Some good info here on how to attack the problem. Personally this is the approach I take on our sites. Although we're mostly in a 2-4hour click to conversion market we still have smart shoppers that act like your customers.
My system basically works off of the sites already in place session management. When a new user arrives to the site they get a session #, basic information such as where the click came from, IP, agent, ...etc all logged. All of our PPC campaigns append a query string variable to the URL, &source=google, &source=ysm, Etc, so we can flag PPC sales in the DB. Really all we care about is where the first click came from not what happened in between so that is all we log. Once an order comes in I get a nice report showing me the order, amount, and where the sale originated from. Most of the time we can tie the sale back right there. My 2nd line of attack is done by IP. If the user leaves, loses session cookie, whatever, I can still dig up the original data by IP address. Email contact forms, like arieng said we include the session id in the contact form. If you insist on having an email link, use the mailto: format with subject line and append the SID there.
After all that we still get those mystery sales we can't match up. Many reasons still exist for this, shopping at work and purchasing at home. Simple dialup IP change day after day. Word of mouth to name a few.