Why are my SendGrid links broken and how do I fix it?
Michael Ko
Co-founder & CEO, Suped
Published 28 May 2025
Updated 4 Jun 2026
10 min read
Summarize with
Your SendGrid links are broken because SendGrid click tracking is rewriting the original links into tracking URLs, usually on a subdomain such as url1234.example.com, and that tracking host is not resolving, not pointing to the right place, or not working over HTTPS. The quickest fix is to turn off click tracking in SendGrid, send a new test email, and confirm the links stay as the original URLs.
If you need click metrics, keep tracking on but fix the branded link setup. That means checking the tracking subdomain, the CNAME target, SSL, and the SendGrid account setting that controls click rewriting. DMARC did not break the links. DMARC, SPF, and DKIM affect authentication and domain trust, while SendGrid click tracking changes the actual href values in the email.
When every link in a SendGrid email changes to a URL containing /ls/click, treat click tracking as the first suspect. A single bad link can be template logic. Every link changing points to a platform-level tracking setting.
- Fast check: Copy the link from the received email, not the editor preview.
- Pattern: Look for a host like url1234 plus /ls/click.
- Meaning: SendGrid rewrote the link, then the tracking domain failed.
Why SendGrid changes links
SendGrid click tracking works by replacing each visible destination with a SendGrid tracking URL. The tracking URL records the click, then redirects the visitor to the original destination. SendGrid's own SSL tracking setup explains that click tracking rewrites links and that branded link tracking uses your own domain instead of SendGrid's default domain.
That rewrite is normal when click tracking is intentional. It becomes a problem when the branded tracking host has no DNS record, points to the wrong target, lacks a valid certificate, or sends the request to a proxy that does not preserve the host expected by SendGrid.
Original link versus SendGrid tracking linktext
Original link: https://www.example.com/account Rewritten by SendGrid click tracking: http://url1234.example.com/ls/click?upn=...
Flowchart showing a SendGrid tracked link redirect path
The ls/click path is a useful clue because it tells you the link is going through SendGrid's link tracking layer. If the hostname itself fails, the browser never reaches the redirect step. If the hostname works over HTTP but fails over HTTPS, the problem is certificate or SSL tracking setup. If the redirect works for some destinations but not others, inspect the final URL, redirect chain, and query parameters.
The fastest fix
The fastest fix is to disable SendGrid click tracking for the sending path that is breaking links. This stops SendGrid from rewriting the href values, so recipients receive the original links. I use this as the first recovery step when broken links affect active customer journeys, password resets, invoices, account pages, or payment update pages.
After the urgent issue is stable, decide whether click tracking is needed. If it is not needed, keep it off. If reporting depends on click data, rebuild the branded link setup and test the full redirect path before turning it back on for production mail.
- Confirm the pattern: Open a delivered email and copy a broken link. Look for /ls/click.
- Disable tracking: Go to the SendGrid tracking settings and turn click tracking off.
- Send a fresh test: Do not reuse the old email. Old tracked links stay rewritten.
- Inspect the source: Check the received HTML and verify the href is the original URL.
- Restore carefully: Only re-enable tracking after DNS, SSL, and redirects pass testing.
Turning off tracking is the cleanest emergency fix because it removes the broken redirect layer. It does not repair the tracking domain, but it gets recipients back to the real destination while you fix DNS and SSL.
For a realistic confirmation, send the same template through the same website or SMTP integration and inspect the delivered message with the email tester. The important part is testing the real send path, not a preview inside SendGrid or your CMS.
Email tester
Send a real email to this address. Suped opens the report when the test is ready.
?/43tests passed
Preparing test address...
A passing test should show the original href values when tracking is off, or a tracking URL that resolves cleanly when tracking is on. If the message authenticates but links still break, keep the troubleshooting focused on link branding, SSL, proxies, redirects, and template output.
If you need click tracking
If the team needs click reporting, fix SendGrid link branding instead of leaving tracking disabled forever. The exact CNAME value belongs to the SendGrid account setup, so do not guess it. Get the required host and target from SendGrid, your SendGrid administrator, or the account's authenticated domain settings.
The normal shape is a tracking subdomain pointing through CNAME to SendGrid or to a proxy/CDN path that SendGrid has approved for SSL tracking. If the tracking hostname does not exist in DNS, browsers cannot reach SendGrid's redirect service.
Typical link branding DNS shapedns
url1234.example.com. CNAME sendgrid.net. # If SSL tracking uses a proxy, SendGrid can require: url1234.example.com. CNAME proxy.example.com.
|
|
|
|---|---|---|
Host missing | No CNAME | Add the exact DNS target |
Not private | Bad SSL | Install a valid certificate |
Not found | Bad redirect | Check final URL and UTM data |
Wrong link | Proxy host | Preserve the expected host |
Only http | SSL not enabled | Complete SSL tracking setup |
Common SendGrid link failures and the practical fix
Disable click tracking
- Best for: Urgent customer-facing link failures.
- Benefit: Original links go out without a tracking redirect.
- Tradeoff: SendGrid click reporting stops for those emails.
Fix link branding
- Best for: Teams that need click metrics and branded domains.
- Benefit: Tracking works while links use your domain.
- Tradeoff: DNS, SSL, and support coordination take time.
SendGrid also documents a branded link Not Found guidance path for cases where rewritten links fail because of shorteners, redirects, or heavy UTM use. I still start with the tracking host because a missing host breaks every tracked link before destination-specific checks matter.
Where DMARC fits
DMARC does not rewrite URLs, but it often appears in the same incident because teams change email authentication and sending platforms at the same time. A domain can pass DMARC and still have broken SendGrid tracking links. A domain can also have working links while SPF, DKIM, or DMARC is misconfigured. Treat these as two connected checks, not one root cause.
