
I am working as a data analyst. We had some cases where we were called to fix issues from other agencies.

The clients had form data being sent as GET requests, and from there email addresses and even more personal data in the URL (street, date of birth, and even more) were being transmitted into the analytics tools and also into marketing tools.

Regarding GDPR, this is a breach and needs to be communicated to officials as well as the people affected.

Even a bank was affected by this type of implementation when customers wanted to open an account or make a loan application.



HTTP 101: do not transfer anything you don't want 'cached' as a GET request. Not only that, but some browsers will pre-emptively send GET requests or retry them so you'd have the double headache to worry about duplicate requests on the server-side.

It shouldn't require much experience to know when to use POST or some other HTTP verb - banks certainly have no excuse.


Email 101: Clickable links in emails are always GET, so extra parameters are set in the query string.

Marketing 101: User actions should take as few clicks as possible, so the action should be performed as soon as the user clicks the (GET) link.


> Marketing 101: User actions should take as few clicks as possible, so the action should be performed as soon as the user clicks the (GET) link.

Nope, some email clients might prefetch URLs in email for various reasons. You should absolutely NOT do this (unless you are deceitfully trying to game your engagement metrics). The only case where you might be able to get away with it is when the user has an active login session that you can verify prior to performing the action.


In the case of email, the sender already knows your email address and so should have no need to put it in the URL. The URL should only have some long random or pseudorandom identifier that has no meaning to anyone but them.
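
Added example, not part of the thread: a minimal sketch of the two points made in the comments above, an email link that carries only an opaque random token, and a GET handler that has no side effects so prefetchers cannot trigger the action. The host `example.test`, the `/a/` path, the in-memory stores and the function names are all assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed in-memory stores; a real service would use its database.
_tokens = {}          # sha256(token) -> {"email", "action", "used"}
unsubscribed = set()  # addresses on which the action was performed


def _digest(token):
    # Store only a hash so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(email, action="unsubscribe"):
    """Build the link for an email: the URL holds no personal data."""
    token = secrets.token_urlsafe(32)  # 256 random bits, meaningless to third parties
    _tokens[_digest(token)] = {"email": email, "action": action, "used": False}
    return f"https://example.test/a/{token}"


def handle(method, url):
    """Return (status, body). GET never changes state; only POST acts."""
    token = url.rsplit("/", 1)[-1]
    entry = _tokens.get(_digest(token))
    if entry is None or entry["used"]:
        return 404, "unknown or expired link"
    if method == "GET":
        # Mail-client prefetch and link scanners end up here: show a
        # confirmation form and do nothing else.
        form = (f'<form method="post" action="/a/{token}">'
                f'<button>Confirm {entry["action"]}</button></form>')
        return 200, form
    if method == "POST":
        entry["used"] = True  # single use
        unsubscribed.add(entry["email"])
        return 200, "done"
    return 405, "method not allowed"


if __name__ == "__main__":
    link = issue_link("alice@example.test")  # constructed address
    print(link)
    print(handle("GET", link)[0], unsubscribed)   # prefetch: no state change
    print(handle("POST", link), unsubscribed)     # explicit confirmation
```

Analytics and marketing scripts on the confirmation page see only the token in the URL, and repeated or retried GETs leave the stored state untouched.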



