Every modern sending platform wraps your links and inserts a tracking pixel. By default, both point at a shared domain owned by the platform — em.lemlist.com, click.instantly.ai, mailchimp.com/track, and so on. Because those domains carry thousands of senders' links, they appear in URIBL and SURBL with remarkable frequency. When that happens, every message you send with a wrapped link in it is flagged.
The fix is a custom tracking domain: a subdomain under your control, pointed at the platform with a CNAME. Reputation becomes yours, blacklists stop affecting you, and as a bonus your links read like track.example.com/xyz instead of em.lemlist.com/xyz. This article walks through what a tracking domain is and how to set one up on the three most common platforms.
URIBL and SURBL are domain-based blacklists checked by SpamAssassin, Rspamd and nearly every major ISP. A single listing of click.someesp.com can bump your SpamAssassin score by 3–4 points, which is enough to tip mail into Spam on its own — even when your SPF/DKIM/DMARC are perfect.
What a tracking domain actually is
Two things run through it:
- Open tracking pixel. A 1×1 image loaded from https://track.example.com/open/<id>. When the recipient's mail client loads images, the ESP records an open.
- Click redirects. Every link in your email is rewritten to https://track.example.com/click/<id>, which redirects (HTTP 302) to the real URL. The ESP records the click along the way.
Both live on the same tracking host. When that host is shared across every customer of the platform, its reputation is the lowest common denominator of every campaign sent through it. When it's a subdomain on your own domain, reputation is yours to build and yours to protect.
Why shared tracking domains land in URIBL/SURBL
Large sending platforms serve millions of messages per day through one or a handful of shared tracking hosts. Among those millions are, inevitably, a non-trivial minority of spam campaigns, phishing tests run by security researchers, and customers pushing grey-area offers. All those links route through the same host.
URIBL and SURBL aggregate spam-trap hits and user "this is spam" reports at the domain level. A few hundred reports per week against a shared host is enough to list it. Listings last days to weeks, and the moment it happens every sender on the platform pays the price in their SpamAssassin scores.
You can check a domain yourself: send the URL through multi.uribl.com or query surbl.org directly. MXToolbox has a domain blacklist check that runs 20+ lists at once. Run it against your current tracking domain before and after switching.
The CNAME model
Every major platform supports this. You pick a subdomain like track.example.com or go.example.com, point a CNAME at the platform's target host, and flip a switch in the platform to start using the new domain for your sends.
track.example.com. IN CNAME custom.lemlist-track.io.
The platform continues to operate the server, issue the SSL certificate, and handle the redirects — you just own the DNS entry. No hosting, no software, no ongoing maintenance.
Step-by-step: Lemlist
- Pick a subdomain. Lemlist recommends something short — link.yourdomain.com or track.yourdomain.com. Avoid words like mail or smtp that might collide with other DNS records.
- Open Lemlist → Settings → Custom Tracking Domain. Enter the subdomain. Lemlist displays the CNAME target.
- Add the CNAME at your DNS provider. Cloudflare: add a CNAME record, turn off the orange cloud (proxy). Route 53: standard CNAME record. Make sure the TTL is 3600 or lower.
- Wait for propagation. Usually under 10 minutes; up to the old TTL if you are replacing an existing record.
- Verify in Lemlist. The dashboard will flip from "Not verified" to "Active" once SSL has been issued. Lemlist uses Let's Encrypt automatically.
Step-by-step: Instantly
- Pick a subdomain. Instantly's documentation suggests track.yourdomain.com.
- Open Settings → Custom Tracking Domain in the Instantly dashboard. Paste the subdomain.
- Add the CNAME target Instantly shows you (tr.instantly-track.com or similar) at your DNS provider.
- Click Verify. Instantly checks the CNAME and provisions an SSL cert. If you see a red cross, wait 5 minutes and retry.
- Enable the tracking domain per campaign — Instantly keeps it off by default for existing campaigns.
Step-by-step: HubSpot
- HubSpot calls this a Connected Email Sending Domain and it covers both authentication and tracking in one flow. Open Settings → Domains & URLs → Connect a domain.
- Choose Email sending. Enter the subdomain you want for tracking — HubSpot typically asks for email or hs-prefixed subdomains for consistency.
- HubSpot generates up to six DNS records: DKIM CNAMEs, a return-path CNAME, and a tracking CNAME. Add all of them.
- Click Verify. HubSpot checks each record and issues SSL for the tracking host automatically.
- Flip Use custom tracking domain on in Marketing → Email → Settings.
How to verify it is working
Send a test campaign to yourself. Right-click any link in the email — you should see https://track.yourdomain.com/..., not the platform's default domain. View the source of the message and check the pixel URL too; some platforms change tracking domains independently for links and pixels.
Run the new tracking domain through a URIBL / SURBL check. Ideally it should be unlisted. If it is already listed, you have re-used a subdomain that was previously a tracking host for something else — pick a new one.
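The manual check above can be scripted against the saved source of the test message. This is an added example, not code from any of the platforms; the sample message is constructed and the list of shared hosts is an assumption taken from the hosts named earlier in this article.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shared platform hosts named in the article; add your platform's default host.
SHARED_HOSTS = ("em.lemlist.com", "click.instantly.ai")
# Constructed test message: the link uses the custom host, the pixel does not.
SAMPLE = """\
Subject: test campaign
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://track.yourdomain.com/click/abc">Pricing</a>
<a href="mailto:sales@yourdomain.com">Reply</a>
<img src="https://em.lemlist.com/open/abc" width="1" height="1">
</body></html>
"""

class RefCollector(HTMLParser):  # collects (kind, url) per <a href> / <img src>
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get({"a": "href", "img": "src"}.get(tag))
        if url:
            self.refs.append(("link" if tag == "a" else "image", url))

def hosts_by_kind(raw_message):
    """Map 'link' / 'image' to the http(s) hosts used in the HTML parts."""
    seen = {"link": set(), "image": set()}
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        collector = RefCollector()
        collector.feed(html)
        for kind, url in collector.refs:
            parts = urlsplit(url)
            # mailto:, tel: and cid: references are never rewritten; skip them.
            if parts.scheme in ("http", "https") and parts.hostname:
                seen[kind].add(parts.hostname.lower())
    return seen

def still_shared(raw_message, shared=SHARED_HOSTS):
    """Return sorted (kind, host) pairs that still use a shared platform host."""
    return sorted((kind, host)
                  for kind, hosts in hosts_by_kind(raw_message).items()
                  for host in hosts
                  if any(host == s or host.endswith("." + s) for s in shared))
```

Links and images are reported separately because a platform can switch the click host while leaving the pixel on the shared one, which is the case the constructed sample reproduces.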
SSL/TLS gotcha: Let's Encrypt vs vendor-managed
Most platforms issue their own SSL cert for your tracking domain using Let's Encrypt. That is convenient but it means the platform needs HTTP challenge access to the subdomain. Two things that trip people up:
- Cloudflare proxying. If you enable the orange-cloud proxy on the CNAME, Cloudflare intercepts the challenge and the platform cannot issue the cert. Leave it grey.
- CAA records. If your root domain has a CAA record that restricts cert issuance to a specific CA, Let's Encrypt may be blocked. Add a CAA exception for letsencrypt.org or remove the restrictive CAA.
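To see why a CAA record on the root domain blocks a certificate for the tracking subdomain, the following added example (not part of any platform's tooling) models the RFC 8659 lookup that a CA performs. The DNS data is constructed, and digicert.com stands in for whichever CA the restrictive record names.

```python
# Constructed DNS data. CAA sets: name -> [(flags, tag, value)].
CAA = {"example.com": [(0, "issue", "digicert.com"),
                       (0, "iodef", "mailto:security@example.com")]}
# The tracking CNAME; the target host is the one shown earlier in the article.
CNAMES = {"track.example.com": "custom.lemlist-track.io"}
KNOWN_TAGS = ("issue", "issuewild", "iodef")

def caa_at(name, caa, cnames):
    """CAA set returned for `name`; resolvers follow CNAMEs to the target."""
    seen = set()
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
    return caa.get(name, [])

def relevant_caa(name, caa, cnames):
    """RFC 8659 tree climb: first non-empty CAA set from `name` to the root."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = caa_at(".".join(labels[i:]), caa, cnames)
        if records:
            return records
    return []

def may_issue(name, ca, caa=CAA, cnames=CNAMES):
    """True if `ca` may issue a non-wildcard certificate for `name`."""
    records = relevant_caa(name, caa, cnames)
    # An unrecognised tag with the critical flag (128) set forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in records):
        return False
    issuers = [value.split(";")[0].strip().lower()
               for _, tag, value in records if tag.lower() == "issue"]
    # No "issue" records: unrestricted. 'issue ";"' yields "" and matches no CA.
    return not issuers or ca.lower() in issuers

if __name__ == "__main__":
    print(may_issue("track.example.com", "letsencrypt.org"))  # root CAA applies
    fixed = {"example.com": CAA["example.com"] + [(0, "issue", "letsencrypt.org")]}
    print(may_issue("track.example.com", "letsencrypt.org", fixed))
```

Because a name that holds a CNAME cannot hold other records, the exception cannot be added at track.example.com itself; it goes on the parent set that the tree climb reaches.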
Subdomain choice: root vs deep
Pick a subdomain distinct from your main brand use. If your app runs on app.example.com and your marketing site on example.com, put tracking at track.example.com or go.example.com — not at the root. This keeps open-tracking traffic separated from real site traffic in analytics, and means a future subdomain blacklist listing can be fixed without touching the main brand.
Some teams go further and use a separate second-level domain for tracking (example-go.com instead of go.example.com). That is overkill for most senders but worth it if you operate multiple independent brands off one sending infrastructure.
After the tracking domain is live, wait 48 hours, then re-run an inbox placement test. You should see SpamAssassin scores drop (fewer URIBL hits) and some providers move from Promotions to Primary. If they don't, the problem was not the tracking domain — move on to authentication or content.