Using a Reverse Proxy for HTTPS Tracking Domain

November 19, 2019


SparkPost supports secure tracking domains through the use of content delivery networks (CDNs), reverse proxies, or any method where the customer can host the necessary SSL/TLS certificates. We recommend that customers use SSL: it provides secure transport for engagement data and is necessary to support SparkPost engagement tracking with Google’s AMP for Email. A support article outlines the use of a CDN with SparkPost, but this post demonstrates how to configure a SparkPost tracking domain, provision an SSL certificate, and use it immediately at SparkPost using a simple reverse proxy.


There are a few prerequisites for this post. First, you need a Linux server that is exposed to the internet and, if you want to automate certificate creation using Let’s Encrypt, is configured as the endpoint for your tracking domain in DNS. This needs to be done before actively using your domain at SparkPost, as changing the DNS while the domain is already in use could break your current engagement tracking. If you already have certificates, you can wait and switch DNS at the end, once all the work is completed, to prevent any interruption in service. This example uses a t2.micro Ubuntu instance on Amazon Web Services and a tracking domain that is CNAME’d to the instance’s public IPv4 DNS.

Also, it is expected that you have root access on this server for installing software, etc., and that you are using a modern Linux OS with a package manager (I’ll be demoing on Ubuntu 16.04).


This article uses nginx. It is easy to install and configure as a reverse proxy, and Let’s Encrypt supports it out of the box for SSL certificates. To install nginx, follow the guidelines for your Linux distribution.


You may have to perform an apt-get update prior to installing.

On a Debian distribution, the previous command will install nginx with a sample configuration, located at /etc/nginx/. To enable a reverse proxy back to SparkPost for your tracking domain, see the sample configuration file below (sample tracking domain is

Creating this file in /etc/nginx/conf.d and executing an nginx reload will make the configuration live.

At this point, if your DNS points to this nginx server, you should be able to verify the tracking domain in SparkPost. Add your desired tracking domain to your SparkPost account, either through the user interface or the API. Once it is verified, you can associate the tracking domain with a sending domain and manually test the tracking links with cURL commands. The following example is a simple cURL command to send an email through SparkPost with engagement tracking enabled:

Once the email is successfully delivered, you should be able to click the link and be successfully redirected. If any issues arise, one way to debug is to right-click the tracking link in the email and choose “Copy Link Address” for use in a cURL command. This method can show additional information about the HTTP session.

The last step is to get the necessary SSL certificates in place so that you can enable HTTPS on your configured tracking domain. As mentioned before, Let’s Encrypt can be used to provision free SSL certificates. These steps are very well outlined by nginx in this article. Following these steps, you should be able to get free SSL certificates installed on your nginx server for the desired tracking domain defined in the server.conf. One note: after the certificates are created, you will be asked if you wish to redirect HTTP to HTTPS. It is recommended that you do not redirect, as you may wish to change your tracking domain back to HTTP in the future if it becomes necessary.

Once completed, you can set your tracking domain to “secure” using the tracking domains API. This makes any new emails using your associated tracking domains use HTTPS rather than HTTP. Wait a few minutes for propagation, usually around 5 minutes, and send another test email. You should see that your link now starts with https instead of http. Again, you should be able to click the link and be redirected to SparkPost. You could also use the cURL approach mentioned above and see your certificate authenticated.
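The two cURL checks described above (the redirect test over HTTP and the later certificate check over HTTPS) can be scripted. This is an added example, not part of the original article; the function names and the `track.example.com` link are placeholders, and the link to test is the address copied from a delivered test email.

```shell
#!/bin/sh
# Added example. Usage: sh check_link.sh 'http://track.example.com/f/a/TOKEN'
# (placeholder link; paste the address copied from a delivered test email).

# classify_result HTTP_CODE SSL_VERIFY_RESULT REQUEST_URL REDIRECT_URL
# Turns curl's --write-out fields into a one-line verdict.
classify_result() {
    code=$1 verify=$2 url=$3 redirect=${4:-}
    case $url in
        https://*) scheme=https ;;
        *)         scheme=http ;;
    esac
    # A non-zero ssl_verify_result means certificate verification failed.
    if [ "$scheme" = https ] && [ "$verify" != 0 ]; then
        echo "FAIL cert-not-verified"; return 1
    fi
    # curl reports 000 when no HTTP response arrived (DNS, connect, timeout).
    if [ "$code" = 000 ]; then
        echo "FAIL no-response"; return 1
    fi
    # A working tracking link answers with a redirect to the original URL.
    case $code in
        30[12378])
            if [ -z "$redirect" ]; then
                echo "FAIL redirect-without-location"; return 1
            fi
            echo "OK $scheme -> $redirect" ;;
        *)
            echo "FAIL unexpected-status-$code"; return 1 ;;
    esac
}

# check_tracking_link URL: one request, redirects not followed, so the
# answer inspected is the one served through the reverse proxy.
check_tracking_link() {
    out=$(curl -s -o /dev/null --max-time 10 \
        -w '%{http_code} %{ssl_verify_result} %{redirect_url}' "$1") || true
    read -r code verify redirect <<EOF
$out
EOF
    classify_result "$code" "$verify" "$1" "$redirect"
}

if [ "$#" -gt 0 ]; then
    check_tracking_link "$1"
fi
```

Run it once with the http link before enabling the “secure” setting and again with the https link afterwards; a `FAIL cert-not-verified` result points at the certificate installed on the proxy rather than at SparkPost.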

  • Now that you have https tracking domains, you are ready to begin using SparkPost engagement tracking with your AMP emails.
  • You can use a CDN with SparkPost tracking domains as an alternative to a reverse proxy.
  • Set up engagement tracking with the SMTP API for your SMTP traffic to SparkPost.