Well, this is concerning.
Going to have to adjust my end-luser instructions, for sure.
Just spitballing here, maybe the right answer is to stop assuming that bog-standard email is secure in any serious sense of the word. That would require notifications through another channel.
Since we are forcing MFA apps with Touch ID support on a wide scale (yay!) I suppose magic codes via an app might be viable.
One I have in mind is designed for two-way comms with the originating server - press button on phone, you’re in. Would be fairly trivial to utilize that (marginally more secure if all actors trusted) for “Hey I’m a legit site!” notifications. Just something off the top of my head ’cause the current paradigm isn’t working.
I’m not even sure how you’d frame this to users beyond “just don’t trust any links in the email”. Sounds like we might just need to accept the fact that email is unreliable. :/