- Every link in your email is rewritten by your ESP to a tracking URL on a shared domain. By default, that domain is shared with every other sender on the platform, including spammers, which exposes your campaigns to reputation damage you did not cause.
- Corporate email security gateways increasingly block, rewrite, or strip generic ESP tracking domains like sendgrid.net, mailgun.org, and rs6.net. Mail still delivers, but the links no longer work and click tracking goes dark.
- A custom tracking domain is a subdomain you control (like links.yourbrand.com) that points via CNAME to your ESP. Setup takes 15 minutes and isolates your tracking reputation from other senders.
- The three most common setup failures are Cloudflare proxy enabled on the CNAME, CAA records blocking SSL provisioning, and SSL/HTTPS not enabled in the ESP after DNS propagates.
- Custom tracking domains improve click rates measurably (typically 5-20%), reduce spam folder placement, and are effectively mandatory for B2B senders whose recipients sit behind corporate filtering.
When you write an email and include a link to your website, that link is not what your recipient sees in their inbox. Your ESP rewrites every URL in the message to a tracking redirect that hits the ESP's servers first, logs the click, and then forwards the user to the destination. This is how click tracking works at every major email platform: Mailchimp, SendGrid, Brevo, Klaviyo, HubSpot, ActiveCampaign, Postmark when configured for it, and dozens of smaller services.
The default tracking redirect uses a domain shared by every customer of that ESP. track.mailchimp.com, click.sendgrid.net, email.brevo.com, trk.klaviyomail.com. Every link in every email from every customer on that platform funnels through the same domain. This made sense when ESPs were small and curated. In 2026, it is a deliverability liability that quietly damages campaigns at most senders who never realize the cost.
This guide explains exactly how tracking domains affect deliverability, what corporate filters do to them, how to set up a custom tracking domain correctly, and the specific configuration bugs that break implementations.
How Link Tracking Actually Works
Every ESP performs the same operation when you send a campaign. As the message is being assembled, the platform parses your HTML, finds every href attribute, and rewrites each URL. A link to https://yourdomain.com/sale becomes something like:
https://click.espdomain.com/CL0/aHR0cHM6Ly95b3VyZG9tYWluLmNvbS9zYWxl/1/01010195a4b8c2d3?token=...The base64 blob encodes your destination URL. The token identifies the specific recipient and campaign. When the recipient clicks, their browser makes a request to click.espdomain.com, the ESP logs the click event, and a 302 redirect sends the browser to your actual destination.
The same rewriting happens for tracking pixels (the invisible image that fires an "open" event), unsubscribe links, web view URLs, and any other instrumented element in the message.
Why Shared Tracking Domains Are a Reputation Liability
The fundamental problem with shared tracking domains is the same as the problem with shared IP pools: you inherit the reputation of every other sender using that domain. The difference is that shared IPs at well-managed ESPs are actively policed and segmented; shared tracking domains usually are not.
When a spammer signs up for an ESP and sends abusive mail, their tracking URLs hit the same domain as yours. Recipients who get phishing or scam email click "Report Spam." Filters analyze the spam and notice that click.espdomain.com appears in malicious traffic. The domain accumulates a negative reputation. Then your perfectly legitimate marketing email arrives with links that resolve to the same domain, and filters apply the accumulated negative reputation to your campaign.
There are three specific failure modes this causes:
Domain-Level Blacklisting
If enough spam flows through a tracking domain, the domain itself ends up on URL blocklists like SURBL, URIBL, Spamhaus DBL, or commercial threat intelligence feeds. Any email containing links to that domain gets filtered as spam regardless of how legitimate the sender is.
SURBL and similar blocklists are checked at delivery time by virtually every mail server in production. A blocked tracking domain can take a sender's inbox placement from 95% to under 30% overnight, with no warning and no way for the individual sender to fix the underlying blocklist entry.
Corporate Filters Stripping or Rewriting Links
Modern secure email gateways (Proofpoint, Mimecast, Microsoft Defender) inspect every link in inbound mail. When they see a generic ESP tracking domain, they often do one of three things: rewrite the URL to wrap it in their own click-time security check, strip the link entirely if the domain reputation is poor, or quarantine the message.
For B2B senders, this is the single most common cause of "the link worked when I tested it but recipients are saying it does not." Your link works because Gmail does not aggressively rewrite generic ESP tracking URLs. The same link in the same email lands at a corporate Outlook recipient running Mimecast, gets rewritten to a Mimecast URL that fails to resolve correctly, and the recipient sees a broken link.
