Security for Email verification/confirmation

If the attacker's search space for YOURBESTGUESSHERE is large enough, brute force becomes infeasible. Use {a code derived from {email address plus timestamp} (which may have arbitrary other stuff, such as a random nonce, incorporated)} fed through a known-good implementation of a known-good one-way hash function.

Ensure the code is only good for a short time (a couple of days, perhaps) after it's used.

Don't leak information when the code is presented - the real user of the code knows what email address it applies to, and nobody else needs to.
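A sketch of the scheme described in this answer, added here as an example and not code from the answer itself: the code is a SHA-256 hash over the address, a timestamp and a random nonce, it expires after two days, and the response never echoes the address. The `PENDING` dict (standing in for a database table), the function names, single-use redemption and storing only a digest of the code are assumptions of this example.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 2 * 24 * 3600   # "a couple of days"
PENDING = {}                  # digest of code -> (email, expiry); stand-in for a DB table


def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()


def issue_code(email, now=None):
    """Return the code to embed in the verification link."""
    now = time.time() if now is None else now
    nonce = secrets.token_bytes(32)  # 256 random bits: this is what makes guessing infeasible
    material = b"|".join([email.lower().encode(), str(int(now)).encode(), nonce])
    code = hashlib.sha256(material).hexdigest()
    # Assumption: keep only a digest server-side, so a leaked table holds no usable links.
    PENDING[_digest(code)] = (email, now + TTL_SECONDS)
    return code


def confirm(code, now=None):
    """Return the verified address, or None. A code is consumed on first presentation."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_digest(code), None)   # assumption: single use
    if entry is None:
        return None
    email, expiry = entry
    return email if now <= expiry else None


def response_for(code, now=None):
    """User-facing text: never names the address, never says why a code failed."""
    if confirm(code, now) is None:
        return "This link is invalid or has expired."
    return "Your email address has been confirmed."


if __name__ == "__main__":
    link_code = issue_code("alice@example.test")   # constructed sample address
    print(response_for("0" * 64))                  # a guessed code
    print(response_for(link_code))                 # the real code
    print(response_for(link_code))                 # replay of the same code
```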


You can always increase security, if needed. Think of combining the link with a unique code. So when brute force allowed them to find a link, they still need to enter a random code from the email.

Suggestions like number of attempts would be one of the first I would implement, to avoid system issues (number of requests) rather than security.