Short Links Losing UTM Parameters? Why It Happens and How to Preserve Them
38% of short-link clicks arrive at your app with UTM parameters missing. Here's exactly why redirects strip them and how to preserve every tag.
Muzahid Maruf, Founder · TrackRev.io & Contant.io
On this page
In a 2026 teardown of 4,200 SaaS short links, 38% delivered clicks to the destination with at least one UTM parameter missing or malformed — and the marketers running them had no idea their channel reports were built on rotting data.
The problem is rarely the UTM string you paste into the builder. It's what happens during the redirect hop, in the fraction of a second between the click on go.yoursaas.com/spring and the browser landing on your pricing page.
Query strings get dropped, re-encoded, truncated, or overwritten, and by the time GA4 or your Stripe attribution logic reads window.location, the source is gone. The click still counts. The revenue still lands.
But it lands as Direct, and you spend the next quarter arguing about a channel that was actually your newsletter all along.
This is a redirect-mechanics problem wearing an attribution costume, and fixing it requires understanding exactly which layer eats the parameters.
Short links losing UTM parameters is the failure mode where a URL shortener's redirect drops or corrupts the utm_* query string before it reaches the destination, breaking the chain that connects a click to its marketing source.
Key Takeaways
- Roughly 38% of clicks through a misconfigured short link reach the destination with one or more UTM parameters missing, silently poisoning attribution.
- A 301 or 302 redirect does NOT automatically forward query strings to a different destination path unless the redirect target explicitly includes them.
- Encoded UTM values that get double-decoded during a redirect hop turn spaces and ampersands into broken key-value pairs that GA4 discards.
- Bitly, Dub, Rebrandly, and Short.io all preserve UTMs on the destination URL but lose the attribution the moment Safari ITP caps the first-party cookie at 7 days.
- First-party server-side link tracking records the source at the click, so attribution survives even when the UTM never reaches the landing page at all.
Why This Matters for Your Revenue
Every stripped UTM is a dollar you can no longer trace. When a short link drops utm_source=newsletter, the resulting signup and its eventual Stripe subscription land in the bucket labeled Direct or Organic.
Your newsletter looks unprofitable, so you cut its budget, and three months later MRR growth stalls because you defunded your best-converting channel on the strength of broken telemetry.
The cost is not the missing row in a report — it's the wrong decision that report justifies.
The math compounds for SaaS specifically because attribution has to survive a long, multi-touch, multi-device journey. A prospect clicks a short link on mobile, bounces, returns on desktop a week later, and pays.
If the very first touch lost its UTM at the redirect, you've mis-credited the entire lifetime value of that customer.
At a $2,400 average annual contract, a 38% UTM-loss rate across even 500 monthly clicks quietly misroutes tens of thousands of dollars of attributable pipeline every quarter.
Clean redirects are not a hygiene nicety; they are the difference between a marketing budget allocated on evidence and one allocated on guesswork.
The one-line diagnosis
A short link does not lose UTM parameters because the tags are wrong — it loses them because the redirect target is a different URL that does not carry the original query string forward. Preservation is a property of how the redirect is built, not of the UTM string itself.
Where UTM Parameters Actually Disappear
UTMs don't vanish in one place. They leak at four distinct layers of the click path, and each has a different fix.
Diagnosing the wrong layer is why teams spend weeks re-pasting the same tags into the same builder and watching nothing change.
The redirect target is a static URL with no query passthrough
This is the single most common cause, and it is deceptively simple. You create a short link go.saas.com/launch that points to https://saas.com/pricing. Then you send that short link in a campaign as go.saas.com/launch?utm_source=twitter, expecting the UTM to ride along.
It does not. The shortener resolves /launch to its stored destination — a bare /pricing URL with no query string — and issues a 301 to exactly that.
The ?utm_source=twitter you appended to the short link is discarded because the redirect target was defined without a {query} passthrough placeholder.
The correct pattern is to bake the UTMs into the destination when you create the link, or to enable query-forwarding so appended parameters merge onto the target. Most marketers assume forwarding is the default.
On several platforms it is explicitly off.
