search
Ctrlk
PricingContact supportOpen app

Click Tracking Blocked – SSL Cipher Error

Received a 'Click tracking disabled - custom hostname blocked' alert? Read this article and learn how to fix SSL errors when using custom domains for click tracking in Mailtrap Email API/SMTP.

Click tracking or custom domain tracking issues include SSL_ERROR_NO_CYPHER_OVERLAP or Error 1001 errors.

Browser showing SSL_ERROR_NO_CYPHER_OVERLAP or Error 1001 when accessing custom tracking domain
Custom domain blocked: SSL error when accessing custom domain for click tracking

hashtag
Understanding custom domain click tracking

Mailtrap allows you to use your own domain for click tracking. To achieve this:

  1. You add an mt-link CNAME record during the domain setup process

  2. Mailtrap issues a security certificate for the mt-link subdomain to ensure a secure connection

  3. Certificates from Let's Encrypt and Google Trust Services are used

hashtag
Why your custom hostname was blocked

The primary cause for custom domain tracking issues is that some domains have a list of trusted Certificate Authorities (CAs) specified in CAA records.

circle-exclamation

If your CAA records don't include Google Trust Services and Let's Encrypt, Mailtrap won't be able to request certificates from them. This prevents click tracking from working because browsers can't establish a secure connection, hence the custom hostname issues.

hashtag
Checking your CAA records

You can check the CAA records for your domain using this command:

The output might look similar to this:

In this example, the domain only allows GlobalSign to issue certificates, which is why Mailtrap cannot obtain a certificate.

hashtag
Solution: Update CAA records

You have two options:

Option 1: Add required CAs (recommended)

If you want to keep your existing CAA records, modify them to include Google Trust Services and Let's Encrypt:

Option 2: Remove CAA restrictions

If you don't need to restrict which CAs can issue certificates for your domain, you can remove the CAA records entirely.

hashtag
How to add CAA records

CAA Record Configuration

Field
Value
Description

Name

blank or @, depending on your provider

TTL

1 hour or any other appropriate TTL

Controls how long the record is valid.

Flag

0

0 means that no flags have been set. Please read your DNS provider's documentation for specific behavior.

Tag

issue

Allows the CA to issue certificates for this domain and its subdomains (e.g., mt-link subdomain).

Domain

pki.goog; cansignhttpexchanges=yes OR letsencrypt.org

Google Trust Services needs the additional parameter cansignhttpexchanges=yes.

circle-info

You'll need to create two separate CAA records: one for Google Trust Services and one for Let's Encrypt.

hashtag
Verification

After updating your CAA records:

1

Wait for DNS propagation

It can take several hours for the changes to your CAA records to propagate. This varies by DNS provider and TTL settings.

2

Verify CAA records

Run the dig CAA example.com command again to confirm the new records are in place.

3

Test your mt-link subdomain

Once propagated, you should be able to access your mt-link subdomain without SSL errors:

hashtag
Additional resources

For DNS setup guides specific to your provider, see:

  • AWS Route 53 Setup Guide

  • Cloudflare DNS Setup Guide

  • GoDaddy DNS Setup Guide

hashtag
Need help?

If you're still experiencing SSL errors after updating CAA records:

  • Wait at least 24 hours for full DNS propagation

  • Verify the records are correctly formatted (check for typos)

  • Contact your DNS provider for CAA record support

  • Reach out to Mailtrap support at [email protected]envelope

PreviousFrom Header MismatchNextOffice 365 Quarantine

Last updated

Was this helpful?