Almost every list of security recommendations includes some advice telling users to hover over a link in an e-mail to make sure it goes to the intended place, especially for sensitive e-mails such as those from banks or any that ask for credentials. So, why do so many mail-sending services break this? Not only do they use links whose destination doesn't match the visible text; I've seen several that use domains that look like outright scams.
I understand wanting to track clicks and e-mail opens, but there needs to be a little sanity here. Take this example from a Twilio "your account has a ToS update" e-mail I just received:
- The text says the URL is "www.twilio.com/legal/tos"
- The actual URL (modified by me to be generic) is: http://s815114181.t.en25.com/e/er?s=987654321&lid=0011&elq=123456789012345678901234567890ab
Why on Earth would we want users to click a link that looks like that? It fails exactly the check the hover advice teaches: the text says twilio.com, the link goes to an unrelated host, and over plain HTTP at that. Why not at least use a link on the same domain as the real destination, with the tracking identifiers in the query string, or, better still, not track clicks on a terms-of-service notice at all?
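The hover check described above can be done mechanically over an HTML e-mail body: collect every anchor, and wherever the visible link text itself looks like a hostname or URL, compare its domain with the domain of the href. The script below is an added example, not code from the post or from Twilio or its mail provider; the e-mail fragment it parses is constructed for the example, with the second anchor reproducing the text/href pattern quoted above. The `base_domain` helper is a deliberate simplification (last two labels) that a real scanner would replace with a public-suffix-list lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an HTML e-mail body (not a real message). The first anchor
# reproduces the pattern from the post: the text names one site, the href points
# at an unrelated click-tracking host over plain HTTP.
SAMPLE_EMAIL_HTML = """
<p>Review the update at
<a href="http://s815114181.t.en25.com/e/er?s=987654321&amp;lid=0011&amp;elq=123456789012345678901234567890ab">www.twilio.com/legal/tos</a>.</p>
<p>Sign in at <a href="https://www.example.com/login">www.example.com/login</a>.</p>
<p><a href="https://tracker.example.net/c?id=42">Click here</a> to unsubscribe.</p>
"""

# Visible text that a reader would take to be an address: optional scheme,
# a dotted hostname, optional path/query/fragment, nothing else.
_HOSTLIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")  # attribute values are already unescaped
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Lowercased hostname named by a URL or by a bare 'www.host/path' string."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlsplit(url_like).hostname or "").lower()


def base_domain(host):
    """Crude registrable domain: the last two labels. Simplification for this example;
    a production check should consult the public suffix list (this treats 'co.uk' as a domain)."""
    return ".".join(host.split(".")[-2:])


def audit_links(html):
    """Return one finding per anchor. 'mismatch' is set when the visible text looks like an
    address and its domain differs from the href's; 'plain_http' when the href is not HTTPS."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        m = _HOSTLIKE.match(text)
        text_host = m.group(1).lower() if m else None
        href_host = host_of(href)
        findings.append({
            "text": text,
            "href": href,
            "text_host": text_host,
            "href_host": href_host,
            "mismatch": text_host is not None and base_domain(text_host) != base_domain(href_host),
            "plain_http": urlsplit(href).scheme.lower() == "http",
        })
    return findings


def flagged(html):
    """Only the anchors a hover check would reject: text/host mismatch or an unencrypted hop."""
    return [f for f in audit_links(html) if f["mismatch"] or f["plain_http"]]


if __name__ == "__main__":
    for f in flagged(SAMPLE_EMAIL_HTML):
        print(f"text={f['text']!r} text_host={f['text_host']} href_host={f['href_host']} "
              f"mismatch={f['mismatch']} plain_http={f['plain_http']}")
```

Anchors whose text is a phrase ("Click here") are not compared, since there is nothing for the reader to verify against; the check only catches the case the post complains about, where the sender tells the reader one address and sends them to another.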