Recipient Trust Damage
When recipients hover over a link in your email and see a URL that does not match your brand, a meaningful percentage hesitate to click. Phishing awareness training has taught users to inspect URLs before clicking, and track.unfamiliardomain.com looks exactly like what a phishing email would use. You lose clicks not because of filtering but because of suspicion.
Critical for B2B senders: Corporate users have been specifically trained to distrust links that do not match the sender domain. A generic ESP tracking domain on an email claiming to be from your company creates exactly the visual signal recipients have been taught to avoid. Custom tracking domains are not a nice-to-have for B2B; they are a baseline trust signal.
What a Custom Tracking Domain Actually Does
A custom tracking domain replaces the ESP's shared domain with a subdomain you control. Instead of links rewriting to click.espdomain.com, they rewrite to links.yourbrand.com. The CNAME you publish in DNS points links.yourbrand.com to the ESP's tracking infrastructure, so clicks still go through the ESP for tracking, but they appear under your domain to recipients and filters.
This produces four concrete benefits:
- Reputation isolation. Your tracking domain's reputation is built solely from your sending behavior, not pooled with thousands of other senders.
- Brand consistency. Links visibly match the sender, increasing recipient trust and click rates.
- Corporate filter compatibility. Branded tracking domains rarely trigger the aggressive link rewriting that generic ESP domains do.
- Resilience against ESP changes. If you change ESPs, you can repoint the CNAME to the new platform without losing the reputation built up under your tracking domain.
How to Set Up a Custom Tracking Domain
Step 1: Pick a Subdomain
Use a dedicated subdomain, not your root domain. Common conventions:
links.yourbrand.comclick.yourbrand.comtrack.yourbrand.comemail.yourbrand.com(often used as a sending subdomain, can also handle tracking)
Do not use your root domain (yourbrand.com itself) for tracking. The root needs to host your website and cannot accept a CNAME at the apex in most DNS implementations. A dedicated subdomain also isolates tracking reputation from your main web presence, which protects your main site if the tracking subdomain ever ends up on a blocklist.
Step 2: Get the CNAME Target from Your ESP
Each ESP provides a specific target hostname for the CNAME. Common targets:
- SendGrid: account-specific, typically
uXXXXXXX.wlYY.sendgrid.net - Mailgun:
mailgun.orgtargets vary by region - Klaviyo:
trk.klaviyomail.comor similar account-specific value - HubSpot:
hubspotlinks.com - Brevo / Sendinblue: account-specific tracking endpoint
- Mailchimp:
servers.mcsv.netor similar
The exact value will be in your ESP's tracking domain settings, usually under "Sender Authentication," "Tracking Domain," or "Click Tracking." Many platforms generate account-specific CNAMEs, so do not copy a value from another account or generic documentation; use the value your ESP gives you for your specific account.
Step 3: Publish the CNAME in DNS
In your DNS provider (Cloudflare, Route 53, Namecheap, GoDaddy, wherever your domain is managed), create a CNAME record:
Type: CNAME
Name: links
Value: uXXXXXXX.wlYY.sendgrid.net
TTL: 3600 (or your default)
Proxy: OFF (Cloudflare-specific, critical)The Name field is just the subdomain portion (links), not the full hostname. Your DNS provider will append your root domain automatically.
Cloudflare gotcha: If your domain is on Cloudflare, you must set the proxy status to "DNS only" (gray cloud), not "Proxied" (orange cloud). The orange cloud setting routes traffic through Cloudflare's reverse proxy, which breaks the ESP's ability to handle the tracking redirects. This single mistake causes the majority of failed custom tracking domain implementations.
Step 4: Verify in Your ESP
Return to your ESP's tracking domain settings and click "Verify" or "Check Status." The platform will perform a DNS lookup on your subdomain, confirm the CNAME points to the expected target, and provision an SSL certificate (typically via Let's Encrypt or AWS Certificate Manager).
This step often takes 5-15 minutes after DNS propagation. If verification fails, the cause is almost always one of:
- DNS has not propagated yet (wait 30 minutes, try again).
- Cloudflare proxy is enabled (switch to DNS only).
- CAA records on your domain are blocking the ESP's certificate authority (add
letsencrypt.orgor whatever CA your ESP uses to your CAA, or remove CAA records). - A pre-existing A record or CNAME conflict on the subdomain (delete the conflicting record).
Step 5: Enable HTTPS in the ESP
Once verification succeeds, ensure the "Use HTTPS" or "Enable SSL" toggle is on in your ESP's tracking settings. Some platforms enable it automatically after certificate provisioning; others require an explicit toggle. HTTPS-only is critical: HTTP tracking links are flagged as insecure by modern browsers and email clients, and corporate filters often block HTTP links outright.