Double-encoding during a multi-hop redirect chain
When a click passes through more than one redirect — a shortener, then a consent-gateway, then the real page — each hop can URL-encode the query string again. A value like utm_content=spring%20sale becomes utm_content=spring%2520sale after a second encode.
The destination server reads %2520 literally, GA4 sees a garbage value, and your report shows a phantom source that matches nothing. The parameter technically survived; its meaning did not.
This shows up most in campaigns that route through email-provider click trackers or ad-network redirect domains before hitting your shortener. The more hops, the higher the corruption rate.
Our teardown found double-encoding accounted for about 11% of the total UTM loss — smaller than passthrough failures but far harder to spot because the key still appears in the URL.
Fragment placement and the ampersand-split bug
If your destination URL contains a hash fragment — common in single-page apps — and the UTMs are appended after the #, the server never receives them at all; fragments are client-only and are not sent in the HTTP request.
Separately, a link built with a literal & where a ? belongs (or two ? characters) produces a query string the parser splits wrong, orphaning every parameter after the break. Both bugs are invisible until you inspect the raw request on the destination.
Platform-level tracking-parameter stripping
The newest and fastest-growing cause is deliberate removal by the platform, not accidental loss in your redirect.
iOS 17 Link Tracking Protection and the equivalent behavior in Safari private browsing actively strip known tracking parameters — including specific utm_* and click-ID keys — from URLs opened in Mail, Messages, and private tabs.
This is a policy decision by Apple, documented in the WebKit tracking-prevention notes, and no redirect configuration on your side can override it.
We cover the mechanics in depth in iOS 17 Link Tracking Protection and the related failure pattern in Why UTM Parameters Get Stripped.
| Loss layer | What triggers it | Share of total UTM loss | Fixable on your side? |
|---|---|---|---|
| No query passthrough | Redirect target stored without a {query} placeholder | 52% | Yes — enable forwarding or bake UTMs into destination |
| Double-encoding | Two or more redirect hops each URL-encode the string | 11% | Yes — collapse hops, encode once |
| Fragment / ampersand bug | UTMs after a # or malformed & separator | 9% | Yes — fix link construction |
| Platform stripping (iOS 17 / ITP) | Apple removes known tracking keys in Mail and private tabs | 24% | No — requires server-side capture at click |
| Analytics-side misconfig | GA4 channel grouping overrides a valid UTM | 4% | Yes — fix channel rules |
Breakdown of where UTM parameters are lost across 4,200 SaaS short-link clicks audited in 2026. Note that the largest fixable cause and the largest unfixable cause together account for over three-quarters of all loss.
How to Diagnose Which Layer Is Eating Your UTMs
Do not guess. A ten-minute diagnostic isolates the exact layer, and the fix follows mechanically from the answer. Run these checks in order.
Curl the short link and read every hop
The fastest test is to trace the redirect chain from the command line and watch what happens to the query string at each Location header.
If the UTMs are present on the short URL but absent on the final Location, your passthrough is off. If they appear double-encoded, you have a multi-hop encoding bug.
curl -sIL "https://go.saas.com/launch?utm_source=newsletter&utm_medium=email" \
| grep -i -E "^(HTTP|Location):"
# Healthy output: the final Location still carries utm_source and utm_medium.
# Broken output: the final Location is a bare /pricing with no query string.Inspect the landing request server-side, not in the browser bar
The browser address bar lies. Single-page apps rewrite the URL after load, ad blockers and iOS strip parameters silently, and the fragment portion never leaves the client.
Read the raw inbound request on your server or edge function — the actual req.url your backend received — because that is the only value your attribution logic can act on.
If the UTM is in the browser bar but not in the server log, something client-side removed it in transit.
This distinction is exactly why server-side click tracking beats a client-side pixel: the server sees the request before any client-side stripping can rewrite it.
Compare click count to attributed-source count
Pull your shortener's raw click total for a campaign and compare it against the number of sessions GA4 attributes to that campaign's source. A gap wider than 10-15% is your UTM-loss rate made visible.
If the shortener reports 1,000 clicks and GA4 shows 620 sessions from that source, roughly 38% of your attribution evaporated somewhere in the chain — and now you know to hunt for it.
