Lots of schools and companies do this; I understand why, but it makes it hard to communicate with people at such institutions.
Disclaimer: Involved in building these sorts of systems so I can go on about a lot (though not as much detail as I'd like).
At this point, most security vendors that handle email do this (or offer it). The main reason for re-writing is it's device independent. A browser plugin only gets you so far, and doesn't handle modern needs where devices that have mail access will be unmanaged.
The tradeoff is yeah, the URLs are ugly. There's a balance between highlighting where the URL goes, embedding the info necessary for redirects, preventing redirect abuse, per user policy, etc.
In the end, it's all really about buying time. At mail delivery time, you can only get some % of threats. Given there's a gap between delivery and click time, you can use that to your advantage and at least prevent some % of the user base being exposed to bad stuff.
On top of it all, you have all sorts of edge cases like what to do with things that aren't URLs, but mail clients turn into clickable links. What about URLs in attachments? \o/ Time to run away.
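The delivery-time rewrite and click-time check described in the comment above, sketched as an added example that is not part of the thread or any vendor's code. The gateway URL, the key and the blocklist are constructed assumptions; the signature is what keeps the redirector from being abused as an open redirect.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

KEY = b"constructed-demo-key"             # assumption: secret held only by the gateway
GATEWAY = "https://links.example.test/c"  # assumption: hypothetical redirector endpoint
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _sign(target: str) -> str:
    # 128-bit truncated HMAC-SHA256 over the original destination
    return hmac.new(KEY, target.encode(), hashlib.sha256).hexdigest()[:32]

def rewrite(target: str) -> str:
    """Delivery time: wrap one URL, keeping the destination host readable."""
    host = urlsplit(target).hostname or "unknown"
    blob = base64.urlsafe_b64encode(target.encode()).decode()
    return f"{GATEWAY}/{host}/{blob}/{_sign(target)}"

def rewrite_body(body: str) -> str:
    """Rewrite every http(s) URL found in a plain-text message body."""
    return URL_RE.sub(lambda m: rewrite(m.group(0)), body)

def resolve(link: str, blocked_hosts: set) -> tuple:
    """Click time: verify the link, then apply the verdict known *now*."""
    prefix = GATEWAY + "/"
    if not link.startswith(prefix):
        return ("reject", None)
    try:
        host, blob, sig = link[len(prefix):].split("/")
        target = base64.urlsafe_b64decode(blob).decode()
    except ValueError:                    # bad field count, base64 or UTF-8
        return ("reject", None)
    # Unsigned or altered destination: refuse to redirect at all.
    if not hmac.compare_digest(sig.encode(), _sign(target).encode()):
        return ("reject", None)
    # The readable host label must match the signed destination.
    if host != urlsplit(target).hostname:
        return ("reject", None)
    if host in blocked_hosts:             # verdict may postdate delivery
        return ("block", target)
    return ("redirect", target)

if __name__ == "__main__":
    mail = "Reset your password at https://login.example.org/reset?id=7 today."
    wrapped = rewrite_body(mail)          # constructed sample message
    link = URL_RE.search(wrapped).group(0)
    print(resolve(link, set()))
    print(resolve(link, {"login.example.org"}))
```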
Microsoft has the same service for Office 365 users. We also get a warning when an email comes from a domain other than ours. This is to help warn users of possible scams using spoofed email addresses.
Ironically, this makes spotting the security team’s phish-testing emails even easier, because they don’t have the warning header or middleman-obfuscated URLs.
I can understand the problems of phishing etc. for probably the majority of email users at a large institution... but then you have every link rewritten to look stranger, and tons of data (links sent, clicked on, with all the metadata of that) in the hands of a 3rd party. I don't think this is the right solution. Is this really the best we can do right now?
And that's not even considering the security and privacy risks to email users from third-party email scanning and rewriting.
I could also imagine legal issues going both ways, particularly if the third party is tempted to retain data about email users.
For example, some universities that use Gmail and Google Apps for Education (for example) required that Google not scan student email, presumably due to privacy and legal requirements, or faculty email (due to faculty objections), and Google itself ultimately abandoned the practice in the face of a lawsuit.
https://marketbrief.edweek.org/marketplace-k-12/google_aband...