What you are doing wrong is using nonce in a context it was not intended to be used in. nonces should be used on web pages for logged in users, not just a random “it has something to do with security so it has to be right” kind of measure ;).
If you need to validated the authenticity of the link you have sent, just use an md5 hash (or any other hash generator) based on whatever long term “secret” information you have on the user. At the best case, nonces “live” for 48 hours, while emails might be opened later then that.