Skip to main content
All CollectionsAdministration TrackOutreach Settings
Improving Deliverability with a Custom Tracking Domain
Improving Deliverability with a Custom Tracking Domain
Paul May avatar
Written by Paul May
Updated over a week ago

You can set up a custom tracking domain in BuzzStream so that you can use your own domain when tracking email opens and clicks. This offers a number of advantages over using the standard BuzzStream tracking domain, primarily by giving you more control over email deliverability and reputation management.

How to set up custom domain tracking

Setting up a custom tracking domain is fairly straightforward. To begin, just go to your BuzzStream settings:


From there, click “Tracking Options” on the left hand menu. Note that this section is only available to the admin of your BuzzStream account. If you don't see the that tab in your settings, contact your BuzzStream admin so they can continue with setup.


Now, just click “Add Domain” and follow the instructions in the new window.


One important thing to note: in order to create a custom tracking domain, you need to create a subdomain for your site (e.g. “”). Then, you’ll need to create a CNAME DNS record pointing to This may require you to get in contact with your domain manager if you don’t have these permissions.

Once you’ve created your sub-domain, add the tracking domain to the field at the top of the window, then hit Validate. BuzzStream will list the tracking domain below, as well as whether it’s valid or not and which emails are associated with that domain.

DNS changes may take a while to propagate. Please allow up to 48 hours for the change to take effect (though usually it will be much faster). We will automatically start using the domain once we see the changes, even if it doesn't pass validation when initially added.

Custom domain tracking behavior

Once you've set up your custom domain, we will use it to track your opens and clicks as well as use it in any unsubscribe fields you've set up.

We will regularly validate your sub-domain, so if it disappears for any reason we will revert back to our standard BuzzStream tracking domain for future emails. However, emails that have already been sent using the custom domain will not register future events once the DNS is removed.

Configuring your custom domain with SSL (optional)

After you've set up your custom tracking domain, it will be hosted on your domain, but on HTTP rather than HTTPS. No personal information is transmitted, and our tracking links do not impact the encryption (or lack thereof) of a link's target page.

However, it's becoming increasingly common to require all traffic to be encrypted over HTTPS, and it's possible that your organization enforces this through something called HTTP Strict Transport Security (HSTS). If this is the case, then the browser will automatically convert HTTP links to your tracking sub-domain to HTTPS links. When recipients click on tracked links, they will get a message saying that the page they are being directed to is unsafe. Setting up SSL for your custom domain will prevent this from happening, but is a bit more complicated and will require some additional work.

This is what the message looks like in Chrome:

Note: If you created a CNAME record that points to, you may need to delete this in order to support HTTPS links properly. Its replacement will depend on the setup chosen below.

There are two ways to set up SSL for your custom domain:

  • Use a flexible SSL (using a third party DNS provider like AWS CloudFront or CloudFlare)

  • Use your own SSL certificate (using a TLS Termination Proxy)

How to configure SSL with your DNS provider

Some DNS providers, like Cloudflare, support SSL certificates directly. There are many different providers, and each is configured differently. Please refer to your specific providers' documentation for instructions on how to protect the sub-domain.

How to configure SSL with AWS CloudFront

If your organization uses AWS, it's possible to use their CloudFront product to protect your sub-domain.

Go to the CloudFront section of the Management Console and select the 'Create Distribution' button. This will take you to the 'Create Distribution' page. You'll begin by entering the 'Origin Settings'.

  1. In the 'Origin Domain' field, enter This will populate the 'Name' field with the same URL.

  2. Make sure that the 'Origin Protocol Policy' is set to HTTP Only and the port is set to 80.

Next, you'll configure the cache settings.

  1. Set 'Viewer protocol policy to 'Redirect HTTP to HTTPS'.

  2. Set 'Allowed HTTP methods' to 'GET, HEAD, OPTIONS' and leave the "OPTIONS" checkbox unselected.

  3. Set 'Cache key and origin requests', to 'legacy cache settings'. For the sub-options under this, select the following:

    1. Headers: None

    2. Query Strings: All

    3. Cookies: None

    4. Object caching: 'Use origin cache headers

In the 'Web Application Firewall' section, select either 'enable security protections' (uses AWS' Web Application Firewall' to block vulnerabilities) or 'Do not enable security protections.

Finally, you'll configure the Distribution Settings (in the section labeled 'Settings'.

  1. In the 'Alternate Domain Names' field, enter your custom tracking domain

  2. Choose an SSL certificate, either provided by AWS (suggested) or by uploading your own.

  3. Under 'Custom SSL certificate', either select one of the certificates provided by AWS (suggested) or by uploading your own.

  4. Click 'Create Distribution' to finish.

At this point it will take some time for AWS to finish creating and deploying the Distribution. Once that is done, update your DNS to include a CNAME record pointing your custom tracking sub-domain to the Distribution's Domain Name (you do this in place of adding the CNAME pointing directly to our tracking domain).

How to configure your own SSL certificate (using a TLS Termination Proxy)

The SSL certificate used by your custom tracking domain is a shared certificate signed by your DNS provider. It uses SNI (Server Name Indication) to secure your site.

If you wish to host your own security certificates, you can do so through a TLS termination proxy. You’ll need to edit the configuration file on your proxy webserver. Once the proxy server is configured, add/update the DNS record for your tracking sub-domain to point to your proxy.

Here are the basic instructions to set up your own SSL using Apache and Nginx webservers:


# Prerequisites: mod_ssl, mod_proxy and mod_proxy_http should be enabled

# Step 1: Acquire an SSL certificate and private key (e.g.

# Step 2: Set up Apache proxy settings, example below.
# Step 3: Set custom tracking domain in BuzzStream's settings
# Step 4: Make sure your custom domain's DNS record resolves to your Apache server

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName # specify your custom domain here

# Set SSL options for your own domain
SSLEngine on
SSLCertificateFile /path/to/your/fullchain.pem
SSLCertificateKeyFile /path/to/your/privatekey.pem

# Proxy SSL options
SSLProxyEngine on
SSLProxyVerifyDepth 10
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off

# Set up the reverse proxy to BuzzStream
ProxyPreserveHost On
ProxyPass /
ProxyPassReverse /


# Prerequisites: ngx_http_ssl_module and ngx_http_proxy_module should be enabled

# Step 1: Acquire an SSL certificate and private key (e.g.

# Step 2: Set up Nginx proxy settings, example below.
# Step 3: Set custom tracking domain in BuzzStream's settings
# Step 4: Make sure your custom domain's DNS record resolves to your Nginx server

resolver; # use own DNS server if you have one

server {
listen 443 ssl;

server_name; # replace this with your domain

ssl_certificate /path/to/your/fullchain.pem;
ssl_certificate_key /path/to/your/privatekey.pem;

location / {
# using "set" is important as IP addresses of BuzzStream servers
# changes dynamically. "set" enables nginx to follow dynamic IPs
set $buzzstream "";
proxy_set_header Host $host;
proxy_pass $buzzstream;

Deliverability best practices

If you’re interested in learning more about email deliverability in general, check out these resources:

SendGrid’s Email Deliverability Guide
MailChimp’s How to Avoid Spam Filters
Our best practices around sending emails in bulk

In addition to reading up on deliverability best practices, you can also use services like Litmus to keep track of your spam score across different services.

Did this answer your question?