What problems can occur when enabling HSTS without proper planning and communication with marketing teams?
Matthew Whittaker
Co-founder & CTO, Suped
Published 30 Jul 2025
Updated 16 Aug 2025
7 min read
HTTP Strict Transport Security, commonly known as HSTS, is a security mechanism that helps protect websites from certain types of attacks, particularly those that involve downgrading HTTPS connections to less secure HTTP. It essentially tells browsers to always connect to a website using HTTPS, even if a user types HTTP or clicks on an HTTP link. While HSTS is a vital component of modern web security, enabling it without thorough preparation and inter-departmental communication, especially with marketing teams, can lead to significant problems.
I've recently observed a pattern where clients are encountering broken links in their email campaigns after their IT departments implement HSTS without informing the marketing team. This oversight results in a cascade of issues, from broken user experiences to a direct impact on email deliverability and sender reputation. It highlights a critical need for alignment between technical security implementations and marketing operations.
The basics of HSTS and why it matters
At its core, HSTS is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. It forces web browsers to interact with a site only over secure HTTPS connections. When a browser receives an HSTS header from a server, it remembers that the site should only be accessed securely for a specified period, preventing it from ever attempting to connect via HTTP, even if a user explicitly tries to do so. You can learn more about its purpose on Acunetix's blog.
The primary benefit of HSTS is enhanced security. It significantly reduces the risk of man-in-the-middle attacks where an attacker might try to intercept or tamper with unencrypted HTTP traffic. By enforcing HTTPS, HSTS ensures that all communication between the browser and the server is encrypted, protecting sensitive user data and maintaining the integrity of the website's content. This is a crucial step in building a more secure web environment.
However, the 'strict' nature of HSTS is also its double-edged sword. Once a browser receives an HSTS policy, it will strictly adhere to it for the specified duration. This means that if any part of your website, or critically, any external service linked by your website, is still serving content over HTTP, it will immediately break. This often includes email marketing links that haven't been properly configured for HTTPS.
The disconnect: IT vs. Marketing
The most common problem I've encountered is a fundamental lack of communication between IT security teams and marketing departments. IT teams, focused on overall web security, often implement HSTS without fully understanding its pervasive impact on marketing assets like email tracking links and embedded images. These links, if not already configured for HTTPS, will instantly break once HSTS is enforced on the domain.
Marketing teams rely heavily on tracking links to measure campaign performance, from email opens to clicks and conversions. If these links, often managed by Email Service Providers (ESPs), are still generated with HTTP protocols after HSTS is enabled, users clicking them will be met with security warnings or completely broken pages. This directly impacts data accuracy and can lead to a significant loss of valuable insights. This is a common pitfall that also relates to the deliverability impact of non-HTTPS engagement tracking in general.
This leads to frustrating user experiences, where recipients see intimidating browser warnings or simply cannot access the content they were promised. Such issues degrade brand trust and can cause recipients to mark emails as spam, negatively impacting your email deliverability and sender reputation over time.
The communication gap
Implementing HSTS requires a holistic view of all digital assets, including those managed by third-party platforms like ESPs. Without a clear line of communication, IT might secure the main website, but inadvertently break the entire email marketing funnel. This kind of disconnect can be detrimental to ongoing campaigns and long-term marketing strategies. It’s a common issue we see when consequences of using non-HTTPS links in emails aren't fully understood.
Specific problems for email marketing
When HSTS is enforced on your domain, any existing HTTP links within your emails become unusable for recipients who have previously visited your site and had the HSTS policy cached. Their browser will attempt to upgrade the HTTP link to HTTPS, but if the linked resource (e.g., an email tracking domain, image, or landing page) does not support HTTPS, the link will fail. This creates a broken user experience and can lead to a significant drop in engagement metrics.
Email Service Providers (ESPs) often use custom tracking domains for link wrapping and open tracking. If these domains are not properly configured with SSL certificates and set to serve content over HTTPS, enabling HSTS on your primary domain will cause issues. For instance, Chrome blocking mixed content means that even if a link redirects to HTTPS, the initial HTTP call will cause a security warning, impacting how users perceive your brand and the deliverability of your emails. This is why using HTTPS for links and images in email marketing is so important.
