SOLVED

Branded Domain Broke All Email Links

Anonymous
Not applicable

Hey All,

We recently set up a branded domain as per the instructions from Marketo's product docs. http://docs.marketo.com/display/public/DOCS/Configure+Protocols+for+Marketo

IT set up the new CNAME in the DNS record and pointed our new CNAME marketo.armor.com to our tracking link mkto-sjl0027.com

After we changed our Branding Domain in the admin panel to marketo.armor.com all of our email links broke. We simply get a site can't be reached error on any email links.

I know that a DNS update can take 72 hours in some cases but we've checked and it's propagated fully by now.

Any thoughts or help would be greatly appreciated as we are trying to get this resolved as fast as possible.

1 ACCEPTED SOLUTION

Level 10 - Community Moderator

Re: Branded Domain Broke All Email Links

Eh no. You have to open a support case and provide your SSL cert to Marketo, then they install the cert. For a fresh SSL install, this can actually take them some time (like weeks) but I'm assuming you already have SSL on your Marketo LP domain, so it should be fast/faster.


14 REPLIES
Level 10 - Community Moderator

Re: Branded Domain Broke All Email Links

"I know that a DNS update can take 72 hours in some cases but we've checked and it's propagated fully by now."

Actually adding a new CNAME RR to an existing zone is instantaneous. There's no propagation delay.

I do see that marketo.armor.com is pointed to mkto-sjl0027.com.  When you say you're getting a "site can't be reached" (not "the redirect URL is empty") I wonder if this is because you have an internal DNS server that has its own copy of the armor.com zone, and that internal side hasn't been updated by IT. Have you tested from outside your corporate network (including VPN clients)?

Anonymous
Not applicable

Re: Branded Domain Broke All Email Links

Hi Sanford!

Thanks for the reply. Good to know on the propagation timing.

I have tested it inside and outside our network and I get the same result. I've attached a screenshot of what happens when you click a link in one of our Marketo emails.

It's the same for all email links with tracking enabled.

CNAME redirect not working.png

I also ran a DNS check and it shows to be working and updated as intended.

DNS Check.png

"I wonder if this is because you have an internal DNS server that has its own copy of the armor.com zone, and that internal side hasn't been updated by IT."

I'll raise this question with our IT support. I'm stumped as to what the issue could be.

Any additional feedback or ideas are greatly appreciated!

Level 10 - Community Moderator

Re: Branded Domain Broke All Email Links

It's SSL, not DNS, that's the direct problem.

You don't have SSL enabled on your branding domain, but your links are being rewritten to https://.

Anonymous
Not applicable

Re: Branded Domain Broke All Email Links

Ah! Good to know Sanford. A good catch.

Forgive my lack of knowledge here, but do I just need to have our IT team install an SSL certificate on the domain marketo.armor.com?

Level 10 - Community Moderator

Re: Branded Domain Broke All Email Links

Eh no. You have to open a support case and provide your SSL cert to Marketo, then they install the cert. For a fresh SSL install, this can actually take them some time (like weeks) but I'm assuming you already have SSL on your Marketo LP domain, so it should be fast/faster.


Anonymous
Not applicable

Re: Branded Domain Broke All Email Links

Hey Sanford!

I really appreciate your feedback on this. This has really been a challenge and your feedback pointed me in the right direction.

After working with Marketo support, I was told the following...

"The problem is "https". Our tracking server only accepts http but not https. And their own domain would only use https.

They need to allow http for their brand domain.

Your IT team will need to allow http for the branding domain." - Marketo support

After some digging, I learned that HSTS set on the top level domain also can be applied to subdomains through using static_sts_include_subdomains: true in the header.

This forces all subdomains to use HTTPS which according to Marketo, is not compatible with their tracking server.

We are working on a plan to remove static_sts_include_subdomains: true from the top level domain and set HSTS individually for domains in the hopes that this resolves the issue.

Marketo's engineering team is also working with us to resolve the issue.

Here are some supporting docs which led us to the issue.

Why is HTTP being Changed to HTTPS?

nginx - HSTS exclude specific subdomain with "includeSubdomains" - Server Fault

Chrome: how to stop redirect from http:// to https:// - Super User

ssl - Ignore HSTS in browser for a subdomain - Server Fault

Check your Domain's HSTS Settings Here

chrome://net-internals/#hsts

Screen Shot 2017-08-02 at 3.21.22 PM.png

What Google is up to with HTTP

Chrome is helping kill HTTP | TechCrunch

I'll update this post with a final report once we have a resolution and a fix in case anyone else experiences this issue.

Level 10 - Community Moderator

Re: Branded Domain Broke All Email Links

Support's statement is only accurate because they don't have your SSL cert.

Branding domains absolutely support SSL, and yes, the way you force SSL is via HSTS. (The branding domain server will not force the redirect itself.)
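
The HSTS interaction discussed in the two posts above, as an added example that is not part of the thread or of Marketo's code: it parses Strict-Transport-Security values following RFC 6797 and reports which domain's policy forces HTTPS for a given host. The header values are constructed samples, not captured from armor.com, and the function names are hypothetical.

```python
# Added example: which HSTS policy, if any, forces HTTPS for a host (RFC 6797).
# CONSTRUCTED header values; not captured from any real response.
CONSTRUCTED_HEADERS = {"armor.com": "max-age=31536000; includeSubDomains"}


def parse_hsts(header):
    """Parse a Strict-Transport-Security value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is invalid and a browser would ignore it.
    """
    max_age, include_subdomains, seen = None, False, set()
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')   # values may be quoted strings
        if name in seen:
            return None                    # a repeated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored
    if max_age is None:
        return None                        # max-age is required
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def https_forced_by(host, headers_by_domain):
    """Return the domain whose policy forces HTTPS for host, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):       # the host itself, then each parent domain
        domain = ".".join(labels[i:])
        header = headers_by_domain.get(domain)
        policy = parse_hsts(header) if header else None
        if policy is None or policy["max_age"] == 0:  # max-age=0 clears a policy
            continue
        if i == 0 or policy["include_subdomains"]:
            return domain
    return None
```

With the constructed parent-domain header, `https_forced_by("marketo.armor.com", CONSTRUCTED_HEADERS)` returns `"armor.com"`, so a browser that has stored that policy requests the branding domain over HTTPS and the link fails until a certificate is installed there.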

Anonymous
Not applicable

Re: Branded Domain Broke All Email Links

Interesting!

That's a much easier fix than the answer I got from support. I have to say that the way support worded it in the reply, it sounded as though HTTPS wasn't supported at all for branded domains. Thank you for clarifying Sanford.

I'll reach back out to support and get them working on adding our SSL certificate which we do have on our LP domain.

My IT Security team will be glad to hear that's the fix instead of allowing HTTP.

Thank you again!

Level 10 - Community Moderator

Re: Branded Domain Broke All Email Links

Yes, what a frustratingly wrong response to what isn't a particularly obscure question.