Trusting whois data isn't a good idea. With most registrars you can write into those fields whatever you want. Just because a domain tells you it belongs to someone, doesn't actually mean that it belongs to this person.

Well, yeah, it's generally a first step — last few cases were Kickstarter-related campaign stuff, so I could look for evidence that they actually sent it, and then hope it's actually that thing. But this just goes further to illustrate that this is a really bad idea — there is good way to validate such an email.

It's rarely up to a developer. For websites with large email campaigns there's usually a third party system, which has some link tracking feature. And guess what, your marketing department is using it, and they don't want to switch to your custom one (which will take a few months to code, debug, implement all kinds of reporting compatible with what they do now).

In this case one could simply write a script that forwards the request from your own domain to the third party system. It could be done on the server in such a way that the user would never leave your own domain:

1. User clicks http://links.example.com/?redirect=example.com/reset_passwor...

2. The server running on links.example.com makes a request to the third party web server

3. The server redirects the user to http://example.com/reset_password

If doing this, it'd be critical to ensure the redirection script only redirects to example.com, otherwise a phisher could use it. Probably safer to have it only take a path actually

If the server running on links.example.com, wouldn't the 3rd party web server lose out on doing things like setting cookies in the client's browser or determining their rough location via IP address?

Not that I'm particularly a fan of either practice, but there's probably some use cases there that would have to be accounted for in some way that the 3rd party service could accommodate.

If that were needed perhaps links.example.com could display an iframe containing the third party site.

I agree that neither approach is ideal, but it would prevent users from receiving third party links in their emails.

Those cookies would be blocked for browsers with 3rd-party cookies disabled, and Firefox is making that option the default at some point in the near future.

Going to mkt5371.com (the domain in the tracked link) gives you a static landing page with a abuse@silverpop.com contact. This tells me one of two things:

1) Silverpop doesn't have an option to disable tracking for specific links included in emails sent from their system or

2) The person creating the email failed to take advantage of this feature.

If Evernote wanted to take advantage of this feature on purpose in order to determine what percentage of their userbase has reset their password, then I'm baffled why they decided to trust a 3rd party lead management system instead of the updated_at fields in their database.

Either way, the whole point of purchasing Silverpop is that you can avoid having to code your own solution.

You would have to know the URL on the third party server to redirect to. And usually, you don't, because they are generated internally by some pre-processor.

Why can't you automagically redirect from mkt5371.evernote.com/anything to links.evernote.mkt5371.com/anything ?

Better yet, simply point your DNS "passwordreset.evernote.com" to the same server.

Because you don't know what that "/anything" is, only your mailing system does, and it converts links in your email template to these mkt5371-type links right before it sends out the email.

Why do I need to know anything at all about the link structure beyond the domains?

If the user requests (from a link in the mail) "mkt5371.evernote.com/foo123", redirect to "links.evernote.mkt5371.com/foo123"; If they request "/bar456?id=asdask", redirect to the same query under the mailer's domain.

I would have believed you if I weren't working for a website with large emails campaigns. And this comment wasn't even aimed at "the developer", not really — but at anyone involved in decisions like this.