by obuda 1765 days ago
Another idea is to have 3 links, where only one is visible:

  https://example.com/token?forBots
  https://example.com/token
  https://example.com/token?forBots
Hopefully any automated systems will open the first or last link first, so that you can save the request info and filter based on that. In case requests come out of order, you can always add a small delay to the "human" link before responding.

I haven't yet gotten to implementing any of the authentication on my current project, so I might be missing something really basic.

The next best thing is to set a cookie when requesting the magic link, but the downside (or upside?) is that it will be valid only for the browser it was requested with.

1 comments

No link in an email should perform an action on its own. Every link should lead to a confirmation button, at minimum. Too many services automatically open all the links in emails.
Tons of services send a verification link after registration, and when you click the link you are taken to a page that says "You're verified."

But in those cases there may be an automatic POST after you travel to the link, so it wouldn't be triggered by gmail looking up the url.

This may be for the purpose of ensuring the email address itself is deliverable. You don't want someone to sign up with random garbage, then try sending notifications, newsletters, etc. to it; I believe doing so can affect domain reputation.

For this use-case, it seems like even an automated link click would be a good signal of a deliverable email address.

Not just deliverable, but also that it's correct. There's a lot of people who think that my {firstname}{lastname}@gmail.com email address is their own. If they try to register it somewhere, a verification email stops them from completing the registration.
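
An added sketch, not part of the thread or any commenter's code, combining the hidden `?forBots` decoy from the top post with the confirmation-button rule from the reply: a GET never consumes the token, and a client that fetched the decoy is ignored. The `MagicLinks` class, the `client_id` value (for example source IP plus User-Agent) and the 15-minute lifetime are assumptions.

```python
import secrets
import time

TTL_SECONDS = 15 * 60  # assumed token lifetime


class MagicLinks:
    """In-memory sketch: GET never logs anyone in, only POST consumes a token."""

    def __init__(self):
        self.tokens = {}    # token -> (email, expiry timestamp)
        self.scanners = {}  # token -> client ids that fetched the hidden decoy

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, now + TTL_SECONDS)
        self.scanners[token] = set()
        return token

    def handle_get(self, token, query, client_id):
        """Return (status, body) for GET /<token>?<query>; login state is untouched."""
        if token not in self.tokens:
            return 404, "unknown link"
        if query == "forBots":
            # Hidden decoy link: only automated link openers should reach it.
            self.scanners[token].add(client_id)
            return 204, ""
        if client_id in self.scanners[token]:
            return 200, "nothing to do"  # same client already hit the decoy
        return 200, "<form method='post'><button>Confirm sign-in</button></form>"

    def handle_post(self, token, client_id, now=None):
        """Consume the token once; return the e-mail it logs in, or None."""
        now = time.time() if now is None else now
        entry = self.tokens.get(token)
        if entry is None or client_id in self.scanners[token]:
            return None  # unknown/used token, or a flagged scanner: no state change
        email, expiry = entry
        del self.tokens[token]  # single use, even when it turns out to be expired
        self.scanners.pop(token, None)
        return email if now <= expiry else None
```
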