Almost every list of security recommendations includes some advice telling users to hover over a link in an e-mail to make sure it goes to the intended place, especially for sensitive e-mails like banks or that may ask for credentials. So, why do so many mail-sending services break this? Not only do they use links that don't match, I've seen several that use domains that look like outright scams.
I understand wanting to track clicks and e-mail opens but there needs to be a little sanity here. Take this example from a Twilio "your account has a ToS update" e-mail I just received:
- The text says the URL is "www.twilio.com/legal/tos"
- The actual (modified by me to be generic) URL is: http://s815114181.t.en25.com/e/er?s=987654321&lid=0011&elq=123456789012345678901234567890ab
Why on Earth would we want users to click a link that looks like that? Why not at least use a link that is the same as the actual link but with query parameters or, even better, why track the clicking of this link at all?
often the systems that send these emails incorporate an analytics service. query parameters would require an integration with the site's traffic log. privacy implications for site owners
why
- Disconnect between those who care about security and those who engineer marketing email systems.
- analytics is useful (a/b testing), especially in internet marketing