CNAME & HTTPS Tracking Issues in DKIM

If you're completing Domain Verification (DKIM), one common security concern is the CNAME record for Mailgun: both how it relates to HTTPS tracking links and the phishing risk of the record itself. There are some options for both below:


CNAME Complexity

The CNAME record that is part of DKIM is for email tracking, which could pose a security risk since users might see mailgun.com instead of the official customer subdomain. The problem is that not adding that record can also impact our ability to track emails. There are a couple of options for how to handle this:

1) Proxy the CNAME so that mailgun.com doesn't show in DNS queries, as described in the following article: https://help.mailgun.com/hc/en-us/articles/360011566033-How-to-Enable-HTTPS-Tracking-Links. There is one caveat, assuming the company is using Google Cloud CDN: technically, Mailgun only supports CloudFlare for this kind of HTTPS proxy. It should work with any CDN, but that is not officially supported.

2) Remove the CNAME for Mailgun. This will break Pool email open and click tracking, which is not a huge deal. Important note: the CNAME records for SES are for incentive & scheduling delivery.

Note: removing the SES CNAME records would impact incentive delivery.

HTTPS Tracking Links

If your company forces HTTPS for all subdomains, we need to match that setting in Mailgun.

A couple of options for how to proceed:
Option 1) Consider a “Flexible” setting for SSL just for uxr.company.com. In whichever CDN the company uses, you would configure a CNAME entry and a page rule for that. Again, this is straight from Mailgun, and not something we control at all, unfortunately.

Option 2) Disable click tracking. This requires no changes on your side but would break engagement stats in Ethnio. Emails and links would all still work, so might depend on how important longitudinal engagement metrics are for your team.
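
To check the outcome of the options in both sections above, here is an added example (not code from Mailgun or Ethnio) that classifies DNS answers for the tracking hostname and finds tracking links in an email body that still use plain HTTP. The hostname email.uxr.company.com, the Mailgun suffixes, the link path, and all sample records are assumptions constructed for illustration.

```python
import re

# Assumption: domain suffixes that identify Mailgun as a CNAME target.
MAILGUN_SUFFIXES = ("mailgun.com", "mailgun.org")

# Constructed samples in `dig +noall +answer` format (203.0.113.0/24 is a documentation range).
DIRECT = ["email.uxr.company.com. 300 IN CNAME mailgun.org."]
PROXIED = ["email.uxr.company.com. 300 IN A 203.0.113.10"]
EMAIL_HTML = ('<a href="http://email.uxr.company.com/c/abc123">Join study</a> '
              '<a href="https://email.uxr.company.com/c/def456">Details</a>')

def classify_tracking_host(answer_lines):
    """Classify the DNS answers returned for the tracking hostname."""
    cnames, addresses = [], []
    for line in answer_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # not a complete answer record
        rtype, rdata = fields[3].upper(), fields[4].rstrip(".").lower()
        if rtype == "CNAME":
            cnames.append(rdata)
        elif rtype in ("A", "AAAA"):
            addresses.append(rdata)
    for target in cnames:
        if any(target == s or target.endswith("." + s) for s in MAILGUN_SUFFIXES):
            return "direct-cname"    # Mailgun name is visible in DNS queries
    if cnames or addresses:
        return "mailgun-hidden"      # record exists, no Mailgun name (e.g. CDN in front)
    return "missing"                 # no record: open and click tracking will break

def insecure_tracking_links(html, tracking_host):
    """Return tracking links that use http:// on a host expected to force HTTPS."""
    pattern = re.compile(r'href="(http://' + re.escape(tracking_host) + r'/[^"]*)"',
                         re.IGNORECASE)
    return pattern.findall(html)

if __name__ == "__main__":
    for name, answers in (("direct", DIRECT), ("proxied", PROXIED), ("removed", [])):
        print(name, "->", classify_tracking_host(answers))
    print(insecure_tracking_links(EMAIL_HTML, "email.uxr.company.com"))
```

A "mailgun-hidden" result only shows that DNS no longer names Mailgun; it does not confirm that the CDN is forwarding tracking requests correctly.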