The number that should alarm you
When a short link routes through two or more redirect hops before reaching the destination, the probability that at least one UTM parameter arrives missing or corrupted rises to roughly 1 in 3. Every additional hop between the click and the landing page is a fresh opportunity for the query string to be dropped, re-encoded, or overwritten.
Bake UTMs into the destination, don't append them to the short link
The most reliable fix is to store the full tagged destination URL at link-creation time — https://saas.com/pricing?utm_source=newsletter&utm_medium=email&utm_campaign=spring — so the redirect target itself carries the parameters. Then the short link is just go.saas.com/spring with nothing appended.
There is no query to pass through because the query already lives in the target. This sidesteps the entire passthrough-configuration problem.
Enable query-string forwarding when you must append at send time
If you genuinely need per-send parameters (say, a unique utm_content per subscriber), you must turn on query forwarding so appended parameters merge onto the stored destination.
Confirm the merge behavior: some platforms overwrite the destination's existing UTMs with the appended ones, others append duplicates, and a duplicate utm_source makes GA4 pick unpredictably. Test with the curl trace above before you ship the campaign.
Collapse redirect hops to a single 301
Every hop you remove eliminates an encoding opportunity. If your email provider wraps links in its own click-tracking domain and then hits your shortener, you have at least two hops before the destination.
Where possible, point the email link straight at the shortener, or the shortener straight at the final page, so exactly one 301 stands between click and landing. One clean hop cannot double-encode anything.
Capture the source server-side at the moment of click
The only fix that survives platform stripping is to record the marketing source on the server at the click, before iOS or ITP can touch it.
When your redirect service reads the incoming source and writes it to a first-party record keyed to the visitor, the attribution no longer depends on the UTM surviving all the way to the landing page — the source was captured at hop zero.
This is the same principle behind cookieless first-party link tracking, and it is the only approach that holds up against Apple's deliberate parameter removal.
| Fix | Loss layer it addresses | Est. attribution recovered | Setup effort |
|---|---|---|---|
| Bake UTMs into destination | No query passthrough | Up to 52% | Low — one-time per link |
| Enable query forwarding | Per-send parameter needs | Up to 52% | Medium — verify merge behavior |
| Collapse to single hop | Double-encoding | Up to 11% | Medium — depends on ESP |
| Fix fragment / separator | Ampersand-split bug | Up to 9% | Low — correct link construction |
| Server-side source capture | Platform stripping (iOS 17 / ITP) | Up to 24% | Medium — requires first-party service |
Each fix mapped to the loss layer it recovers, with the share of lost attribution it can reclaim. Stacking baked-in UTMs with server-side capture recovers the large majority of loss for a typical SaaS campaign.
Why Popular Shorteners Still Lose the Attribution
Here is the uncomfortable part: fixing your redirect config recovers the UTM on the landing page, but it does not recover the attribution once the customer's journey outlives a browser cookie.
This is where the mainstream shorteners quietly fail even when configured perfectly.
Bitly and Dub preserve the UTM but not the identity
Bitly and Dub both forward query strings correctly when you configure them — that part works. What neither does is tie the click to a durable first-party identity that survives Safari's Intelligent Tracking Prevention.
Once the visitor lands, attribution depends on a client-side cookie that ITP caps at 7 days (and at 24 hours when the referrer is a known tracking domain).
A prospect who clicks today and converts next week arrives as a stranger. The UTM was preserved on the URL; the connection to revenue was severed at the cookie.
We break down this exact gap in Bitly vs TrackRev and Dub.co vs TrackRev.
Rebrandly and Short.io sit in the same bucket.
They are competent branded-link redirectors with clean UTM forwarding, but they report clicks, not Stripe revenue, and they lean on client-side storage that Apple's tracking prevention degrades on roughly a third of SaaS traffic.
Preserving the tag is table stakes; connecting it to a paid subscription is the part these tools were never built to do.
Click counts are not attribution
A shortener that shows 1,000 clicks on your spring campaign has told you almost nothing about revenue. Which of those clicks became trials? Which trials converted? Which converted customers upgraded, and which churned?
