A public 10DLC URL shortener can block your SMS campaign before the first message goes out. In US A2P messaging, public shorteners such as bit.ly or tinyURL can trigger campaign rejection because they hide sender identity and share reputation across unrelated senders.
The safer path is a branded short domain dedicated to your sender identity. It makes the link recognizable, supports 10DLC compliance, and gives legal teams a cleaner way to review how links, tracking, and redirects work inside the campaign.
❗ This article is operational guidance, not legal advice. For regulatory interpretation in your jurisdiction, consult qualified legal counsel.
Why link policy matters before your first message goes out
Link policy is part of SMS compliance because carriers, registration bodies, and privacy teams evaluate URLs before campaigns reach customers. A link is not only a CTA but can affect registration approval, carrier filtering, sender trust, and privacy review.
This is to signal that link shortening is not a minor marketing detail. In A2P messaging, the domain inside the URL can become evidence of sender identity or a red flag.
A message that includes bit.ly/sale may look harmless to the marketing team. To a reviewer, it can look like a public shortener that obscures the destination. To a privacy team, a link with a user-level token can look like tracking that needs a lawful basis and clear disclosure.
If you need the broader marketing case for short links in SMS, read the linked article. This guide focuses on the compliance layer: what your shortener setup signals to CTIA, 10DLC reviewers, carriers, and EU privacy stakeholders. For how that same branded domain should actually look and behave once it reaches SMS, RCS, or Viber, see our per-channel branded link playbook.
What to do:
- Treat link format as part of campaign approval instead of just message design.
- Review short domains, HTTPS, redirects, and tracking parameters before registration or launch.

What a sender-dedicated 10DLC URL shortener means in practice
A sender-dedicated shortener is a short-link setup tied to one message sender, not a public domain shared by thousands of unrelated users. Under CTIA messaging guidelines, the core idea is clear: if you shorten links in SMS, the web address and supporting infrastructure should be dedicated to the sender.
The requirement exists because shared shorteners make accountability harder. If many brands, spammers, or bad actors can all send through the same public short domain, carriers cannot easily connect link reputation to one legitimate sender.
The CTIA principle: Dedicated sender identity
CTIA Messaging Principles and Best Practices do not treat link shortening as a purely cosmetic choice. The guidance expects message senders to use shorteners with a web address and IP space dedicated to that sender when embedded links are used.
Operationally, this points away from public shorteners and toward a branded short domain such as:
go.yourbrand.com/offer
or:
trk.yourbrand.com/order
Domains like these do two things at once. They show the recipient who owns the link and they give reviewers a clearer sender identity signal during campaign assessment.
💡 A public shortener does the opposite. A link like bit.ly/abc123 may be short indeed, but it does not prove that the destination belongs to your brand. It also inherits risk from every other sender using the same public infrastructure.
What dedicated web and IP space looks like operationally
Sender-dedicated does not mean every marketing team needs to build its own shortening engine from scratch. It means the visible domain and routing setup should be dedicated to your brand rather than pooled across unrelated senders.
A compliant setup usually includes:
- a custom short domain owned or controlled by the sender
- HTTPS enabled across the link journey
- redirect infrastructure that does not expose a public shortener domain
- a clear mapping between sender, domain, campaign, and destination
- governance over who can create links and which destinations are allowed
Take a look at how branded short links work for more on the technical setup. From the compliance perspective, the key question is: can a reviewer see that this short link belongs to the sender and not to a public link pool?
Scenario: Your sample message includes go.yourbrand.com/renew The reviewer can see a branded domain aligned with the sender. If the same sample uses tinyurl.com/renewal the link surface is no longer sender-dedicated, even if the final destination is legitimate.
What to do:
- Replace public shorteners with a branded short domain before 10DLC campaign submission.
- Keep the branded domain consistent across sample messages, production sends, and opt-out or account-related links.
💡 Takeaway: A sender-dedicated shortener does more than highlight your brand. It is the link format that keeps sender identity visible to recipients, reviewers, and carrier filtering systems.
10DLC compliance reality: Why public URL shorteners get rejected or flagged
Public URL shorteners create a direct 10DLC compliance problem because they obscure sender identity in campaign samples and live traffic. The Campaign Registry, or TCR, is the registration body used in the US A2P 10DLC ecosystem. If your sample messages include public shorteners, campaign approval can fail before launch.
Rejection code 30892: What it means and how to fix it
Rejection code 30892 is the specific TCR error associated with public URL shorteners or unsecured links in sample messages. It means the reviewer found a link pattern that does not meet 10DLC expectations.
