Custom tracking domain: why and how to set it up
Every link in your marketing email passes through your ESP’s tracking server. By default that server sits on the ESP’s own domain — something like click.esp-provider.com. Spam filters see the same domain across thousands of senders and treat it as a shared signal. One bad neighbour and your links inherit their baggage. A custom tracking domain replaces that shared URL with your own, tying link reputation directly to your sending domain.
What a tracking domain actually does
When you enable click tracking in your ESP, every URL in the email body gets rewritten. Instead of linking directly to https://yoursite.com/pricing, the email contains something like:
https://click.esp-provider.com/track?url=https%3A%2F%2Fyoursite.com%2Fpricing&uid=abc123
The recipient clicks the link. The request hits the ESP’s tracking server, which logs the click and issues a 302 redirect to the final destination. Open tracking works the same way: a tiny pixel image loads from the tracking server, and the ESP records the open.
With a custom tracking domain, the URL changes to:
https://track.yourdomain.com/track?url=https%3A%2F%2Fyoursite.com%2Fpricing&uid=abc123
Under the hood a CNAME record points track.yourdomain.com to the ESP’s tracking infrastructure. The request still reaches the same server, but the domain visible in the email belongs to you.
Why this matters for deliverability
Gmail, Yahoo, and Outlook inspect the domains inside your email body, not just the From header. If your From domain is yourcompany.com but every link points to click.esp-provider.com, there is a domain mismatch. Filters notice. Three concrete consequences:
- Shared reputation risk. The ESP’s tracking domain is used by every customer on the platform. If another sender gets blocklisted, the tracking domain can end up on URL-based blocklists (SURBL, URIBL). Your emails inherit the hit.
- Domain alignment. DMARC checks whether the domain in the From header aligns with the domains used elsewhere in the message. When links point to a completely different domain, it weakens the overall trust signal. A custom tracking domain on your own root domain (or a subdomain of it) keeps everything consistent.
- Brand trust in the status bar. Recipients who hover over links see the URL. A domain they recognise is more likely to be clicked than a generic ESP subdomain. Click-through rate feeds back into engagement signals that mailbox providers use for placement decisions.
DNS setup: CNAME records
The exact target depends on your ESP. Create these records in your DNS panel (Cloudflare, Route53, DNSimple, or your registrar):
# Mailgun (one CNAME covers opens and clicks) track.yourdomain.com. IN CNAME mailgun.org. # SendGrid track.yourdomain.com. IN CNAME sendgrid.net. # Postmark track.yourdomain.com. IN CNAME pm.mtasv.net. # Brevo (Sendinblue) track.yourdomain.com. IN CNAME tracking.brevo.com. # Amazon SES — CNAME target is a CloudFront distribution you create yourself track.yourdomain.com. IN CNAME d111111abcdef8.cloudfront.net.
After adding the record, verify propagation:
dig CNAME track.yourdomain.com +short # Expected: the ESP's target domain # If you see nothing, wait for TTL expiry or check the record name. # Common mistake: adding "track.yourdomain.com" as the full name # in a DNS panel that already appends the zone — resulting in # "track.yourdomain.com.yourdomain.com".
SSL for the tracking domain
Tracking links must use HTTPS. An HTTP link in 2026 is a spam signal on its own. SendGrid, Postmark, and Brevo provision a certificate automatically once the CNAME is verified. Mailgun requires you to enable SSL in domain settings or upload a certificate. Amazon SES leaves it to you: create the cert in AWS Certificate Manager and attach it to your CloudFront distribution.
curl -sI https://track.yourdomain.com | head -3 # Should return HTTP/2 200 or 301/302 — not a certificate error. echo | openssl s_client -servername track.yourdomain.com \ -connect track.yourdomain.com:443 2>/dev/null | \ openssl x509 -noout -dates -subject
Tracking domain vs return-path domain
These are different records. The tracking domain appears in the body of the email and handles click/open redirects. The return-path (envelope-from, bounce domain) appears in the SMTP envelope and affects SPF alignment. Set up both. Add DKIM on top and DMARC has a consistent picture across every domain reference in your mail:
; Tracking domain (links in the email body) track.yourdomain.com. IN CNAME sendgrid.net. ; Return-path / bounce domain (envelope-from, SPF alignment) bounce.yourdomain.com. IN CNAME sendgrid.net. ; DKIM (signature alignment) s1._domainkey.yourdomain.com. IN CNAME s1.domainkey.u12345.wl.sendgrid.net.
Choosing the subdomain
Common options: track, click, go, email. Avoid reusing a subdomain already serving another purpose (such as your MX), and do not use the bare root domain. If yourdomain.com lands on a blocklist due to tracking issues, your website and corporate email go with it. A subdomain isolates the damage.
Common mistakes
Using the root domain
A CNAME on the apex domain conflicts with other records (MX, A, TXT). RFC prohibits CNAME at the apex. Some providers like Cloudflare work around it via CNAME flattening, but it is still risky for tracking. Use a subdomain.
Skipping SSL
CNAME added, custom tracking domain enabled in the ESP, but SSL not configured. Links go over HTTP or throw a certificate error. Recipients see a browser warning instead of your page.
Cloudflare proxy (orange cloud)
If you use Cloudflare, the tracking CNAME must be set to DNS only (grey cloud), not Proxied (orange cloud). Cloudflare proxying breaks the ESP’s SSL termination and can add latency to every redirect.
One subdomain for two ESPs
A CNAME can only point to one target. If you use Mailgun for transactional email and SendGrid for marketing, you need two separate subdomains: track-tx.yourdomain.com and track-mkt.yourdomain.com.
Forgetting to activate it in the ESP
DNS record created, but the custom tracking domain was never entered in the ESP panel. Emails keep going out with links on the default domain. Check that the subdomain is set in your sending settings.
Verification checklist
# 1. CNAME exists and points to the ESP dig CNAME track.yourdomain.com +short # 2. SSL works curl -sI https://track.yourdomain.com | head -3 # 3. Send a test email and inspect the source # In Gmail: "Show original" → look at links in the body # All URLs must contain track.yourdomain.com, not the ESP domain # 4. Verify SPF, DKIM, DMARC still pass dig TXT yourdomain.com +short | grep spf dig TXT s1._domainkey.yourdomain.com +short dig TXT _dmarc.yourdomain.com +short
Step 3 is the one people skip. Send a test, open the source. One link still on the ESP’s domain means the setup is not done.
In short
- 1.A custom tracking domain replaces the shared ESP domain in your email links with your own subdomain.
- 2.It is a CNAME record in DNS. Setup takes about 10 minutes.
- 3.It removes your dependency on the shared URL reputation of the ESP’s domain.
- 4.It strengthens domain alignment: all domains in the email belong to you.
- 5.Do not forget SSL, a dedicated subdomain, and activation in the ESP panel.
- 6.Set up return-path and DKIM at the same time for full alignment.
DNS is half the job
A custom tracking domain protects link reputation. If the list contains dead addresses and spam traps, no DNS configuration saves inbox placement. Hard bounces damage your domain faster than a neighbour’s blocklist hit. Before sending through your new tracking domain, make sure the list is clean. Upload your list to uChecker and get invalid addresses, risky contacts, and traps flagged in minutes.