Authenticating a user directly from an email, while being a very interesting feature from a user experience point of view, needs to be implemented with care and balance from the point of view of system security.
I will present some approaches, which include some things that the other answers have already mentioned.
Concern about Security
As @Zuul mentioned, email link authentication is a major security issue. There are two main reasons:
Link-based authentication is easy to intercept. The URLs that you access are stored in logs and can be traced in various ways. There are several ways for a person to get access to the link and impersonate you. On the other hand, username and password authentication on forms, when used over a secure connection, is not stored and cannot be viewed by a third party monitoring traffic between client and server.
Emails can be replied to and forwarded, mistakenly exposing the restricted link to third parties.
Even so, we can think of ways to improve the user experience with direct links without compromising security.
Login with redirect
The safest and easiest way, in terms of user experience, is to have the email link point to a page that performs the following:
1. Verify that the user is logged in. If the user is authenticated, he will have a cookie or something that will identify him, right?
2.1. If there is authentication, simply redirect the request to the email link.
2.2. If the user is not authenticated, the system displays the login page. After the user logs in, the system should then redirect them to the email link.
In this approach, the original link can be stored in the URL itself. Examples:
This way, after login, you can find out which screen the user should be redirected to.
The approach with authentication causes the user to authenticate. However, the login can be kept for longer than the current browser session. For example, Evernote has a login option to "remember the user for a week". This means that the user would not have to authenticate for a week. Note that this is only feasible for private computers.
Login with single-use token
This is the approach mentioned by user @gerep. The idea is to generate a single token per link so that no one can guess it and then invalidate the token after its use.
The problem with this approach is that the user will certainly try to repeat the same action some time later and will have access denied. This is good from a security point of view, but a bad experience for the user.
Limited login with token
Another alternative that some sites like LinkedIn use is to generate a token that is not invalidated but gives only restricted access to the system.
In the case in question, the token can only give access to the e-mail screen, or maybe to screens that only display data.
If the user tries to perform an action or edit something in the system, then a full login would be required.
Considerations
Finally, define the level of security and, depending on the system, you can use a mixed set of approaches.
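The single-use and limited-token approaches described above can share one token store. The sketch below is an added example, not part of the original answer. The class name, the in-memory dict, the sample user and path, and the `ttl` expiry are all assumptions made for illustration.

```python
import hashlib
import secrets
import time


class EmailLinkTokens:
    """Tokens for emailed links. The in-memory dict is an assumption; use a DB table in practice."""

    def __init__(self, clock=time.time):
        self._rows = {}      # sha256(token) -> record; the raw token is never stored
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, target, actions, single_use, ttl=3600):
        """Create a token bound to one user, one target path and a set of allowed actions."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._rows[self._digest(token)] = {
            "user": user_id,
            "target": target,
            "actions": frozenset(actions),
            "single_use": single_use,
            "expires": self._clock() + ttl,  # expiry is an added assumption
            "used": False,
        }
        return token  # goes into the emailed URL

    def redeem(self, token, path, action):
        """Return the user id if the token allows `action` on `path`, else None (show login)."""
        row = self._rows.get(self._digest(token))
        if row is None or row["used"] or self._clock() >= row["expires"]:
            return None
        if path != row["target"] or action not in row["actions"]:
            return None  # outside the token's restricted scope: require full login
        if row["single_use"]:
            row["used"] = True  # invalidate after the first successful use
        return row["user"]


if __name__ == "__main__":
    store = EmailLinkTokens()  # sample user and path below are constructed
    once = store.issue("alice", "/messages/42", {"view"}, single_use=True)
    print(store.redeem(once, "/messages/42", "view"))     # first use of the link
    print(store.redeem(once, "/messages/42", "view"))     # same link opened again
    limited = store.issue("alice", "/messages/42", {"view"}, single_use=False)
    print(store.redeem(limited, "/messages/42", "edit"))  # edit is outside the scope
```

Storing only the SHA-256 digest means a leaked token table cannot be replayed as working links, and a `None` result is the point where the application falls back to the login-with-redirect flow.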