
Marketing Cloud SSL Certificates Overview

Publish Date: Aug 27, 2024
Description

 

Here's an overview of the Secure Sockets Layer (SSL) security protocol certification and how you can set up an SSL certificate in your Organization.

Resolution

What is an SSL certificate and why do I need it? 

SSL certificates keep online interactions private even though they travel across the public Internet, and they give your visitors the confidence to transact with your website. SSL validates site identity and secures data in transit. All Marketing Cloud domains should be secured with SSL before use. 
 

Which domains should be secured?

 

  • cloud.<custom domain>.com: cloud subdomains serve pages from the CloudPages landing pages product
  • click.<custom domain>.com: click subdomains are used to generate subscriber-specific click-tracking URLs
  • view.<custom domain>.com: view subdomains are used to generate 'View in Browser' links when the %%view_email_url%% Personalization String is called
  • image.<custom domain>.com: image subdomains serve images and related assets stored in Content Builder

 

SSL Setup

 

1.  Purchase SSL SKUs for your Marketing Cloud account

SSL is not included in our Sender Authentication Package but can be purchased as an add-on to secure the URLs described above.  

NOTE: You will need to complete the configuration of your Sender Authentication Package (SAP) before you can set up SSL for those domains.

 

2.  Certificates can be issued in two ways:

a. Marketing Cloud purchases the SSL certificate on your behalf via DigiCert
b. Provide your own certificate  (Not supported on image subdomains)

We recommend allowing Marketing Cloud to purchase the certificate on your behalf. This has the quickest turnaround and makes renewal seamless.

An SSL SKU purchase is required even if the certificate is customer-supplied.
 

3. Secure your domain.

If you plan to use Marketing Cloud-purchased certificates, use the Domain SSL Certificates page in Setup to quickly secure your domain.

 

DNS Considerations

CAA records control the list of certificate authorities (CAs) allowed to issue certificates on behalf of a domain. When no CAA records exist, all CAs can issue on a domain's behalf. When any CAA record exists, the CAs allowed to issue on behalf of that domain and its children are limited to those explicitly allowed by these records. 

If CAA records exist and Salesforce-supplied certificates are used to secure custom domains on self-hosted DNS, ensure that this record is placed:

CAA 0 issue "digicert.com"

The record should be inserted at the SAP domain level or higher. 

CAA record restrictions can sometimes be inserted by network administrators unbeknownst to Marketing Cloud SAP owners. If you are using Salesforce-supplied certificates, it's recommended that your DNS or security admins be made aware of this so that any CAA record changes are made in accommodation of this requirement. 
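
The lookup rule described in this section, as an added example (not Salesforce code): a check that climbs from a hostname toward the root, as RFC 8659 specifies, and reports whether digicert.com may issue for it. The example.com names, the zone dictionaries and the ca.example.net issuer are constructed placeholders; CNAME chasing and wildcard requests are not modelled.

```python
# Added example: CAA "relevant RRset" lookup (RFC 8659 tree climbing).
# All names and zones are constructed; ca.example.net is a placeholder CA.
REQUIRED_CA = "digicert.com"  # issuer domain from the article's CAA record

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the closest name that has any CAA
    record supplies the whole RRset, and nothing above it is consulted."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def issuance_allowed(fqdn, zone, ca=REQUIRED_CA):
    """Return (allowed, reason) for a non-wildcard certificate request.
    CNAME chasing is not modelled."""
    name, rrset = relevant_rrset(fqdn, zone)
    issue = [value for (_flags, tag, value) in rrset if tag == "issue"]
    if not issue:
        # No CAA anywhere, or only non-restricting tags such as iodef.
        return True, "no issue restriction applies"
    # The issuer domain is whatever precedes any ';' parameters.
    issuers = {v.split(";")[0].strip().lower() for v in issue}
    if ca in issuers:
        return True, f"{ca} authorized at {name}"
    return False, f"CAA at {name} allows only {sorted(issuers)}"

# Constructed zones: example.com is the parent, email.example.com the SAP domain.
OTHER = (0, "issue", "ca.example.net")
DIGICERT = (0, "issue", "digicert.com")
ZONES = {
    "no CAA records": {},
    "parent pins another CA": {"example.com": [OTHER]},
    "digicert added at parent": {"example.com": [OTHER, DIGICERT]},
    "SAP-level RRset shadows parent": {
        "example.com": [DIGICERT], "email.example.com": [OTHER]},
}

if __name__ == "__main__":
    for label, zone in ZONES.items():
        for sub in ("click", "view", "image", "cloud"):
            host = f"{sub}.email.example.com"
            print(f"{label:32} {host:28} {issuance_allowed(host, zone)}")
```

In the last constructed zone the digicert.com record at the parent is never consulted, because a CAA RRset at the SAP domain itself takes precedence over anything above it.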
 

Additional Information

 

  • Marketing Cloud issues single-domain certificates for click, view, and cloud subdomains. Multi-domain SAN certificates are issued for image subdomains.
  • For CloudPages that were created before SSL was implemented, existing HTTP versions of a URL are not forcibly redirected to the HTTPS version. In the CloudPages application, Page Details has an option to update SSL for existing pages to HTTPS.
  • Each SSL SKU secures a single hostname. In Marketing Cloud, SAP domain refers to a collection of hostnames (subdomains) used to provide the product's functionality. SAP hostnames that should be secured with SSL include the click, view, image, and cloud subdomains. Thus, 4 SSL SKUs are most commonly used to secure a SAP domain. 

 

 

Knowledge Article Number

000387921

 