A common scenario looks like this:
Your sample message says:
Your appointment is confirmed. Manage it here: bit.ly/abc123
The campaign is returned with code 30892 because the link uses a public shortener. The fix is not to explain that the final destination is safe but to replace the shortener with a branded, sender-dedicated domain and use HTTPS.
A corrected sample would look like:
Your appointment is confirmed. Manage it here: go.yourbrand.com/visit

💡 Before resubmitting, check every sample message. The short domain should match the brand or sender identity, use HTTPS, and avoid public shortening services entirely.
Carrier enforcement beyond registration
TCR approval is only one layer. Carrier filtering still matters after registration.
AT&T has prohibited public shorteners in bulk messaging because they can be used for URL cloaking. T-Mobile conduct rules also treat shared or suspicious URL behavior as a risk signal. Verizon participates in the same broader A2P ecosystem where sender identity, link reputation, and message content affect traffic treatment.
Replacing public shorteners is not just about passing the check. It also reduces the chance that live traffic is filtered, blocked, or treated as suspicious because the link domain is shared with unknown senders.
For broader security context, see secure links in SMS.
What to do:
- Remove bit.ly, tinyURL, and similar public shorteners from all 10DLC sample messages.
- Use a branded HTTPS short domain before registration and keep it consistent in production traffic.
💡 Takeaway: A public 10DLC URL shortener can fail at registration and continue to create carrier risk after launch. A branded sender-dedicated domain fixes the visible identity problem.
The EU angle: When branded links become tracking links
A branded short domain is not automatically a tracking technology. The EU privacy question starts when the link carries, stores, or resolves a user-level identifier that can connect a click to a specific person. At that point, GDPR and ePrivacy review become part of the campaign approval process.
At this point, link compliance moves beyond the US 10DLC URL shortener problem. In the US, the risk is mainly campaign rejection, carrier filtering, and sender identity. In the EU, the risk is whether the link is used to track a recipient in a way that requires consent, transparency, and a lawful basis.
EDPB Guidelines 2/2023: What changed for URL tracking
EDPB Guidelines 2/2023 clarify the technical scope of Article 5(3) of the ePrivacy Directive. The important point is that tracking is not limited to cookies.
URL tracking, pixels, local processing, and some identifier-based techniques can fall within the same privacy review logic when they store information on, or access information from, a user’s device.
For SMS and RCS campaigns, this starts to matter when a short link is personalized.
A generic campaign link such as:
go.brand.com/sale
is different from:
go.brand.com/sale?uid=12345
The first link points every recipient to the same campaign destination. The second may allow the sender to associate one click with one individual or subscriber record.
This changes the privacy posture of the campaign. The branded domain may look safer and clearer to the recipient, but the tracking design behind it still needs review.

When a token in your link becomes personal data
Under GDPR Article 4, personal data includes information that can identify a person directly or indirectly. A user-level token in a link can fall into that category if it connects the click to a known subscriber, customer, device, or account.
This is not to say that all analytics are off-limits. It means the design matters.
Lower-risk pattern:
go.brand.com/sale?utm_source=sms&utm_campaign=summer
Higher-risk pattern:
go.brand.com/sale?subscriber_id=12345
💡 A campaign-level UTM tells you which campaign drove traffic. A user-level token can tell you which recipient clicked. That is a materially different privacy question.
A safer analytics pattern is to avoid raw PII in URLs and use opaque tokens that are resolved server-side, with access controls, retention limits, and documentation. Even then, if the token can be mapped back to a person, treat it as privacy-relevant and involve your DPO or legal team.
Scenario: Your EU campaign uses a branded short link with a unique token per recipient. Marketing sees it as click attribution. Compliance sees it as URL-level tracking. Both are right. The campaign can still run, but the consent, disclosure, minimization, and retention model must be clear before launch.
What to do:
- Separate campaign-level analytics from user-level tracking in your link design.
- Avoid raw personal data in URLs and document how any token can be resolved, retained, and accessed.
💡 Takeaway: In the EU, the branded domain may solve trust and sender-identity issues, but user-level tracking inside the link still needs GDPR and ePrivacy review.
Compliance-safe analytics patterns
Branded link analytics can support campaign reporting without turning every click into unnecessary user-level tracking. The safer route is to collect what you need for performance analysis, avoid raw personal data in URLs, and document when a link can identify an individual.
For deeper reporting tactics, see our separate guide to branded link analytics.
Opaque tokens vs. raw PII
The main rule is simple: do not place raw personal data in the URL.
Avoid patterns like:
go.brand.com/offer?email=
or:
go.brand.com/offer?phone=15551234567
Those expose personal data in browser history, logs, analytics tools, screenshots, and downstream systems.
A safer design uses opaque tokens:
go.brand.com/offer?t=8f4a92
The token does not reveal the recipient’s identity on its face. It is resolved server-side by systems with access controls, retention limits, and auditability.