Step 6: Send a Test Campaign
Send a test email to addresses you control across multiple inbox providers (Gmail, Outlook.com, a corporate domain if you have access). In each delivered message:
- Hover over a link and verify the URL shows your custom tracking domain, not the ESP default.
- Click the link and confirm it redirects successfully to the destination.
- Check your ESP's analytics dashboard and confirm the click was logged.
- View the message source (in Gmail, "Show original") and inspect the rewritten URLs to confirm they consistently use your custom domain.
If any test fails, troubleshoot before going live with production campaigns.
Common Mistakes That Break Custom Tracking
Cloudflare Proxy Left Enabled
Covered above but worth repeating because it is by far the most common failure. The orange cloud must be gray for tracking CNAMEs to work.
CAA Records Blocking SSL
If your domain has a CAA record specifying which certificate authorities can issue certificates for your domain, the ESP's certificate provider must be in that list. A CAA limiting issuance to digicert.com when your ESP uses Let's Encrypt will silently fail certificate provisioning. The fix is to add the ESP's CA to CAA or remove CAA entirely if you do not need it.
Mixed HTTP and HTTPS
If your tracking domain serves HTTPS but your destination URLs are HTTP, browsers may warn about mixed content. Always use HTTPS end-to-end.
Different Tracking Domains for Marketing vs Transactional
If you run marketing campaigns and transactional email through separate ESPs (which is best practice), each needs its own tracking domain on a separate subdomain. Using the same custom tracking subdomain across two ESPs requires conflicting CNAME values and will not work.
Forgetting to Update SPF When Adding the Subdomain as a Sender
The tracking domain itself does not need to be in your SPF record because tracking is HTTP traffic, not SMTP. However, if you also use a related subdomain for sending (like email.yourbrand.com), make sure SPF, DKIM, and DMARC are properly configured for the sending subdomain. Confusing these two roles causes subtle authentication bugs.
If you operate multiple ESPs, use unambiguous subdomain naming: links-marketing.yourbrand.com for your marketing ESP, links-transactional.yourbrand.com for your transactional ESP. This makes troubleshooting trivial when something breaks and lets you change one ESP without touching the other.
Monitoring Your Tracking Domain Reputation
Custom tracking domain reputation builds over time the same way IP and domain reputation do. Once set up, monitor it the same way you monitor other reputation signals:
- Check URL blocklists (blacklist checker tool) periodically for your tracking subdomain. SURBL, URIBL, and Spamhaus DBL are the most consequential URL blocklists.
- Watch for click-rate changes after deliverability incidents. A sudden drop in click rate without a corresponding drop in inbox placement often indicates link-level filtering on your tracking domain.
- Test inbox placement across multiple corporate environments quarterly. Tracking domain issues often appear first at corporate receivers because their gateway filtering is more aggressive about URL inspection.
- If your ESP provides tracking domain health reports (some larger platforms do), review them monthly for warning signs.
Frequently Asked Questions
If you are sending pure B2C marketing to Gmail and Yahoo recipients, the impact of staying on shared tracking is modest. If you are sending to B2B recipients, the impact is significant because corporate filters scrutinize tracking domains aggressively. Even for B2C, a custom tracking domain protects you from future incidents where a spammer on your ESP damages the shared domain reputation overnight.
No. Historical click data stays in your ESP regardless of which tracking domain handles future clicks. The switch only affects new campaigns sent after the change. Old campaigns continue to use the tracking domain they were sent with, so links in already-delivered emails continue to work.
No, because tracking is HTTP traffic, not SMTP. The tracking domain is only used by recipient browsers when they click links, not by mail servers when handling the message itself. SPF, DKIM, and DMARC apply to the sending domain in the From header and the envelope sender, neither of which is affected by your tracking domain choice.
DNS CNAME propagation typically completes within 15-60 minutes but can take up to 24-48 hours in rare cases depending on caching at recursive resolvers. SSL certificate provisioning at the ESP usually adds another 5-15 minutes after DNS propagates. If verification fails immediately after setup, wait an hour and try again before assuming the configuration is wrong.
No. A CNAME can only point to a single target hostname, so the same subdomain cannot route to two different ESPs simultaneously. Use a different subdomain for each ESP (for example, links-mc.yourbrand.com for your marketing ESP and links-tx.yourbrand.com for your transactional ESP). This also has the side benefit of letting you switch one ESP without affecting the other.