Secure Tracking

Mailgun supports enabling the HTTPS protocol on open, click and unsubscribe tracking URLs. Mailgun utilizes Let’s Encrypt with HTTP-01 challenges via your existing tracking CNAME record to issue a TLS certificate. This configuration also supports HTTP Strict Transport Security (HSTS).

Initiate generation of an x509 keypair

This call generates a TLS certificate for the Tracking domain and returns a status URL.

POST /v2/x509/{domain}
Path parameter Description
domain The tracking domain for which the x509 key pair will be generated

Sample Request

curl -X POST

Sample Responses

202 Accepted: x509 keypair generation has been initiated

    "message":  "Initiated x509 key pair generation",
    "location": "/v2/x509/"

400 Bad Request: tracking domain has missing/incorrect CNAME record

    "message":  "invalid CNAME record",

402 Payment Required: account is not enabled to use HTTPS link tracking based on billing plan

    "message":  "upgrade your account to enable this feature",

409 Conflict: x509 keypair already exists or is pending for this tracking domain

    "message":  "x509 key pair generation has already been initiated for",

Get the status of an x509 keypair

GET /v2/x509/{domain}/status
Path parameter Description
domain The link tracking domain assoicated with the x509 key pair

Response contains certificate, status, message, and possibly an error depending on status.

Status Meaning
active success (i.e. (re)generation complete)
processing (re)generation in-progress
expired expired
error error during (re)generation