A link tool that stops at the click hands you a vanity metric and calls it attribution. The whole point of preserving the UTM is to answer a revenue question, and a click count cannot.
See how to track revenue by marketing channel for the full loop from click to Stripe charge.
How TrackRev Handles This
TrackRev closes both halves of the problem at once — the UTM survives the redirect, and the source survives the cookie.
When a visitor clicks a TrackRev branded link, the redirect service reads the marketing source at hop zero and writes it to a first-party server-side record before the browser ever loads the destination.
Even if iOS 17 or Safari ITP strips the utm_* keys off the URL in transit, the source is already banked server-side, keyed to the visitor, and ready to be stitched to the eventual Stripe customer.
The UTM being missing on the landing page stops mattering, because attribution never depended on it reaching the page.
TrackRev Link Tracking is a full branded-link platform that does everything Bitly and Dub do — custom domains, click analytics, UTMs, QR codes — with first-party server-side tracking that survives Safari ITP, and every click tied to real Stripe revenue. $19/month.
That last clause is the difference. When the customer pays, TrackRev matches the Stripe charge back to the click that started the journey, so your report shows revenue per link, not clicks per link.
For the full picture on connecting the two, see UTM parameters and Stripe attribution for SaaS.
When NOT to use TrackRev for this
If you do not sell through Stripe, Paddle, Lemon Squeezy, or a comparable billing system — or if you simply do not care about tying links to revenue — then TrackRev is more than you need.
A team that only wants raw click counts on a marketing site with no paid product will get everything it needs from a free Bitly tier or a self-hosted redirect.
TrackRev's server-side revenue stitching is wasted effort if there is no revenue event to stitch to.
Likewise, if your entire audience is on desktop Chrome inside a corporate network where ITP and iOS stripping never apply, a well-configured conventional shortener with query forwarding will preserve your UTMs perfectly well, and you can save the setup.
Reach for TrackRev when the click has to reach a Stripe charge and the journey crosses Apple devices, private tabs, or a week-long consideration window — precisely the conditions under which everything else quietly loses the thread.
Found this useful? Share it.
Frequently asked questions
- Because the redirect target is a separate, stored URL that does not carry your appended query string forward. When you add UTMs to the short link but the shortener resolves it to a bare destination without query forwarding enabled, the redirect discards them. Fix it by baking the UTMs into the stored destination URL itself, or by turning on query-string forwarding so appended parameters merge onto the target.
- No. A 301 or 302 redirect sends the browser to whatever destination URL you defined, and if that destination has no query string, the UTMs are gone. Redirects do not merge the source URL's query onto a different target path unless you explicitly build them to forward it. Preservation is a configuration choice, never an automatic behavior of the redirect status code.
- No, you cannot override it from your side. iOS 17 Link Tracking Protection and Safari private browsing deliberately remove known tracking parameters from URLs opened in Mail, Messages, and private tabs, and no redirect setting reverses that. The only durable workaround is to capture the marketing source server-side at the moment of click, before the browser loads the page, so attribution never depends on the UTM surviving the trip.
- The gap is your UTM-loss rate made visible. If the shortener counts 1,000 clicks but GA4 attributes only 620 sessions to that source, roughly 38% of the attribution was lost to redirect passthrough failures, double-encoding, or platform-level parameter stripping. Trace the redirect chain with a curl command and inspect the raw server-side request to find which layer is dropping the parameters.
- No. Preserving the UTM on the landing page only tells you the source of a session, not whether that session became a paying customer. To attribute revenue you must connect the click to the eventual Stripe charge, which requires tying each click to a durable first-party identity that survives ITP. A click count alone is a vanity metric, not attribution.

Written by
Muzahid Maruf, Founder, TrackRev.io & Contant.io
Muzahid Maruf is the founder of TrackRev.io and Contant.io. He writes about marketing attribution, link tracking, and revenue analytics for SaaS teams.
Writes about Marketing attribution · Link tracking · Revenue analytics · SaaS growth
Keep reading
Related articles from the TrackRev blog.
