
Why do I get SSL issues when clicking links in emails from SendGrid?

Identify and resolve SSL and link access issues for SendGrid branded tracking domains.

Step 1 – Identify the Symptom

User reports one of the following:

  • Branded link does not open
  • Browser shows certificate warning
  • Issue occurs only in corporate networks
  • Error message:
    NET::ERR_CERT_COMMON_NAME_INVALID

➡️ Continue to Step 2

Step 2 – Check the Presented SSL Certificate

Open the branded link in a browser and inspect the certificate.

Is the certificate issued for the branded domain?

  • ✅ Yes → Go to Step 6
  • ❌ No (certificate shows *.sendgrid.net) → Go to Step 3

Step 3 – Check External DNS Resolution (Public DNS)

Run the following commands. Replace <tracking-domain> with your branded tracking domain (e.g. url123.mail.company.com).

Linux / macOS

dig @8.8.8.8 <tracking-domain> 

Windows (PowerShell)

Resolve-DnsName -name <tracking-domain> -Server 8.8.8.8

Step 4 – Check Internal DNS Resolution (Corporate Network)

Run the same commands without the server argument so that the query goes to the network's default resolver.

Linux / macOS

dig <tracking-domain> 

Windows (PowerShell)

Resolve-DnsName -name <tracking-domain>

Does the result match Step 3 exactly?

  • ✅ Yes → Continue to Step 5
  • ❌ No → Root Cause Identified
    • Internal DNS override / split DNS
    • Internal resolver returns A/AAAA instead of CNAME
    • Fix internal DNS to match external CNAME
    • Then continue with Step 5
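
The comparison from Steps 3 and 4 as a script. This is an added example, not SendGrid tooling or code from this page. It assumes dig is installed, compares only the records owned by the tracking domain itself, and ignores TTLs (an assumption, since cached TTLs count down and differ between resolvers); the function names and sample records are constructed.

```sh
#!/bin/sh
# Added example (not SendGrid tooling): compare the Step 3 and Step 4 answers.
# Function names and sample records are constructed for illustration.

# first_hop <domain>: read `dig +noall +answer` text on stdin and print the
# sorted "TYPE value" pairs owned by <domain> itself. TTL and class are dropped.
first_hop() {
  awk -v d="$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')." '
    NF >= 5 && $1 !~ /^;/ && tolower($1) == d { print $4, tolower($5) }' |
    LC_ALL=C sort -u
}

# classify_dns <domain> <public answer> <internal answer>
classify_dns() {
  cd_pub="$(printf '%s\n' "$2" | first_hop "$1")"
  cd_int="$(printf '%s\n' "$3" | first_hop "$1")"
  if [ -z "$cd_pub" ] || [ -z "$cd_int" ]; then
    echo NO_ANSWER           # one resolver returned nothing for the domain
  elif [ "$cd_pub" = "$cd_int" ]; then
    echo MATCH               # continue with Step 5
  elif [ "${cd_pub#CNAME }" != "$cd_pub" ] && [ "${cd_int#CNAME }" = "$cd_int" ]; then
    echo INTERNAL_OVERRIDE   # public CNAME, internal A/AAAA: split DNS
  else
    echo MISMATCH            # records differ in some other way
  fi
}

# Constructed samples; the CNAME target and addresses are placeholders.
PUBLIC_SAMPLE='url123.mail.company.com. 300 IN CNAME sendgrid.net.
sendgrid.net. 60 IN A 192.0.2.10'
INTERNAL_OK='url123.mail.company.com. 117 IN CNAME sendgrid.net.
sendgrid.net. 12 IN A 192.0.2.44'
INTERNAL_OVERRIDE='url123.mail.company.com. 3600 IN A 10.0.0.5'

if [ -n "${1:-}" ]; then   # live check: the two queries from Steps 3 and 4
  classify_dns "$1" "$(dig @8.8.8.8 +noall +answer "$1")" \
                    "$(dig +noall +answer "$1")"
else                       # offline run on the constructed samples
  classify_dns url123.mail.company.com "$PUBLIC_SAMPLE" "$INTERNAL_OVERRIDE"
fi
```

Run it with the tracking domain as the only argument from inside the corporate network; without an argument it classifies the constructed samples.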

Step 5 – Revalidate in SendGrid

  1. Ask us via the Support Portal to revalidate the CNAME entries for you.

➡️ Continue to Step 6

Step 6 – Validate Final State

Open the branded link again.

Expected result:

  • Certificate CN/SAN matches the branded domain

  • Issuer: Let’s Encrypt

  • No browser warnings

  • Link works in:

    • Home network
    • Corporate network
    • VPN
  • ✅ Works → Issue Resolved

  • ❌ Still failing → Go to Step 7

Step 7 – Advanced Checks

  • Verify the tracking domain is used in only one SendGrid account
  • Ensure no wildcard DNS records affect the domain
  • Confirm no proxy/CDN (e.g. Cloudflare) is intercepting traffic
  • Check DNS TTL and propagation delays

If unresolved:

  • Create a new tracking subdomain
  • Configure it with a clean CNAME
  • Update SendGrid Link Branding

Key Rule

If a branded SendGrid link presents a *.sendgrid.net certificate, DNS resolution is incorrect or inconsistent.