Blog/Guide

Designing Password Reset Emails That Actually Get Used

Reset mail is the most expected transactional message you send. It is also the one users are trained to be suspicious of. That combination is the whole design brief.

Content Rules

  • Say who it is from in the first line. Not just in the From header. “Someone requested a password reset for your Acme account.” Users read plain text before they trust branding.
  • State what happens if it was not them. “If this was not you, ignore this email and your password will not change.” Reduces panic and support load.
  • Show the expiry. “This link expires in 15 minutes.” Concrete numbers reduce retries.
  • Include the requesting IP or approximate location, with the caveat that IP geolocation is fuzzy. Users spot wrong-country resets fast.
  • One primary action. A single button or a single code. Multiple links create phishing suspicion.

Security Patterns That Match The Content

  1. Do not leak account existence. The response to “forgot password” is the same whether or not the email is registered: “if this address has an account, a reset link is on its way.” Silent no-op if it does not.
  2. Single-use, short-lived tokens. 15 minutes is a reasonable ceiling. Invalidate on use, invalidate all outstanding tokens when the password is changed.
  3. Bind the token to the initiating session when possible, so a corporate link scanner cannot pre-fetch and burn it.
  4. Rate-limit generation per account and per IP. A user who requests ten resets in a minute is either being attacked or has a broken client.
  5. Notify on completion. After a successful change, send a second email confirming it, from the same sending domain. This is the message that catches account takeovers.

Deliverability Notes Specific To Resets

  • Reset mail must arrive in seconds. Send it through a transactional pipe that is not sharing reputation with any marketing traffic.
  • Use a sending subdomain that matches the app the user just clicked from (mail.acme.com for an Acme reset). Cross-domain sending is a phishing signal.
  • Include a plain-text alternative. Some corporate mail clients strip HTML aggressively.
  • Keep the subject line specific and boring: “Reset your Acme password.” Clever subjects are the ones that get flagged.

What Not To Include

  • The user's current password. Never. Not hashed, not partial, not “for verification.”
  • Marketing footer content. Every extra link is a chance to look like phishing.
  • Tracking pixels or link rewriting through a third-party redirect domain. Users hover, and a redirect they do not recognize is the moment they file a spam complaint.

Send transactional email that lands.

MailRoundup is a transactional-only pipe for receipts, confirmations, password resets, and alerts. One endpoint, honest logs, no marketing traffic in the way.