When users click links in emails you've sent with Iterable, they're first taken to your link tracking domain. This domain tracks clicks (so you can analyze campaign engagement), sets attribution-related cookies in the browser (to help you measure campaign conversions), and finally redirects your users to their intended destinations.
Iterable's default link tracking domain is
links.iterable.com (US-based projects)
links.eu.iterable.com (EU-based projects).
However, since users may see this domain in your messages (for example, when
hovering over a link), it's a good idea for this link to be associated with your
brand. For example, something like
example.com represents your root domain).
Whatever custom link tracking domain you choose, Iterable will host it. Because of this, you'll need to configure your DNS for this domain (as described below).
For various reasons, you should almost certainly configure your link tracking domains to use HTTPS:
Sites you link to may implement HSTS, which requires incoming requests to use HTTPS. You should enable HTTPS for the initial request from your user's browser to your link tracking domain, and also for the tracking domain's redirect to the intended link destination.
At your link tracking domain, Iterable hosts files related to your mobile deep linking configuration:
assetlinks.json. For deep linking to work, iOS and Android both require these files to be served up using HTTPS.
HTTPS is a security best practice, and should be used whenever possible. Your users expect it.
In this article
To use Amazon CloudFront to implement HTTPS for your link tracking domain, follow these steps:
- Preliminary information
- Step 1: Generate an SSL certificate
- Step 2: Create and configure a CloudFront distribution
- Step 3: Wait for your CloudFront distribution to deploy
- Step 4: Confirm the configuration of your CloudFront distribution
- Step 5: Update your DNS
- Step 6: Set up your tracking domain in Iterable
Amazon CloudFront periodically changes its interface. If you spot any discrepancies in this guide, please let your customer success manager know.
Throughout this article,
<YOUR_LINK_TRACKING_DOMAIN> refers to your selected
link tracking domain. For example, something like
example.com is your root domain).
Step 1: Generate an SSL certificate
First, generate an SSL certificate for the link tracking domain. To do this, use AWS Certificate Manager (ACM) or a similar service. For more information, read Amazon's documentation.
To generate a certificate with AWS Certificate Manager and set up a CloudFront distribution, follow these steps:
If you don't already have one, set up a free AWS account at https://aws.amazon.com/console/.
Navigate to the AWS Management Console, found at https://aws.amazon.com/console/.
In the Security, Identity, & Compliance section, click Certificate Manager.
Click Request a Certificate.
If you've already requested certificates in the past, you'll instead need to click Request in the Certificate Manager.
Choose Request a public certificate and click Next.
Enter the following information:
Fully qualified domain name —
Select validation method — DNS validation - recommended
Tags — (Optional)
- Then, click Request.
On the Certificates page, load your certificate request by clicking the Refresh icon.
To open your certificate, click on its Certificate ID.
Refresh the page until the Domains section populates CNAME name and CNAME value.
In your DNS management tool, add the CNAME record provided by AWS.
In AWS, go back to the Certificates page and wait (for a few minutes) for the certificate Status to change from Pending validation to Issued.
After the certificate has been issued, continue to the next step.
Step 2: Create and configure a CloudFront distribution
To create and configure a CloudFront distribution:
Click Create Distribution.
Configure the distribution using the following settings:
|Minimum origin SSL protocol||TLSv1.2|
|Origin path||Leave blank (default)|
|Add custom header||Leave blank (default)|
|Enable Origin Shield||No (default)|
Default Cache Behavior
|Compress objects automatically||Yes (default)|
|Viewer protocol policy||HTTP and HTTPS (default)|
|Allowed HTTP methods||GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE|
|Cache HTTP methods: OPTIONS||Unchecked (default)|
|Restric viewer access||No (default)|
|Cache key and origin requests||Legacy cache settings|
|Legacy cache settings > Headers||All|
|Legacy cache settings > Query strings||All|
|Legacy cache settings > Cookies||All|
|Legacy cache settings > Object caching||Use origin cache headers (default)|
|Response headers policy||Leave blank (default)|
|Smooth streaming||No (default)|
|Field-level encryption||Leave blank (default)|
|Enable real-time logs||No (default)|
|Price class||Use all edge locations (best performance) (default)|
|AWS WAF web ACL||None (default)|
|Alternate domain names (CNAME)||
|Custom SSL certificate||Import or add the certificate that you created through ACM or through another service.|
|Custom SSL certificate > Legacy clients support||Unchecked (default)|
|Custom SSL certificate > Security policy||TLSv1.2_2021 or choose Recommended|
|Supported HTTP versions||HTTP/2 (default)|
|Default root object||Leave blank (default)|
|Standard logging||Off (default)|
- Once you confirm that everything is correct, click Create Distribution.
Step 3: Wait for your CloudFront distribution to deploy
On the CloudFront Distributions page, your distribution should have an In Progress status with a spinning arrow. When its status changes to Deployed, copy its URL (on the General tab, the Distribution Domain Name). You'll need this when updating your DNS.
Step 4: Confirm the configuration of your CloudFront distribution
To confirm your distribution's configuration, use the
openssl s_client -servername [CNAME] -connect <YOUR_CLOUDFRONT_URL>:443
If the command's output doesn't show your certificate, double-check your distribution's settings in CloudFront.
Step 5: Update your DNS
In your DNS settings, create a CNAME record, using this pattern:
<YOUR_TRACKING_DOMAIN> CNAME <YOUR_CLOUDFRONT_URL>
links.example.com CNAME c66b0cd6312.cloudfront.net
- If you're using Amazon Route 53, it's possible to use an A (alias) record
instead of a CNAME record (as noted in the Amazon Route 53 documentation).
If you plan to use an A record, make sure to pass the
User-Agentheader through, since this allows you to track and record device information.
- You'll need to set up a custom CloudFront distribution for each tracking domain in your project.
Step 6: Set up your tracking domain in Iterable
To set up your link tracking domain in Iterable:
In Iterable, navigate to Settings > Domains and set up a tracking domain (for example,
example.comis your root domain).
If you're using a single sending domain from Amazon SES, set the new tracking domain as the default. Otherwise, your project will continue to use
links.eu.iterable.com) as its default tracking domain.
Edit the new tracking domain, and toggle on Enable HTTPS.
For more information, read Email Setup.