Apart from your sending domain used to send your emails, a link subdomain is also set up for your license.
This subdomain will host the following elements:
the images that you import into Actito (be it through HTML or from the editor),
the forms that you create on Actito,
the redirection page that allows Actito to track your links,
your emails' mirror page and the unsubscribing scenario.
Link subdomains usually follow the pattern links.yoursendingdomain.com or link.yoursendingdomain.com.
For example, the link subdomain for our sending domain actito.news is link.actito.news.
The link subdomain uses the HTTP protocol by default.
HTTP and HTTPS protocols
The HTTP protocol (for Hypertext Transfer Protocol) is a client-server communication protocol that allows sending and receiving information from and to web servers. It is the basis for accessing all internet resources.
When the HTTP protocol is used, neither the information nor the connection is encrypted. The information exchanged is therefore visible and could be retrieved by a third party.
In contrast, the HTTPS protocol (S for Secure) is secured. It uses an encryption protocol, SSL (Secure Sockets Layer), which provides an encrypted connection between client and server. Only those who hold the decryption key can decrypt the information.
This is the right protocol to exchange confidential data, for example on a login page, especially when sensitive data, such as bank details, are involved.
Why use HTTPS on Actito?
Actito forms are not designed to work as login pages and the images that you use in your campaigns are, generally speaking, not confidential. On top of that, the use of HTTP is not banned.
So why use a secured protocol?
Your license and Actito's site use HTTPS.
This article is about your particular link subdomain's security.
There are several reasons to use HTTPS in your license:
Your profiles might state personal data in your public forms.
You use profile attributes in your image parameters.
When using HTTPS, the browser address bar will show that the connection with the sites hosted by your subdomain is secured (just like in the Actito sites example above). Browsers also mark HTTP pages as not secure.
In the B2B sector, the network configuration of some organizations, including yours, might not trust the HTTP protocol. That's why it's necessary to whitelist your subdomain.
Google Chrome and, by extension, Chromium-based browsers such as the latest version of Microsoft Edge, refuse so-called mixed content, that is to say, a site using HTTPS (such as your Actito license) loading resources over HTTP (such as the images hosted by your subdomain). This is the reason why you won't be able to view the images in the HTML editor preview. This restriction doesn't apply to other browsers, like Mozilla Firefox and Safari.
It is expected that Chrome will push more and more for the standardisation of HTTPS and that other browsers will follow the trend.
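To see which resources in an email or form template would be treated as mixed content on an HTTPS page, the HTML can be scanned for sub-resources loaded over plain HTTP. This is an added example, not Actito code; the function names, the sample HTML and its paths are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch a sub-resource.
# <a href> is navigation, not a sub-resource, so it is not mixed content.
RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
                  "video": "src", "source": "src", "link": "href"}


class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        # Only stylesheet <link> elements load a resource into the page.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = (attrs.get(attr) or "").strip()
        try:
            parts = urlsplit(url)
        except ValueError:  # malformed URL: nothing to report
            return
        # Protocol-relative URLs (//host/x) have no scheme and inherit HTTPS.
        if parts.scheme == "http":
            self.findings.append((tag, parts.hostname, url))


def find_mixed_content(html):
    """Return (tag, host, url) for every sub-resource loaded over plain HTTP."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def hosts_to_fix(html):
    """Hosts that must serve HTTPS before the page loads cleanly."""
    return sorted({host for _, host, _ in find_mixed_content(html)})


# Constructed sample template (not real Actito output).
SAMPLE_HTML = """
<img src="http://link.yoursendingdomain.com/img/banner.png">
<img src="https://link.yoursendingdomain.com/img/logo.png">
<img src="//link.yoursendingdomain.com/img/footer.png"/>
<a href="http://www.example.com/offer">Offer</a>
<link rel="stylesheet" href="HTTP://static.example.com/mail.css">
"""
```

On the sample, only the first image and the stylesheet are reported; the HTTPS image, the protocol-relative image and the plain hyperlink are not.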
Your link subdomain hosts the redirection page that allows Actito to track your messages. Even if your subdomain uses HTTP, the final destination will be encrypted.
This means that if you use personalizations based on profile attributes in your link additional parameters, they will appear only in the final URL, which is your website's.
They will not be shown in the redirection page, even if your subdomain is not secured, as you can see in the following example:
How to use HTTPS?
The HTTPS protocol requires setting up an SSL certificate. This certificate verifies that a domain belongs to an organization or company.
Your link subdomain is usually based on your sending domain, which is usually in your company's name but delegated to Actito. This form of joint guardianship means that there are 2 options to set up the SSL certificate on your domain.
The default option is to let Actito handle the whole certificate process: using the Let's Encrypt solution, we will generate a free certificate, valid for 3 months but automatically renewed. This standard certificate will not be tied to the name of your Organization.
The other option is to handle the certificate on your side, by purchasing a custom certificate with a signing request in the name of your company and transferring it to Actito. Purchased certificates are usually valid for 1 year and are the way to go if you want to display the legal name of your Organization when a user clicks on the details of the certificate.
Using free, automated certificates
Unless there is a strong requirement for you to keep the certificate management on your side, we advise you to use the default process with free certificates that are renewed automatically. These certificates are just as valid as custom ones, the main difference being that custom certificates display more details when someone clicks on the 'secure' icon to review them.
This process is automatically used unless you specify that you want to use your own SSL certificates during the deliverability set-up or at the expiration of your current certificate.
Actito wants to make sure that your profiles do not experience security warnings when clicking on links in your e-mails. Because using the HTTPS protocol has only benefits and no downsides, all link domains without any active certificate will be automatically certified using Let's Encrypt as of the 2nd of June 2023.
Setting up your own certificate
To manage your own certificate, the following process should be followed:
1. Generating a CSR
A CSR (Certificate Signing Request) is like a digital ID card that allows you to apply for a certificate from the relevant authority.
The CSR includes your company data, but is issued by Actito, using, of course, the information that you transfer to us.
Applying for a CSR
To apply for a CSR, you can send your application by email to email@example.com after informing your account manager.
The following information should be specified:
Common name: Your domain's full name. We recommend obtaining one certificate per domain.
Organization: Your company's or organization's legal name.
Organizational Unit: The department responsible for managing the certificate (optional).
Location: The city where your company is located.
State/Province/Region: The state, province, or region where your company is based.
Country: Country code (ISO code) where your company is based.
Email address: Email address of the person responsible for the process.
Actito will manage the process and send you the CSR.
2. Purchasing a certificate
Once you have a CSR, you can purchase a certificate from the relevant authority. Given that the certificate will be in your name, it is your company that will be in charge of managing this part.
It's better to choose a certificate that will be valid for at least one year. They usually cost between 50 and 150€, depending on the issuing authority.
3. Installing the certificate
Send the certificate to us (you can do it through the email address firstname.lastname@example.org) and we will take care of installing it on our servers.
4. Setting up the HTTPS
Actito will set up the HTTPS on your subdomain, which will be, from that moment, secured.
Certificates are usually valid for a year. Even if Actito occasionally verifies which certificates will expire soon, we advise you to carefully verify your certificate's validity and to start the renewal process when it's about to expire.
For that you will need a new CSR.