This does not remove privacy obligations. If your organization can map the token back to a person, it can still be personal data under GDPR analysis. But it is a better technical pattern than putting subscriber IDs, emails, or phone numbers directly into links.
| Link pattern | What it measures | Compliance posture |
|---|---|---|
| utm_campaign=summer | Campaign performance | Usually campaign-level analytics |
| subscriber_id=12345 | Individual recipient behavior | User-level tracking |
| Opaque token resolved server-side | Individual or cohort behavior, depending on design | Requires review, but avoids raw PII exposure |

Consent, minimization, and transparency
For EU campaigns, the safest operational approach is to separate three questions before launch.
1. What are you tracking? Campaign source, message variant, and channel are different from recipient-level behavior.
2. Why do you need it? Collect only what supports the stated campaign purpose.
3. What have you disclosed? If the link is used for recipient-level tracking, the privacy notice and consent model should reflect that. For jurisdiction-specific requirements, consult qualified legal counsel.
What to do:
- Use campaign-level UTMs where aggregate reporting is enough.
- Use opaque tokens instead of raw PII when recipient-level tracking is necessary.
- Document token purpose, access, retention, and consent basis before launch.
💡 Takeaway: Compliant link analytics starts with data minimization. Measure the campaign first, identify the person only when you have a clear reason and the right legal basis.
Governance checklist: What enterprise stakeholders want to see
Enterprise link governance is about proving that your SMS short domain is controlled, reviewed, and auditable. Marketing, compliance, IT, and security do not need the same details but they all need confidence that links cannot be created, changed, or tracked without oversight.
A practical governance checklist should cover:
- Sender identity: The short domain matches the brand or approved sender.
- Ownership: IT or security knows who controls the domain, DNS, and HTTPS setup.
- Access: Only approved users can create or edit links.
- Destinations: Links point to approved domains and are reviewed before launch.
- Tracking: Campaign-level UTMs and user-level tokens are documented separately.
- Retention: Click data and token mappings have clear retention rules.
- Opt-out paths: Unsubscribe or preference links are easy to identify and test.
- Audit trail: Link creation, edits, and redirects can be reviewed after the campaign.
If your branded domain also powers app deep links, the same governance model should extend to deferred deep linking destinations, not just web landing pages.
This is also where centralization starts to play a role. If each team uses its own shortener, governance becomes fragmented. If the shortener sits inside the messaging stack, the organization has one place to manage domains, redirects, tracking rules, and approval workflows.
For opt-out journeys specifically, see the separate guide to SMS opt-out links.
What to do:
- Assign ownership for domains, link creation, tracking design, and review.
- Keep one approved short-link process for all A2P campaigns.
💡 Takeaway: Governance makes branded links defensible – the domain is controlled, the tracking is documented, and the campaign team can explain every link before and after launch.
Keep your link policy ready before launch
A2P 10DLC compliance, CTIA messaging guidelines, and EU privacy review all point to the same operational rule: your SMS links need clear ownership, safe tracking, and a sender-dedicated domain.
MessageFlow supports custom branded short domains for messaging campaigns, helping you keep links recognizable, controlled, and ready for compliance review before launch.
FAQ – 10DLC URL shortener
No. Public URL shorteners such as bit.ly and tinyURL are not accepted in 10DLC campaign registration. If they appear in sample messages, the campaign can be rejected with code 30892. Use a branded, sender-dedicated short domain with HTTPS instead.
A sender-dedicated shortener uses a web address and supporting infrastructure tied to one message sender. In practice, that means a custom short domain such as go.yourbrand.com, not a public pooled domain used by unrelated senders.
Rejection code 30892 is a Campaign Registry error for sample messages that include public URL shorteners or unsecured links. The practical fix is to replace the public shortener with a branded HTTPS short domain and resubmit the campaign with corrected samples.
Not automatically. A plain branded link without a user-level identifier is different from a personalized tracking link. If the URL contains a token that can identify a recipient directly or indirectly, GDPR and ePrivacy review are needed. Consult qualified legal counsel for your jurisdiction.
Campaign-level UTMs, such as utm_source=sms, usually describe the campaign rather than the individual recipient. User-level parameters, such as subscriber_id or uid, are different because they can identify a person. Use aggregate UTMs where possible and review personalized tokens carefully.
If your branded domain also powers app deep links, the same governance model should extend to deferred deep linking destinations, not just web landing pages.At registration, your 10DLC campaign can be rejected. In live traffic, messages with public shorteners may face carrier filtering or blocking because shared domains are associated with cloaking and abuse. A branded sender-dedicated domain gives reviewers and carriers a clearer identity signal.