Why are click tracking links from my ESP being blocked as dangerous?

Key findings

• Shared domains: A common cause of blocked click tracking links is when an ESP uses shared domains for click tracking across many customers. If one customer's account or link path on that shared domain becomes compromised (e.g., hosting a phishing site), all other customers using the same shared domain may also experience their links being flagged as malicious.
• Reputation spillover: The reputation of a click tracking domain is critical. If the domain itself, or the IP address it resolves to, has a poor reputation due to past abuse or spam, security software will be more likely to block its links. This can occur even if your specific sends are legitimate, as the blocklist might be for the shared infrastructure.
• Security software behavior: Security tools, like Norton, often employ sophisticated algorithms to detect suspicious URLs. They may flag links based on known malicious patterns, the domain's history, or real-time threat intelligence. These systems can sometimes produce false positives, but typically, a flagged link indicates a genuine concern.
• Lack of differentiation: Some ESPs might not sufficiently differentiate link tracking paths between customers. This means a malicious parameter from one customer's URL could potentially be applied to another customer's URL, leading to widespread blocking.

Key considerations

• Dedicated click tracking domains: To mitigate the risks of shared domains, consider setting up a dedicated click tracking domain. This gives you greater control over your link reputation and isolates you from issues caused by other ESP customers. Klaviyo's support documentation suggests this as a solution when shared click tracking domains are blocked.
• Proactive submission: If your links are being flagged, you or your ESP should proactively submit the click tracking domain to major security providers (e.g., Norton, Palo Alto Networks, Bluecoat, Brightcloud) for re-evaluation or re-categorization. This can help clear your domain's reputation faster.
• Website security audit: Even if the issue appears to be with the tracking link, conduct a thorough security audit of your own website and any content linked in your emails. There's a chance your site has been compromised, leading to the flagging.
• Understand ESP practices: Communicate with your ESP to understand their click tracking domain management practices. Confirm whether your domain is truly isolated or if it shares infrastructure in a way that could lead to reputation issues.
• Domain reputation management: Monitor your click tracking domain's reputation using various tools. A good reputation for all domains involved in your email sending, including those for tracking, is key to avoiding blocklists and ensuring deliverability.

Key opinions

• Proactive submission is key: Marketers who've faced similar problems emphasize that submitting click tracking domains directly to security providers for re-evaluation is an effective way to address blockages. This proactive step helps to clear the domain's standing.
• Custom domains offer control: Some marketers prefer to set up their own dedicated click tracking domains rather than relying solely on those provided by their ESPs. This approach offers more control and can prevent issues arising from shared domain blocklists.
• ESP role is crucial: The ESP plays a significant role in managing click tracking infrastructure. If an ESP's shared click tracking domain is compromised, it can impact all customers using that domain, making it essential to work closely with them.
• Check all links: It's not just about the ESP's domain. If your emails contain third-party links to your website, those too could trigger warnings if your site has issues, or if the third-party content is flagged.

Key considerations

• Investigate immediately: When users report blocked links, promptly use online URL checkers from security software providers to gain insight into why the links are flagged. This initial investigation can guide subsequent actions.
• Collaborate with your ESP: If your ESP hosts your click tracking domain, work with them to request re-evaluation from security vendors. They may have established processes for this.
• Consider warming up new IPs carefully: If your ESP suggests warming up a new IP for your click tracking domain, question this approach carefully, as it is generally uncommon for click tracking IPs and may indicate a deeper issue or misdiagnosis. Klaviyo's documentation highlights the importance of dedicated click tracking for avoiding issues, not IP warming.
• Monitor blocklists: Regularly check email blocklists (blacklists) for your sending domains and any associated click tracking domains. Early detection can prevent widespread blocking.

Key opinions

• Shared path vulnerability: Experts highlight that if an ESP's click tracking domain shares paths across multiple customers (e.g., link.customer1.example/URLSTUFF), a compromise on one customer's part can lead to all customers being blocked. This is a critical security vulnerability.
• False positives are rare: While false positives can occur, experts generally agree that if a link is flagged as malicious, there's a strong likelihood of an actual compromise or a serious underlying issue. It warrants a thorough investigation by security professionals.
• Google's granular approach: Google's ability to differentiate between specific paths on a shared tracking domain is seen as a more effective approach. For example, linktracking.example/customer1/url and linktracking.example/customer2/url are treated differently, which helps isolate malicious activity to a specific customer's path rather than the entire domain.
• Warming up click tracking IPs is unusual: Experts express skepticism about the need to warm up a click tracking IP. This practice is typically associated with sending IPs, not click tracking IPs, and its suggestion should be met with questions.

Key considerations

• Verify unique link tracking: Ensure your ESP's click tracking mechanism is sufficiently unique and separated between customers to prevent reputation bleed from a compromised neighbor. This means the paths (the part after the domain) should be customer-specific and not easily transferable or exploitable.
• Consult security professionals: If click tracking links are being flagged, involve your internal security team or external security experts to investigate possible compromises on your website or related digital assets.
• Distinguish between IP types: Understand the difference between a sending IP and a click tracking IP. Issues with one do not automatically mean issues with the other, and the solutions are often different. Sending IP issues are about email delivery, while click tracking issues are about link safety warnings. Abusix highlights the specific role of ESPs in managing IP addresses and blocklists.
• Monitor domain reputation: Regularly review the domain reputation of your tracking links via tools like Google Postmaster Tools for better insight into how these links are perceived by major mailbox providers.

Key findings

• Dedicated click tracking domains are recommended: Documentation from major ESPs, like Klaviyo, explicitly suggests setting up dedicated click tracking domains if shared domains lead to links being blocked. This is a common recommendation to improve deliverability and avoid reputation issues from other users on shared infrastructure.
• ESPs play a role in spam blocking: Abusix documentation highlights that ESPs are responsible for managing their IP addresses and domains, and if an IP address is blocklisted, the ESP must resolve the issue unless the sender uses a dedicated server. This underscores the shared responsibility in deliverability.
• Tracking methods affect metrics: Email on Acid's help resources explain that different tracking methods can cause disparities in email open and click metrics. While not directly about blocking, this suggests that the underlying tracking mechanism can influence how links are processed and perceived by security systems.
• Privacy features impact tracking: Features like Apple's Mail Privacy Protection, as described by Dotdigital, hide IP addresses and prevent senders from linking online activity. While primarily for privacy, such features can indirectly influence how tracking links are perceived by security filters, sometimes leading to more scrutiny.

Key considerations

• Implement dedicated domains: For consistent deliverability and to avoid issues with shared IP or domain blocklists, documentation consistently points to using a dedicated click tracking domain. This provides isolation and better control over your sender reputation.
• Address IP blocklisting at ESP level: If an IP address associated with your ESP is blocklisted, documentation from security firms indicates that the issue typically needs to be resolved at the ESP's end unless you have a dedicated server. This reinforces the need for clear communication with your ESP.
• Monitor deliverability metrics closely: Documentation often emphasizes the importance of closely monitoring email deliverability metrics. Unusual drops in click rates or increases in spam complaints might signal underlying issues with your click tracking links being flagged. This is a good way to uncover hidden factors.
• Review security warnings: Understand the nuances of security warnings, such as Gmail's 'This message seems dangerous' alert, which documentation explains can be triggered by various factors beyond simple malware, including unindexed domains or suspicious patterns.