https URL with token parameter: how secure is it?

SSL will protect the query parameters in transit; however, email itself is not secure, and the email could bounce along any number of servers before getting to its destination.

Also depending on your web server the full URL might get logged in its log files. Depending on how sensitive the data is you might not want your IT people having access to all the tokens.

Additionally the URL with the query string would be saved in your user’s history, allowing other users of the same machine to access the URL.

Finally, and what makes this very insecure: the URL is sent in the Referer header of all requests for any resource, even third-party resources. So if you’re using Google Analytics, for example, you will send Google the URL, token and all.

In my opinion this is a bad idea.
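As an added illustration (not part of the answer above, and not any particular framework's code), the usual mitigation when a link must carry a token is to consume it on the first request and immediately redirect to a clean URL, moving the proof of possession into a cookie, so the tokenised URL is already dead by the time it lands in browser history, server logs or a third-party Referer. The token store, token values and URL paths below are constructed for the demo.

```python
# Added example: consume a URL token once, then redirect to a token-free URL.
# All paths, tokens and the in-memory stores are constructed for illustration.
from urllib.parse import urlsplit, parse_qs
import secrets

# Constructed one-time token store: token -> account it was issued for.
TOKEN_STORE = {"cafe01": "alice@example.test"}
# Sessions minted after a successful redemption: session id -> account.
SESSIONS = {}

def redacted_log_line(url: str) -> str:
    """Access-log line that keeps the path but never the query string."""
    parts = urlsplit(url)
    return f"GET {parts.path}{'?[redacted]' if parts.query else ''}"

def handle_token_link(url: str):
    """Return (status, headers, body) for a link such as /reset?token=...

    The token is accepted exactly once and removed from the store; the client
    is redirected to a clean URL with the session carried in an HttpOnly
    cookie, so the tokenised URL itself carries no value afterwards.
    """
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("token", [""])[0]
    account = TOKEN_STORE.pop(token, None)  # one-time use: burn it immediately
    base_headers = {
        "Referrer-Policy": "no-referrer",  # never leak our URL to third parties
        "Cache-Control": "no-store",       # keep the response out of caches
    }
    if account is None:
        return 400, base_headers, "invalid or already-used link"
    session = secrets.token_urlsafe(32)
    SESSIONS[session] = account
    headers = {
        **base_headers,
        "Location": "/reset/form",  # clean URL: nothing sensitive in history/logs
        "Set-Cookie": (f"reset_session={session}; Secure; HttpOnly; "
                       "SameSite=Strict; Path=/reset"),
    }
    return 303, headers, ""
```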
