Fix awstrack Links Blocking SES Email Notifications (2025)

July 11, 2025

This article covers how to fix tracking links, pixels, and image content from AWS SES emails being blocked by corporate firewalls and ad blockers.

Context

You are sending emails using AWS SES and users have complained that:

This is a common problem with AWS SES.

What is awstrack.me?

AWS SES uses awstrack.me to track two things: email open and click events.

1. Open Tracking

AWS inserts a tiny, invisible 1x1 pixel image hosted on awstrack.me into your emails. When the email client loads this image, it registers as an “open” event:

<img
  src="https://r.us-east-1.awstrack.me/I0/12345678-abcd-efgh-ijkl-123456789012/..."
  width="1"
  height="1"
  style="display:none"
/>

2. Click Tracking

AWS wraps all links in your emails with awstrack.me redirects. This means that URLs in your email are rewritten as shown below:

https://yourapp.com -> https://r.us-east-1.awstrack.me/L0/https%3A%2F%2Fyourapp.com

When users click on the link, they are redirected to awstrack.me, which records a “click event” and then redirects the user to your original URL. This way, the user’s click is tracked without the user knowing.

So what’s the problem?

Corporate firewalls and many ad blockers like uBlock Origin and AdBlock Plus have specifically flagged the awstrack.me domain for its tracking behavior and block it.

Solutions

Here are three solutions with different cost vs effort trade-offs:

Solution                      Cost                                                Effort                                                   Tracking Preserved
NotificationAPI               Lowest; 30,000 emails free /month                   Lower; simple API that replaces SES                      ✅ Yes
SES + Custom tracking domain  Low; SES + CloudFront costs; 3,000 emails /month    Higher; DNS setup, CloudFront Distribution, SSL config   ✅ Yes
SES + Disable tracking        Lower; just SES costs; 3,000 emails /month          Lowest; just disable in settings                         ❌ No; loses all tracking data

Solution 1: NotificationAPI

NotificationAPI is a highly-scalable and hassle-free notification service.

Install the SDK:

npm install notificationapi-node-server-sdk

Use it to send emails:

import notificationapi from 'notificationapi-node-server-sdk';

notificationapi.init('CLIENT_ID', 'CLIENT_SECRET');

await notificationapi.send({
  type: 'password_reset',
  to: {
    email: 'user@company.com'
  },
  email: {
    subject: 'Reset your password',
    body: '<p>Hello World</p>'
  }
});

You can read the docs and supported email features here.

Solution 2: SES + Custom Tracking Domain

In this approach, you can keep using SES but replace awstrack.me with your own domain.

The difficulty of this solution is setting up an SSL certificate, CloudFront distribution, and Route 53 DNS record. To serve the tracking links from your own HTTPS domain, e.g. https://tracking.yourapp.com, SES requires this CloudFront distribution, which acts as a proxy for the actual tracking links.

An SSL certificate is required to serve the tracking links over HTTPS, which is more secure and also prevents email clients from showing warnings about content without SSL.

Repeat these steps in every region where you use SES:

Step 1: Set up a subdomain in your DNS settings

Type    Name                  Value
CNAME   tracking.yourapp.com  awstrack.me

Step 2: Set up an SSL certificate for your domain

You can use AWS Certificate Manager to set up an SSL certificate for your domain.

Step 3: Set up a CloudFront distribution

Configure the CDN with the SES tracking domain for your region as its origin, for example r.us-east-1.awstrack.me.

The CDN must point to the AWS tracking domain that’s in the same region as your custom domain. The CDN must pass the Host header supplied by the requester to the origin.

The CloudFront distribution also uses the SSL certificate created in the previous step.

In the CloudFront dashboard:

Step 4: Verify your domain in SES

In order to use a custom tracking domain, that domain must be verified in SES.

Step 5: Configure SES to use your domain

If using the AWS dashboard, you can do this in the “Configuration sets” section.

aws sesv2 put-configuration-set-tracking-options \
    --configuration-set-name my-config-set \
    --custom-redirect-domain tracking.yourapp.com

Don’t forget to enable SSL in the “Delivery options” section.

# sesv2 takes the TLS policy as its own flag (REQUIRE or OPTIONAL)
aws sesv2 put-configuration-set-delivery-options \
    --configuration-set-name my-config-set \
    --tls-policy REQUIRE

Step 6: Make sure you are using the configuration set when sending emails

You can do this by setting the configuration set as the default for a specific SES identity:

# Set my-config-set as the default configuration set for the yourapp.com identity
aws sesv2 put-email-identity-configuration-set-attributes \
    --email-identity yourapp.com \
    --configuration-set-name my-config-set

Alternatively, you can specify a configuration set when sending emails using AWS SDK:

await ses
  .sendEmail({
    // ...
    ConfigurationSetName: 'my-config-set'
  })
  .promise();

Result: The tracking links and the pixel are now using your custom domain, preventing them from being blocked by corporate firewalls and ad blockers:

https://yourapp.com/... -> https://tracking.yourapp.com/...

Solution 3: SES + Disable Tracking

Remove all tracking to ensure maximum deliverability:

Via AWS Console:

  1. Go to Amazon SES → Configuration sets
  2. Select your configuration set
  3. Navigate to Event destinations
  4. Delete both click and open tracking destinations

Via AWS CLI:

# Disable click tracking
aws sesv2 delete-configuration-set-event-destination \
    --configuration-set-name my-config-set \
    --event-destination-name click-tracking

# Disable open tracking
aws sesv2 delete-configuration-set-event-destination \
    --configuration-set-name my-config-set \
    --event-destination-name open-tracking

Trade-off: You lose all email analytics but gain maximum deliverability.

Testing Your Solution

  1. Send a test email
  2. In your email client, open the RAW email content. In Gmail, you can do this by clicking the “View Raw” button on the top right corner of the email.
  3. Search for awstrack in the email content. You should not see any.
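
A scripted version of the check in step 3, as an added example that is not code from the original article: raw messages are often quoted-printable encoded, so a soft line break can split the host name and a plain text search for awstrack finds nothing. The sketch decodes every text part first, lists any href/src still pointing at awstrack.me, and recovers the wrapped destination from the /L0/ form shown earlier. The sample message, its addresses and the pixel ID are constructed, and the function names are illustrative.

```python
import email
import re
from email import policy
from urllib.parse import unquote, urlsplit

# Constructed sample: the soft line break ("=" at end of line) splits the
# tracking host, so searching the raw text for "awstrack" matches nothing.
SAMPLE_RAW = """\
From: app@yourapp.com
To: user@company.com
Subject: Reset your password
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<a href=3D"https://r.us-east-1.awstr=
ack.me/L0/https%3A%2F%2Fyourapp.com">Reset</a>
<img src=3D"https://tracking.yourapp.com/I0/constructed-id" width=3D"1">
"""

URL_ATTR = re.compile(r'(?:href|src)\s*=\s*["\']([^"\']+)["\']', re.I)


def original_destination(url):
    """Recover the wrapped URL from the /L0/<percent-encoded URL> form."""
    path = urlsplit(url).path  # path stays percent-encoded
    if not path.startswith("/L0/"):
        return None
    return unquote(path[len("/L0/"):].split("/", 1)[0])


def find_awstrack_urls(raw):
    """Return [(url, original_destination_or_None)] for every href/src
    in a text part whose host is awstrack.me or a subdomain of it."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # undoes quoted-printable / base64
        for url in URL_ATTR.findall(body):
            host = (urlsplit(url).hostname or "").lower()
            if host == "awstrack.me" or host.endswith(".awstrack.me"):
                hits.append((url, original_destination(url)))
    return hits


if __name__ == "__main__":
    for url, dest in find_awstrack_urls(SAMPLE_RAW):
        print(f"still tracked: {url} -> {dest}")
```

An empty result on a freshly sent test message means no link or pixel in it is still served from awstrack.me.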

We Are Happy to Help

Whether you use AWS SES or NotificationAPI, feel free to contact us for help.