Shared ESP tracking domains like click.sendgrid.net and email.mailgun.net pool their reputation across every tenant on the platform, so one spammer's blasts drag your click-throughs into spam folders and Safe Browsing warnings. Owned redirect subdomains tie click reputation to your sending domain, keep DKIM/SPF alignment intact, survive ESP migrations without breaking historical links, and stop Gmail and Outlook from flagging third-party hostnames as phishing redirects in the user's browser.
High because a poisoned shared tracking domain suppresses deliverability and click-through across every campaign until migration completes.
Register a subdomain such as clicks.yourdomain.com or track.yourdomain.com, configure it as a custom link-branding domain inside your ESP (SendGrid Sender Authentication, Mailgun Sending Domains, or Resend custom domains), point the required CNAMEs at the ESP, then route every outbound link through a single buildTrackedUrl() helper so no campaign falls back to the shared default.
return `https://clicks.yourdomain.com/r?${params.toString()}`
ID: campaign-analytics-attribution.tracking-implementation.click-tracking-owned-domain
Severity: high
What to look for: Examine how click tracking URLs are constructed. Look for URL rewriting logic that wraps original links. Check whether click redirect URLs use the project's own domain or subdomain (e.g., clicks.yourdomain.com, track.yourdomain.com) versus a third-party tracking domain (e.g., generic SendGrid or Mailchimp tracking domains). An owned tracking domain is a custom domain configured with the email service provider's click-tracking infrastructure.
Pass criteria: Click tracking URLs use a custom subdomain owned by the project (configured as a custom tracking domain in the ESP). The redirect domain matches the sending domain or a related owned domain. Quote the actual tracking domain found in the link-building code or ESP configuration. Count all link-building utilities and verify at least 1 uses the custom domain.
Fail criteria: Click tracking uses a shared third-party tracking domain (e.g., click.sendgrid.net, email.mailgun.net without a custom domain configured). Or no click tracking infrastructure exists. An ESP account with default tracking enabled but no custom domain configured does not count as pass.
Skip (N/A) when: The project sends email but does not implement click tracking.
Cross-reference: The Sending Pipeline & Infrastructure Audit covers DNS authentication (SPF, DKIM) for the sending domain, which must align with the tracking domain for optimal deliverability.
Detail on fail: Example: "Click tracking URLs use shared SendGrid domain click.sendgrid.net — reputation tied to shared pool, not your domain" or "No click tracking URL rewriting found"
Remediation: Configure a custom click tracking domain with your ESP:
// For SendGrid: Add a custom link branding domain in Settings > Sender Authentication
// For Mailgun: Configure click tracking with a custom domain in Settings > Sending Domains
// For Resend: Custom domains are used automatically for click tracking
// In your link-building utility:
function buildTrackedUrl(originalUrl: string, contactId: string, campaignId: string, linkId: string): string {
const params = new URLSearchParams({
cid: contactId,
camp: campaignId,
lid: linkId,
url: originalUrl
})
// clicks.yourdomain.com must be configured as your ESP's custom tracking domain
return `https://clicks.yourdomain.com/r?${params.toString()}`
}