If you are using email verification, you can check this user state within your own app. (So, don't allow the attacker to access anything until their email address has been verified.)
In version 1.27.0 you can configure a gated login flow when the user is not verified (this is a 'reactor' feature requiring a paid license). This will enforce email verification before we even redirect to your app. You can then also configure FusionAuth to delete users after N number of days if the user has not verified their email address. This can assist with the buildup of accounts that are not actually in use.
It looks like the issue was our mail server. We are using Mailgun SMTP service for our mail sending and this offers a tracking feature.
This tracking feature adds an invisible image to the HTML code in order to get requests for stats. If I deactivate this feature, the HTML_IMAGE_ONLY_12 error is gone and the mails are no longer marked as SPAM. We don't have any issues with our other applications because sent emails are bigger in text content.