What problems can occur when enabling HSTS without proper planning and communication with marketing teams?

Key findings

• Communication gap: Many IT and security teams enable HSTS without informing marketing departments, leading to unexpected problems.
• Broken links: Email tracking and embedded content links, often configured as HTTP, cease to function correctly when HSTS forces HTTPS-only connections for the domain.
• User experience degradation: Recipients encounter broken links or security warnings, which can erode trust and negatively impact brand perception.
• ESP compatibility: Some email service providers (ESPs) may not default to HTTPS for all tracking or link branding, or may even charge a premium for it, complicating HSTS adoption.
• Mixed content issues: HSTS exacerbates mixed content warnings by strictly enforcing HTTPS, causing problems if any email assets remain HTTP.

Key considerations

• Cross-functional collaboration: Establish clear communication channels between IT, security, and marketing teams before any major web security changes like HSTS are implemented.
• Pre-implementation audit: Conduct a thorough review of all email links, images, and embedded content to ensure they are HTTPS compliant prior to enabling HSTS. For more on the technical side, consider reviewing what is HSTS.
• ESP configuration: Verify that your email service provider supports and defaults to HTTPS for all tracking links and custom domains, updating settings as necessary.
• Proactive updates: Update all email templates and link structures to use HTTPS to prevent broken links post-HSTS activation. This is also important for why HTTPS is important for email marketing.
• Lessons from DMARC: Recognize that HSTS implementation issues parallel challenges faced with DMARC implementation, emphasizing the need for thorough testing and coordination.

Key opinions

• Unforeseen impact: Marketers frequently express surprise and frustration when security updates like HSTS are rolled out without their knowledge, causing immediate campaign disruption.
• Client blame: Agencies and marketing teams often find themselves blamed for broken links, even when the root cause is an uncommunicated IT security change.
• Incomplete HTTPS adoption: Many marketers note that HTTPS is still not universally enabled across all marketing assets or by all ESPs, leading to vulnerabilities when HSTS is activated.
• Cost barriers: Some marketers report that certain ESPs may still charge additional fees for HTTPS link tracking, which can deter adoption.
• Security warnings: Mismatched protocols between HSTS-enforced domains and HTTP email links can trigger browser security warnings, deterring user engagement.

Key considerations

• Advocate for full HTTPS: Marketing teams should push for complete HTTPS adoption across all web and email assets to prevent mixed content issues. This includes addressing non-HTTPS engagement tracking.
• Verify ESP capabilities: Ensure your ESP supports and automatically implements HTTPS for all links, especially tracking and branded domains.
• Internal communication protocols: Work with IT and security to establish protocols for notifying marketing of any changes to domain security that could impact email links.
• Proactive testing: Implement testing procedures for email links after any website or security updates, similar to how one might address Chrome blocking mixed content.
• Educate stakeholders: Educate IT and security teams on the direct impact of HSTS on email deliverability and marketing effectiveness. More information can be found on fixing mixed content warnings.

Key opinions

• Implementation, not HSTS, is the problem: HSTS is a robust security feature, but unintended consequences arise from enabling it without thorough preparation and cross-functional coordination.
• DMARC parallels: The issues with HSTS implementation mirror past challenges with DMARC, where security initiatives inadvertently caused email deliverability breakdowns.
• ESPs lagging: Some ESPs are perceived as behind the curve in universally adopting HTTPS for all click-tracking and branded links, contributing to the problem.
• SSL mismatch errors: When HTTP links are served from an HSTS-enabled domain, users encounter critical SSL mismatch errors, creating a highly negative and alarming experience.
• Undisclosed changes: Security teams often implement HSTS without informing marketing, directly leading to broken links and client complaints.

Key considerations

• Holistic planning: Ensure all web properties, including email links and tracking domains, are HTTPS compliant before deploying HSTS. For more about HSTS, consider what HSTS is used for.
• Vendor responsibility: ESPs must step up to universally support HTTPS for all clients and email functionalities, eliminating the need for manual configurations or premium charges.
• Comprehensive testing: Thoroughly test email links and their redirection behavior after any HSTS or SSL certificate changes to prevent broken experiences.
• Inter-departmental synergy: Foster better collaboration between IT/security and marketing to proactively address potential deliverability impacts of security measures. Similar issues can arise during new IP and subdomain warmup.
• Proactive problem solving: Address potential issues like DMARC implementation with the same level of caution and communication.

Key findings

• Mandatory HTTPS enforcement: HSTS is a security mechanism that compels web browsers to interact with a site exclusively over HTTPS, preventing insecure connections.
• Protection against attacks: Proper HSTS implementation safeguards against downgrade attacks, SSL-stripping, and man-in-the-middle attacks.
• Mixed content warnings: These warnings occur when a secure HTTPS page attempts to load insecure HTTP content, leading to a degraded user experience and potential security risks.
• Risk of non-HSTS: Without HSTS, applications remain vulnerable to various exploits, including cookie-hijacking attacks, compromising user data.

Key considerations

• Full HTTPS migration: All website content, including external scripts, images, and embedded resources, must be served over HTTPS before HSTS implementation. Learn more about the lack of HSTS vulnerabilities.
• Subdomain consideration: When enabling HSTS, decide whether to include subdomains (using the includeSubDomains directive), ensuring all are HTTPS compliant to avoid issues like broken links impacting Gmail deliverability.
• Preload list implications: Submitting a domain to the HSTS preload list makes the policy permanent for major browsers, making rollback extremely difficult if issues arise.
• Continuous monitoring: Regularly monitor for mixed content warnings and ensure all link protocols align with HSTS policies.