Furthermore, if your ESP's tracking endpoints do not fully support SSL for all customers, or if they charge a premium for it, HSTS implementation can create a significant hurdle. Users clicking on links from such ESPs might encounter SSL mismatch errors, further degrading the user experience and potentially increasing bounce rates as receiving servers might flag such emails due to security concerns.
These issues can severely impact your sender reputation, leading to your emails being directed to spam folders or even blocklisted (or blacklisted, if you prefer that term) by internet service providers (ISPs). Maintaining a strong sender reputation is crucial for achieving high inbox placement rates, and neglecting HSTS impacts that reputation negatively.
Aspect
Without proper HSTS planning
With proper HSTS planning
User experience
Broken links, security warnings, decreased trust.
Seamless, secure browsing, enhanced trust.
Tracking & analytics
Inaccurate or missing click and open data.
Reliable tracking for accurate campaign performance.
Perceived as unprofessional or insecure due to errors.
Reinforces brand reliability and security.
Preventing HSTS-related email issues
The most effective way to prevent HSTS-related email problems is to foster robust cross-functional communication. Before implementing HSTS, IT, marketing, and any relevant third-party vendors (like your ESP) should collaborate to understand the full scope of potential impacts. This includes auditing all domains and subdomains used for email tracking, link branding, and content hosting to ensure they are HTTPS-ready.
Ensure your ESP's custom tracking domains and link branding features are fully configured to use HTTPS. Many ESPs, like Salesforce Marketing Cloud, provide options for this. If your ESP has limitations or charges extra for HTTPS, it's essential to factor this into your decision-making process. For help with this, you might find our article on SparkPost link branding issues helpful.
After any HSTS implementation or updates to your ESP settings, conduct thorough testing of your email campaigns. Send test emails to various clients and devices to ensure all links resolve correctly and track as expected. This proactive approach can help you catch and rectify problems before they impact your actual subscribers and campaign performance.
Conclusion: Secure your email marketing, too
Enabling HSTS is a beneficial step for web security, providing a more secure browsing experience for your users. However, the path to a fully secure web presence must consider all facets of your digital operations, especially email marketing.
By prioritizing cross-departmental communication and ensuring that all email-related domains and services are HTTPS-ready, you can leverage the security benefits of HSTS without inadvertently jeopardizing your marketing efforts or customer trust. Proactive planning is key to a smooth transition and successful digital strategy.
Views from the trenches
Best practices
Implement HSTS gradually, starting with a short max-age and no preload, then extending it.
Conduct a comprehensive audit of all email links and tracking domains to ensure they are HTTPS-compliant.
Establish clear communication channels between IT, security, and marketing teams before any HSTS deployment.
Common pitfalls
Activating HSTS without updating existing HTTP links in email templates and campaigns.
Failing to communicate HSTS implementation to the marketing team, leading to broken email links.
Assuming all Email Service Providers (ESPs) automatically support HTTPS for tracking links.
Expert tips
Ensure your Email Service Provider (ESP) supports HTTPS for all aspects of email, including click tracking and image hosting.
If your ESP does not offer automatic HTTPS, consider migrating to one that does or implementing a workaround.
Regularly review your HSTS policy and email configurations to maintain alignment and prevent future issues.
Marketer view
Marketer from Email Geeks says clients have been reporting broken links recently, blaming us, and it turned out their IT teams enabled HSTS without informing anyone, which meant ESP settings weren't updated. They feel like something is driving this recent push to enable HSTS.
2022-10-28 - Email Geeks
Expert view
Expert from Email Geeks says they have not heard of anything specific driving a recent push, suggesting it might be similar to DMARC enablements breaking things, possibly due to a blog post by an 'influencer' or an internal drive without proper planning.
Salesforce Marketing Cloud, provide options for this. If your ESP has limitations or charges extra for HTTPS, it's essential to factor this into your decision-making process. For help with this, you might find our article on SparkPost link branding issues helpful.
