. One tracking domain shared across clients. For agencies, a shared tracking domain ties every client’s link reputation together. One tracking subdomain per client sending domain keeps the blast radius contained.
  6. Root domain as tracking domain. The root should serve your website over HTTPS (a separate sender requirement concern), not platform redirects.
  7. Forgetting the tracking domain when migrating tools. The CNAME still points at the old platform, which no longer knows the domain, and every historical and new link 404s or warns.

FAQ

Is a custom tracking domain required? No tool forces it, and small sends work without one. But shared tracking domains are a shared-fate risk, and the setup cost is one CNAME. OutboundQA treats a platform-default tracking domain as a fix worth making before launch.

Does the tracking domain need SPF or DKIM? No. It never sends mail. It needs exactly two things: a resolving CNAME and a valid certificate. Its blacklist status matters too, since the domain appears in message bodies.

Can I turn tracking off instead? Yes, and some senders disable open tracking specifically. Click tracking is usually worth keeping for campaign measurement, which is why the domain deserves the 10 minutes of setup.

How do I know SSL finished provisioning? Open the tracking URL in a browser or run the email deliverability checker. Most platforms also show certificate status next to the domain, but verify independently.

Tracking CNAME and tracking SSL are two of the 16 checks OutboundQA runs before a launch, because they are the two a sending tool’s own dashboard most often gets wrong. Check a full setup, tracking included, with the email deliverability checker.

Run the pre-flight check on your next outbound launch

Upload the domains and inboxes, get a verdict and the exact fixes, and a report you can share.