Enabling HSTS without proper planning and communication, especially with marketing teams, can lead to various problems. A central issue is that HSTS enforces HTTPS connections, and if existing HTTP links in emails, websites, and marketing materials aren't updated to HTTPS, users experience broken links and a degraded experience. This harms SEO, reduces traffic and conversions, and breaks client campaigns if ESPs are incompatible. SSL mismatch errors can occur if ESPs don't fully support SSL on their click-tracking endpoints. The lack of coordination between IT and marketing results in reactive problem-solving rather than proactive planning. Ensuring a fully functional HTTPS setup and aligning all systems to support HTTPS is essential for a smooth transition.
9 marketer opinions
Enabling HSTS (HTTP Strict Transport Security) without proper planning and communication, particularly with marketing teams, can lead to significant problems. HSTS enforces HTTPS connections, and if existing HTTP links in emails, websites, and other marketing materials aren't updated to HTTPS, users will encounter broken links and a degraded experience. This can negatively impact SEO, reduce traffic and conversions, and break client campaigns if ESPs are not compatible. Coordination between IT and marketing is essential to ensure a smooth transition and avoid disruptions.
Marketer view
Email marketer from Cloudflare explains that enabling HSTS without ensuring that all links and resources resolve over HTTPS can negatively impact SEO. Broken links lead to a poor user experience and may harm search engine rankings. Marketing must be involved to ensure a smooth transition.
2 May 2022 - Cloudflare
Marketer view
Email marketer from Stack Overflow responds that if a website enables HSTS and does not update all internal links to HTTPS, the website will break. The marketing team may see an immediate reduction in traffic and conversions.
13 Oct 2022 - Stack Overflow
3 expert opinions
Enabling HSTS without thorough preparation can lead to broken links and SSL mismatch errors, negatively impacting the user experience. A core issue arises when HSTS is activated without first ensuring all assets, especially those in older email campaigns, are served over HTTPS. Furthermore, if an ESP's click-tracking endpoints don't universally support SSL, users may encounter SSL mismatch errors upon clicking email links. Therefore, it's crucial to verify that all systems are HTTPS-compatible and that HSTS is implemented carefully to avoid these disruptions.
Expert view
Expert from Email Geeks explains that if an ESP's click-tracking endpoints support SSL but don't have it enabled for all customers, enabling HSTS for a domain can result in users encountering SSL mismatch errors when clicking email links, leading to a poor user experience. Some ESPs need to upgrade their systems to ensure HTTPS support is standard for all customers.
21 Nov 2022 - Email Geeks
Expert view
Expert from Email Geeks explains that the problem is people turning HSTS on without ensuring it doesn't break anything.
6 May 2025 - Email Geeks
4 technical articles
Enabling HSTS without proper planning results in accessibility and configuration errors, primarily due to broken links. HSTS enforces HTTPS connections, automatically upgrading HTTP requests to HTTPS. If existing HTTP links in emails and websites aren't updated, users will encounter failed connections and errors, leading to broken user journeys. A fully functional HTTPS setup is a prerequisite, and coordination across teams, particularly with marketing, is essential to ensure all internal and third-party links are updated before HSTS deployment. Incorrect configuration or premature deployment without these considerations leads to accessibility issues.
Technical article
Documentation from Mozilla Developer Network explains that HSTS instructs browsers to only connect to a website over HTTPS. If a user types `http://example.com`, the browser automatically upgrades the connection to `https://example.com`. Without proper planning, existing `http://` links in emails will fail, leading to broken user journeys.
9 Apr 2022 - Mozilla Developer Network
Technical article
Documentation from OWASP explains that while HSTS improves security, incorrect configuration or premature deployment can lead to accessibility issues. If internal or third-party links are not updated to HTTPS, users will encounter errors. Coordination with all teams, including marketing, is vital.
14 May 2024 - OWASP
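A pre-deployment audit along these lines, as an added example that is not from any of the sources quoted on this page: it lists the hosts behind `http://` links in an email that a browser holding the domain's HSTS policy will upgrade to HTTPS, and `tls_ok` then checks whether such a host presents a certificate valid for its name. The sample email, the hostnames and the function names are assumptions made for the illustration.

```python
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body; every hostname here is a placeholder.
SAMPLE_EMAIL = """<a href="http://click.example.com/t/abc">Offer</a>
<img src="http://www.example.com/logo.png">
<a href="https://www.example.com/shop">Shop</a>
<a href="http://partner.example.net/promo">Partner</a>"""

def parse_hsts(header):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    parts = (p.strip().lower().partition("=") for p in header.split(";"))
    directives = {name: value.strip('"') for name, _, value in parts if name}
    return int(directives.get("max-age", 0)), "includesubdomains" in directives

class LinkCollector(HTMLParser):
    """Collect href/src URLs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def hosts_forced_to_https(html, hsts_host, header):
    """Hosts behind http:// links that a browser holding this policy will upgrade."""
    max_age, include_sub = parse_hsts(header)
    if not max_age:  # max-age=0 (or absent) means no policy is in force
        return []
    collector = LinkCollector()
    collector.feed(html)
    forced = set()
    for url in collector.urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        covered = host == hsts_host or (include_sub and host.endswith("." + hsts_host))
        if parts.scheme == "http" and covered:
            forced.add(host)
    return sorted(forced)

def tls_ok(host, timeout=5):
    """Live check: True if host:443 presents a certificate valid for its own name."""
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # covers refused connections and certificate/hostname mismatch
        return False
```

Run `tls_ok` on every host that `hosts_forced_to_https` returns before the header goes live; a click-tracking host that returns False is one where users will see a certificate error after clicking.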