We have a lot of other cool stuff in emails like single-click logins, viewing pixels with custom payloads, our open source drip campaign mailer for Django, and much more. If there is any interest, I'd be happy to go into deeper detail.
Basically, reuse a lot of signing functions that you might find in a library (e.g., Django's https://docs.djangoproject.com/en/dev/topics/signing/), don't roll your own. Then, keep track of last login IP address and block auto-logins when they mismatch. Then, set a max age for the login links to work (for example, 24 hours). There are a few other things we do as well, but those are the major ones.
Those three combined are fairly secure.