by atoav 1 day ago
One thing I have learned about verification is:

Don't just put a link into your mail that directly verifies an email when visited. At least put some button or code input field there.

Why? There are mail clients that automatically open links for users, and if that link is then invalid, the user is confused about being able to click it.

2 comments

Or, even easier, just make the call idempotent. The user doesn’t know anything and doesn’t have extra clicks, and it doesn’t matter much if the mail client actually did the “confirming” given it’s proven the email address is valid at that point.

The token was recently used? No problem! Must be a duplicate click, or a refresh, or the user left the browser tab open and their mobile device refreshed when they reopened the browser app, etc.

You don't send confirmation links just to prove the address is valid.
Also, much more critically: just because mail is successfully delivered does not mean it is in the right inbox. So just a link being visited by automation is far from enough to confirm that the right person received the mail.
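The three points in this thread (a button rather than a bare link, an idempotent confirm step, and not treating an automated link visit as proof) can be combined in one endpoint design. The following is an added example, not code from any commenter: the GET handler only renders a confirm button and is side-effect free, so a link-prefetching mail client cannot consume or invalidate the token, while the POST handler does the actual confirmation and returns the same success on repeated submissions. The token store, function names and the 24-hour TTL are constructed assumptions for illustration.

```python
import hashlib
import secrets
import time

# Constructed in-memory store; a real deployment would use a database.
TOKEN_TTL_SECONDS = 24 * 3600
_pending = {}    # token_hash -> {"email", "expires", "confirmed_at"}
_verified = set()


def _hash(token):
    # Persist only a hash of the token so a leaked store cannot be turned into usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(email, now=None):
    """Create a single-purpose verification token for an email address and return it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_hash(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
        "confirmed_at": None,
    }
    return token


def _lookup(token, now):
    rec = _pending.get(_hash(token))
    if rec is None or now > rec["expires"]:
        return None
    return rec


def handle_get(token, now=None):
    """GET /verify?token=... : safe and side-effect free.

    Mail clients that prefetch or auto-open links only ever reach this handler,
    so nothing is consumed here; the user just sees a confirm button.
    """
    now = time.time() if now is None else now
    rec = _lookup(token, now)
    if rec is None:
        return {"status": 404, "body": "This link is invalid or has expired."}
    return {"status": 200,
            "body": '<form method="post"><button>Confirm email</button></form>'}


def handle_post(token, now=None):
    """POST /verify : the deliberate click that actually confirms.

    Idempotent: a refresh, a duplicate click or a re-opened tab re-sends the
    same token and gets the same success response instead of an error.
    """
    now = time.time() if now is None else now
    rec = _lookup(token, now)
    if rec is None:
        return {"status": 400, "body": "This link is invalid or has expired."}
    if rec["confirmed_at"] is None:        # first confirmation: record it once
        rec["confirmed_at"] = now
        _verified.add(rec["email"])
    return {"status": 200, "body": f"{rec['email']} is confirmed."}


def is_verified(email):
    return email in _verified


if __name__ == "__main__":
    tok = issue_token("alice@example.com")
    print(handle_get(tok)["status"], is_verified("alice@example.com"))    # 200 False
    print(handle_post(tok)["status"], is_verified("alice@example.com"))   # 200 True
    print(handle_post(tok)["status"])                                      # 200 (idempotent)
```

Because the GET path never changes state, an automated visit proves nothing and breaks nothing; only the POST from a real browser session marks the address verified, and repeating that POST is harmless.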