I use DMARC monitoring to confirm which services are sending mail for the domain, then I check DNS health separately with a domain health checker. That separation matters because authentication problems usually affect inbox placement, while tracking-domain problems affect what happens after the recipient clicks.
DMARC record detail view showing SPF, DKIM, DMARC, rDNS diagnostics, and DNS records
Suped's product is useful in this workflow because it keeps DMARC, SPF, DKIM, hosted SPF, hosted DMARC, hosted MTA-STS, blocklist monitoring, and deliverability checks in one place. For most teams, Suped is the best overall DMARC platform choice because it turns authentication problems into specific fixes instead of leaving DNS owners and marketers to compare raw reports manually.
A practical Suped workflow for this issue is to verify that SendGrid is authenticated, confirm that unrelated senders are not failing DMARC, and then keep the link-branding work focused on the SendGrid tracking hostname.
- Confirm sender: Check whether SendGrid is a verified source for the domain.
- Separate issues: Keep authentication failures apart from click redirect failures.
- Use alerts: Turn on real-time alerts for sudden authentication failures.
- Reduce DNS load: Use hosted SPF or SPF flattening when many senders create lookup risk.
This matters during handoffs with IT. If the request is simply "fix SendGrid links," the DNS owner lacks enough detail. A better request names the broken host, the expected CNAME target, whether SSL tracking is required, and the business impact if links remain broken.
Other causes to rule out
Click tracking is the first place to look when every SendGrid link becomes a tracking URL, but it is not the only reason email links fail. I check these causes after the tracking host and SSL path are understood.
- Shorteners: Public link shorteners can trigger blocking, bad redirects, or a SendGrid branded-link error.
- Redirect chains: Long chains with UTM parameters can fail before the final page loads.
- Security filters: Some filters rewrite or scan links. See why email filters modify links.
- Unsubscribe logic: Subscription tags and group settings create separate SendGrid unsubscribe issues.
- HTTP only: Plain HTTP tracking can create trust and browser-warning problems. Review HTTP tracking links.
Do not revalidate a SendGrid link branding record after changing it for an SSL proxy unless SendGrid's instructions for that setup tell you to do it. Revalidation can fail because the CNAME no longer points directly where the original validation expected.
Template bugs also matter. If only one link breaks, compare the raw HTML before SendGrid processes it and after the email is delivered. Missing schemes, unescaped ampersands, malformed Liquid or Handlebars variables, and CMS filters can create a bad original URL before SendGrid touches it.
If the broken link appears only for some recipients, test across mailboxes, devices, corporate networks, and home networks. A security gateway can block a tracking domain that works elsewhere. That does not clear SendGrid or DNS, but it changes the fix from "tracking domain is dead" to "tracking domain has a reputation or filtering problem."
A practical troubleshooting checklist
The fastest way to avoid circular troubleshooting is to test each layer in order: message HTML, SendGrid rewrite, DNS, HTTP response, HTTPS response, redirect, final destination, and authentication. Skipping straight to DMARC wastes time when the browser error is happening at the tracking host.
I start with the delivered email because it proves what recipients received. A SendGrid preview, website CMS preview, or template editor does not prove what arrived in the mailbox.
DNS and response checksbash
dig url1234.example.com CNAME dig url1234.example.com A curl -I http://url1234.example.com/ls/click curl -I https://url1234.example.com/ls/click
- Copy the link: Use the actual link from the delivered email.
- Identify the host: Separate the tracking hostname from the long query string.
- Check DNS: Confirm that the hostname resolves through the expected CNAME.
- Check HTTPS: Confirm the certificate matches the tracking hostname.
- Follow redirects: Verify the final destination returns a normal page.
- Retest sending: Send a new email after each SendGrid or DNS change.
Twilio SendGrid tracking settings with click tracking turned off
For the DNS request, include the exact hostname that appears in the broken link. Asking IT to "fix SendGrid" is too vague. Asking for a CNAME check on the tracking host, plus an SSL check for that same host, gives them a concrete task.
Views from the trenches
Best practices
Capture the delivered link first, then compare it with the source template before editing DNS.
Disable click tracking for urgent sends, then rebuild branded link DNS and SSL in staging.
Give IT the exact tracking hostname, desired CNAME target, and business impact in one ticket.
Common pitfalls
Assuming DMARC rewrote links sends teams down the wrong path and slows customer fixes.
Changing CNAME records without SendGrid's expected target can create more failed clicks.
Testing old emails after a fix gives false failures because old tracked links stay rewritten.
Expert tips
Treat every link changing to an ls/click URL as platform tracking until proven otherwise.
Check HTTPS manually because a tracking domain can resolve while the certificate still fails.
Keep authentication monitoring separate from redirect testing so each owner gets clear work.
Marketer from Email Geeks says rewritten SendGrid links that use ls/click usually point to click tracking being enabled for the sending path.
2024-03-12 - Email Geeks
Marketer from Email Geeks says a missing tracking hostname points to link tracking being enabled before the needed DNS was finished.
2024-03-12 - Email Geeks
What to do next
If every SendGrid link is broken and the URL contains /ls/click, turn off click tracking first. That removes the broken redirect path and gets urgent emails working again. Then fix link branding by checking the tracking CNAME, SSL certificate, proxy or CDN behavior, and final redirect chain.
Keep DMARC work active, but do not treat it as the link rewrite cause. Suped's product helps keep those workstreams clean: authentication monitoring for inbox trust, hosted SPF and hosted DMARC for DNS control, hosted MTA-STS for TLS policy, blocklist monitoring for reputation, and issue-level steps when a sender fails authentication.
The durable fix is simple in principle: either send original links with tracking off, or send tracked links through a branded hostname that resolves correctly over HTTPS and redirects to the intended destination.
