SSL at Braze
Secure Sockets Layer (SSL) encrypts traffic to a URL served over HTTPS, instead of the less secure HTTP. HTTPS in a URL indicates that a valid and trusted SSL or TLS certificate exists, and that the website is safe to visit and isn’t a source of dangerous malware.
Why is SSL important?
While most domains do not require SSL, Braze strongly recommends using SSL for these key reasons.
Securing your website and links with SSL is a common practice even for companies that don’t deal directly with sensitive customer information. Users are more trusting of links that are secured with SSL, and the additional layer of authentication helps protect your data.
Necessary for click and open tracking
At Braze, when we send out emails, we first transform your links using your branded link tracking subdomain to track user clicks and opens. By default, these links will begin with HTTP. This means that users with a browser or extension that restricts non-secure traffic may have difficulty passing through the redirect before landing at the destination URL, even if the URL is secure. This can lead to broken images and inaccurate click and open tracking throughout your emails. For this reason, it is a best practice to apply an SSL layer to the link tracking subdomain to confirm secure redirects in your emails.
Browser requirement
SSL protocols are becoming more prevalent today as major browsers like Google Chrome are starting to restrict traffic through non-secure URLs to protect their users. Companies with SSL on their website confirm with these major browsers that their content is trusted, minimizing content viewing issues like broken links and images in their emails.
HSTS domains requirement
Regardless of which browsers your users may be accessing your emails from, you must set up SSL if you have an HTTP Strict Transport Security (HSTS) domain and configure a CDN to send the necessary security certificates. Failure to set up SSL will cause both image and web links to break.
Acquiring an SSL certificate
You can acquire an SSL certificate by using a third party, usually a Content Delivery Network (CDN). A CDN can host the SSL certificate and serve it to the browser any time one of your links is clicked. This is done by redirecting the traffic through the CDN to apply necessary certificates before sending it through to our email partners SendGrid or SparkPost.
To get started with your SSL setup, reach out to your Braze customer success manager to initiate a full Braze email setup.
After Braze has initiated this setup, follow these steps:
- Braze will provide DNS records to add to your domain registry.
- Braze will verify if records have been added to your registry correctly.
- After this, you’ll select a CDN and obtain SSL certificates from a third-party provider.
- At this point, you’ll set up your CDN. Note that Braze will not be able to help troubleshoot CDN configuration. Reach out to your CDN provider for any further assistance.
- Reach out to your customer success manager to get SSL turned on.
What is a CDN, and why do I need it?
A content delivery network (CDN) is a platform of servers that help ensure quick load times of high-quality content across multiple mediums while also handling security certificates.
CDN configuration always follows after getting your DNS records validated by Braze. If you have not yet initiated this step, reach out to your customer success manager for more information on how to get started.
At Braze, to do click and open tracking, our delivery partners transform links using a branded subdomain, and the CDN applies the SSL certificate to those newly transformed links. Often, our delivery partners are required to present valid and trusted certificates to your email recipient’s browser for links and images to display correctly. Because Braze doesn’t request or manage such certificates, this must be set up on your end through a CDN.
If you are unable to or don’t wish to use the CDNs listed when setting up SSL for click and open tracking, you may set up a custom SSL configuration. Note that alternate CDNs or custom proxies may result in a more complex and nuanced setup. Refer to the SendGrid and SparkPost articles on this topic.
Additional resources
For further assistance with troubleshooting your CDN configuration, you must reach out to your CDN provider.
The following table includes step-by-step guides written by SendGrid and SparkPost on how to configure certain CDNs. While your specific CDN may not be listed, you must make sure your CDN has the ability to apply SSL certificates.
SendGrid | SparkPost |
---|---|
AWS Cloudfront, CloudFlare, Fastly, KeyCDN | AWS Cloudfront, CloudFlare, Cloudfront, Fastly, Google Cloud Platform, Microsoft Azure |
Troubleshooting
While CDN configuration, certificates, and proxy issues should be handled with your CDN, here are some general troubleshooting tips to help identify common issues with SSL click tracking setup.
Domain registry issues
A dig command can tell you whether you are pointing your link tracking at the CDN. This can be done in your terminal by running `dig CNAME link_tracking_subdomain`. After the command is run, under `ANSWER SECTION`, it should list where your CNAME is pointed to. If it is pointed to your chosen email service provider (SendGrid or SparkPost) and not your CDN, try reconfiguring your domain registry to point to your CDN.
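The check above can be scripted, as an added example that is not part of the Braze documentation: the function reads dig output and reports whether the CNAME target is your CDN or still the email service provider. The suffixes `sendgrid.net` and `spgo.io`, the hostnames, and the sample dig output are assumptions constructed for illustration; substitute the values from your own providers.

```shell
#!/bin/sh
# Added example: classify where a link tracking CNAME points, from dig output.
# Assumptions (not from the page): SendGrid targets end in sendgrid.net,
# SparkPost targets end in spgo.io; the CDN suffix comes from your CDN provider.

# classify_cname <cdn_suffix>: reads `dig CNAME <subdomain>` output on stdin.
# Prints "cdn <target>", "esp <target>", "unknown <target>" or "no-cname".
classify_cname() {
  cc_suffix=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')
  # Answer records look like: name TTL IN CNAME target. Skip ';' comment lines.
  cc_target=$(awk '$1 !~ /^;/ && $4 == "CNAME" { print $5; exit }' | tr 'A-Z' 'a-z')
  cc_target=${cc_target%.}            # drop the trailing root dot
  if [ -z "$cc_target" ]; then
    echo "no-cname"                   # nothing in the ANSWER SECTION
    return 0
  fi
  case "$cc_target" in
    "$cc_suffix"|*."$cc_suffix") echo "cdn $cc_target" ;;
    sendgrid.net|*.sendgrid.net|spgo.io|*.spgo.io) echo "esp $cc_target" ;;
    *) echo "unknown $cc_target" ;;
  esac
}

# Constructed sample dig output (hypothetical hostnames, not real records).
SAMPLE_ESP='; <<>> DiG <<>> CNAME link.example.com
;; QUESTION SECTION:
;link.example.com.  IN CNAME
;; ANSWER SECTION:
link.example.com. 300 IN CNAME sendgrid.net.'

SAMPLE_CDN=';; ANSWER SECTION:
link.example.com. 300 IN CNAME abc123.cdn.example.net.'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_ESP" | classify_cname cdn.example.net
printf '%s\n' "$SAMPLE_CDN" | classify_cname cdn.example.net

# Live use (requires network access and dig):
#   dig CNAME link.example.com | classify_cname cdn.example.net
```

An `esp` result after you have configured your CDN means the domain registry still points at the email service provider, which is the case the paragraph above describes.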
CDN issues
If your live email links start breaking during setup, this generally means you’ve pointed your DNS toward your CDN without it being properly configured. This can appear as a “wrong link” error. Reach out to your CDN provider and review their documentation to help troubleshoot your CDN configuration.
SSL enablement status
If you have completed your SSL setup and your links still appear as HTTP and not HTTPS, contact your Braze customer success manager to make sure SSL has been enabled by Braze. SSL can only be enabled by Braze after all aspects of your SSL setup have been completed.