If the attacker's search space for YOURBESTGUESSHERE
is large enough, brute force becomes infeasible. Use {a code derived from {email address plus timestamp} (which may have arbitrary other stuff, such as a random nonce, incorporated)} fed through a known-good implementation of a known-good one-way hash function.
Ensure the code is only good for a short time (a couple of days, perhaps) after it's used.
Don't leak information when the code is presented - the real user of the code knows what email address it applies to, and nobody else needs to.