Hey!
This is an issue we face on WhatDoTheyKnow too, and we're starting to keep track [1] when we spot them. We've started calling authorities out for refusing emailed requests (illegal in UK) [2] and these response links are quite high on our radar for similar campaigning.
FragDenStaat also have a similar issue [3], which they solved by writing some code to handle these automatically.
Alaveteli does have a workflow for authorities wanting to respond by post, and we've been thinking that this ought to get updated to reflect a more general set of off-site responses [4] such as this.
We really try to avoid exposing the request email in Alaveteli to be confident only the authority can respond, and to prevent spam bots getting hold of it and sending junk to requests.
The authority should receive the unique email address in the From header of the email – there's no need to include it in the body of the email sent to them.
> To continue keeping the request email address hidden, it seems that the best way would be simply to include it in the notification email sent at the request creation.
Including it in the footer of notifications to users is probably the safest place to add it, as we do try to automatically redact request emails when they appear on the site.
Alternatively we could add a link in the Actions menu, as you suggested in your initial private email to us. We'd want that action to only be available to the requester though, rather than any logged in user, so yeah, there would be some more work in patching that in.
Hope that helps.
Best,