Overview & FAQ: Secured Domains for Tracking Links


Note: This document applies to the Marketo Secured Domains for Tracking Links product only.


Every link you include in your Marketo emails will have tracking code automatically appended when sent. For those in highly regulated industries, your company may require that you securely encrypt the Marketo tracking links. Remember that Marketo takes the URLs you place inside of emails and shortens them using the "Branded Tracking Link" domain (this is another CNAME you set up in Marketo under Admin > Email). These tracking links are how Marketo enables you to track engagement with your emails.


Setup instructions: Setting Up Secured Domains for Tracking Links


Do I need to secure my Tracking Links?

If your company (likely IT) has implemented HSTS, you WILL need to secure your tracking links for your recipients' email-to-web-page redirect to function correctly. Additional information on HSTS, including how to check if it's been implemented on your domain, can be found here: SSL: The HSTS Policy and Your Marketo Subdomains.


HSTS is a web server directive companies may choose to enforce which forces all subsequent requests for resources on that domain to be loaded through HTTPS. This is most common for those in highly regulated industries, such as financial and healthcare institutions. Please note, enforcing HSTS does not also convert Marketo tracking links in emails to HTTPS - that must be done via Marketo Support.
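
An added example (not Marketo code) showing why a domain-wide HSTS policy affects a branded tracking subdomain: it parses a Strict-Transport-Security value using RFC 6797 rules and reports whether a browser that has cached the policy would force HTTPS for the tracking host. The hostnames and header values are constructed samples, and the function names are hypothetical.

```python
# Added example: does an HSTS policy set by one host also bind a
# branded tracking-link subdomain? Follows RFC 6797 semantics.

def parse_hsts(header_value):
    """Return (max_age, include_subdomains), or None if the header is unusable."""
    max_age = None
    include_sub = False
    seen = set()
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if name in seen:
            return None                    # RFC 6797: each directive may appear only once
        seen.add(name)
        value = value.strip().strip('"')   # max-age may be sent as a quoted-string
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives are ignored
    if max_age is None:                    # max-age is the one required directive
        return None
    return max_age, include_sub


def tracking_domain_forced_https(policy_host, header_value, tracking_host):
    """True if a browser holding this policy would upgrade tracking_host to HTTPS."""
    policy = parse_hsts(header_value)
    if policy is None:
        return False
    max_age, include_sub = policy
    if max_age == 0:
        return False                       # max-age=0 tells the browser to drop the policy
    policy_host = policy_host.lower().rstrip(".")
    tracking_host = tracking_host.lower().rstrip(".")
    if tracking_host == policy_host:
        return True
    # includeSubDomains covers hosts below the policy host, not siblings
    return include_sub and tracking_host.endswith("." + policy_host)
```

A True result for your tracking CNAME means clicks on an http:// tracking link will be upgraded to HTTPS in browsers that already hold the policy, so the tracking domain needs a valid certificate for the redirect to succeed.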


Other Helpful FAQs

What is Marketo Secured Domains for Tracking Links?

This secures the tracking link domains (which is what makes the URLs appear as HTTPS instead of HTTP) by providing the SSL certificate for each unique domain. Please note that tracking links are NOT the same as your SPF/DKIM domain, which is the domain from which your emails are sent, whereas this is the domain located within your emails that tracks click-throughs.


How many domains can I secure with the Secured Domains for Tracking Links?

Technically, there is no limit to the number of tracking link domains a customer may have. The base Secured Domains offering included on all subscriptions covers the cost to secure your first tracking link domain; however, if you need more, you may simply add additional domains to your contract a la carte, so you only pay for what you need (in contrast to the previous bundled offering). Contact your Marketo Customer Success Manager for more information.


How is the Secured Domains for Tracking Links product different than the Secured Page Services, SSL for Tracking Links service?

Unlike the legacy SSL-only service, Secured Domains not only generates and auto-renews all certificates needed for securing your domains, but provides an exponential layer to what 'secured' entails - it's not just an SSL certificate anymore. For a full explanation of Marketo's Secured Domains offering, and how it differs from just the SSL certificate, please see this Nation Post or check out this Marketo Blog Post about cyber-security and marketing.


What setup/configuration is required before securing my Marketo Tracking Links?

You must configure (brand) your CNAMEs for Email Tracking links. More information here: Brand Your Tracking Links


Can I secure my tracking links without securing my Marketo landing pages?

Technically? Sure. But while secured tracking links have yet to be enforced by email clients, secured landing pages have been enforced by browsers since 2018, which is why we include both in our base bundle. The general public is far more likely to not stick around or enter personal data on an unsecured landing page than they are to not click an unsecured tracking link.


Do I need to provide a TLS/SSL Certificate?

No. Secured Domains moves 100% of the SSL ownership to Marketo - all aspects of procuring, managing and renewing certificates are done automatically without human interaction. In fact, we only allow customer-provided certificates on an exception-only basis, OR if you require an Extended Validation (EV) type certificate.


What Certificate Authority issues the certificate(s) for Marketo's Secured Domains for Landing Pages product?

The certificates are issued by DigiCert.


What type of certificate is provided?

We produce a pack of two certificates. The primary certificate uses a P-256 key, is SHA-2/ECDSA signed, and will be presented to browsers that support elliptic curve cryptography (ECC). The secondary or fallback certificate uses an RSA 2048-bit key, is SHA-2/RSA signed, and will be presented to browsers that do not support ECC.


Will my domains be on a shared SSL certificate with other companies?

As part of our Secured Domains products, each of your fully qualified domain names will get its own certificate. That means you will not be on a shared certificate with other companies.


Can I provide my own SSL certificate(s) to secure my domains?

Not unless it's an Extended Validation (EV) type certificate. Marketo can only automatically renew the certificates we generate to secure your domains.


Are security headers applied to my tracking link domain?

Security headers are applied to tracked links in emails that are sent to your leads. The tracking link domain itself (e.g. https://click.example.com) will not return all security headers. The subdomain itself does not host content and is not intended to be browsed. Marketo Support will not respond to security scans performed on the tracking link domain itself.