Please display the actual destination of every link directly at the link (e.g. above or beside the link text), not only on hover or long-press, and visually flag the destination in red when the destination's host does not match the hostname named in the visible link text.
Generic call-to-action text names no hostname, so there is simply nothing to mismatch there; the value is that the real destination is still shown in plain sight.
This closes the link-text-mismatch gap that authenticated phishing exploits — e.g. the Jan 2026 SendGrid campaign, whose mail passed SPF/DKIM/DMARC yet pointed "Manage preferences" at a credential-harvesting page.
Ideally offer a graduated policy (full URL / domain-only / external-links-only) so the UX cost is configurable.
A free, open-source reference implementation exists — Reveal URLs (https://www.reveal-urls.eu/, source https://codeberg.org/magentron/reveal-urls) — and the full rationale, trade-offs and alternatives are documented at:
https://www.phpfreelance.co.uk/blog/email-link-phishing-your-app-should-always-show-the-url.html