In this case you set the anti-phishing code in your account settings (arbitrary string). Then they include it in all email comms (in the top right of the email body). So if you get an email from what looks like "Crypto.com", but with a different anti-phishing code - then you can be certain that it's phishing.
Oh, it's just for email. That makes sense. Seems pretty weak since it relies on the user noticing the absence of a security feature.
I'd probably prefer the emails have no links and train people to never click from an email. Make them log in the same way they usually do to take any actions.
