"like 15 minutes from the login attempt, and randomly generate a string for the token itself. Send a link to the user, when they click it, find them by the token, and log them in."
Many common greylisting schemes will delay for 15 minutes or more.
Don't (ab)use email for something it was never designed for: instant delivery of a token. email will get the message through eventually - that is what it is designed to do but nowadays it has to run through of a lot of filtering and you are asking people to have squeaky clean SPF/DKIM and probably DMARC and also have to consider DNSSEC and lots of other things.
email is still bloody good for message delivery but you are asking for administrators of an auth/auth system to become email sysadmins.
