What Makes a Password Reset Email Great?

Are you crafting a new password reset email or updating an existing message? Before you begin designing your content or download a template, read this post. We have gathered information on what to do, what to avoid, and what you can learn from emails from several well-known companies. The best practices, reviewed examples, and recommendations will help you to quickly and easily create an efficient password reset email template.

The most important things to remember

The reset password message is a part of a corresponding workflow, which should be thoroughly designed and tested.  

First and foremost is user security. Password management is about users’ data and access to third-party services. The workflow you build must prevent all possibility of a data breach.

Security rules

  1. Never send passwords via email. This is true for all types of messages, not only for changing passwords. We are pretty sure that one day you have received a welcome message or a password reset confirmation displaying your username and password in plain text. That is the worst possible practice.
  2. Limit the time of a reset password link validity. There is no standard for the password reset expiration time. The general recommendation is from 20 minutes to one hour for financial, critical, social, and messaging apps. For most apps we have inspected, such a link is valid for 24 hours.
  3. Give your users information about what to do if they received a password change message that they haven’t requested. It is common to ignore such a message. But for extra security, it might be good to recommend that users change their password or contact support.
  4. Take care of the security and reputation of the SMTP server/domain you use for sending emails. Use proper encryption methods and set up DMARC, DKIM, and SPF records. Refer to the series of articles on the SMTP security on our blog for more details. 

Usability rules

Once the whole process is secure,focus on creating an optimal user experience. Reflect on your own experiences when you have been in the middle of sending a message or reviewing the details of a booking, and you needed to recover a password. In that moment, you wanted the process to be as quick as possible, didn’t you? Here are some tips that can help:

  1. Make sure your email template is straightforward. It should be obvious to the user that the password reset email comes from your app. So, write a clear email subject line like: “YouApp: Reset your password”. This is not the place for creativity. Provide clear, comprehensive instructions for the steps a user needs to take to regain  access to your app.
  2. Keep your message simple. Don’t fill it with marketing elements and extra links. Include only important instructions written in a brief, friendly text, along with a button to click, as well as a link – and that’s all.
  3. Maintain a balance between security and simplicity. Don’t include too many steps or too many rules in the reset password process.
  4. Test to make sure the workflow works, that emails are sent, and that they are displayed as designed. Follow the rules of coding an HTML email template
  5. Test email deliverability, and do your best to prevent emails from going to spam. Those moments of waiting for password reset emails to arrive are especially long.

These are the main recommendations to follow when establishing a reset password workflow. Now let’s go into detail and review several reset password emails sent by popular companies.

What to include in the reset password communication

Let’s imagine a situation where you are trying to access an app. You enter your username (in most cases, it is your email address) and password, but you are not allowed to log in. You see an error message “Invalid login or password” or “This combination of username and password is not recognized”. It is a good practice because if someone tries to discover whether the exact username exists on this service, they won’t be able to get this information. Conversely, “the password is incorrect” message confirms that the user with this username exists. 

Your next step is to press the “forgot your password” link. You should enter your email address and see the following message (as an example): 

“The email with further instructions was sent to the submitted email address. If you don’t receive a message in 5 minutes, check the junk folder. If you are still experiencing any problems, contact support at support@domain.com” 

If everything works fine, you should receive a message with further instructions. 

Rules of a great reset password email

What it should include: 

  1. Concise and meaningful headers. Send emails from your app’s domain, which users can easily recognize and trust. The “from” name and email address should also meet these rules: “contact”, “info”, etc. is a bad example. The subject line should be short and clear as well: “YourApp: reset your password” is a good one. 
  2. Both HTML and text versions: if for any reason the email content was not properly rendered, the recipient still has to be able to understand your instructions. Add a copyable reset password link
  3. Username. Your users should immediately understand that this message is associated with their account. 
  4. Easy to understand instructions on how to reset the password (if they requested it).
    1. Quick description of the situation (for example, “you or someone requested to reset the password for your account at ourapp.com).
    2. Nice button linked to the reset password page. Don’t forget about the link validity period – if it’s limited (and should be), your users should be clearly informed about it. 
    3. If any other actions are required, describe them too.
  5. Instructions on what to do if the recipient hasn’t requested a password reset. Further actions can be: press the link to report abuse, contact support, or just ignore this message. For more safety, you can also recommend changing the password for this account. 
  6. Support contact details. 
  7. Clear design. The message should be strict but still associated with your brand. 

What not to do with password reset emails:

  1. Don’t send the password in plain text! This is valid for all kinds of emails. 
  2. Don’t include too much text. Don’t give the recipient a chance to get lost in numerous details. 
  3. Don’t include additional marketing information and/or links. The temptation of adding selling information is strong but don’t do this. Your users don’t want it now, they need to complete their goal: access your app. Don’t confuse them. 
  4. Don’t send emails from no-reply addresses. This increases the risk of going to spam and in addition, doesn’t build trust. 

Reset password email templates check-up

Let’s review several reset password emails from well-known companies. 

Trello password reset email screenshot on the Mailtrap blog

What is good:

  • the clear subject line and “from” header
  • simple and recognizable branding 
  • greeting by name 
  • concise content and instructions 
  • instructions on what to do if this user didn’t make this request

What could be improved:

  • the “from” email address (“do-not-reply”)
  • no expiration period for the reset password link
  • no copyable links 
  • missing support contact details 

Ryanair reset password email, screenshot on the Mailtrap blog

What is good:

  • the clear subject line and “from” name 
  • simple and recognizable branding 
  • greeting by name 
  • concise content and instructions 
  • copyable reset password link
  • expiration period for the password change link
  • instructions on what to do if this user didn’t make this request

What could be improved:

  • the “from” email address (“noreply”)
  • support contact details: there is a link to contact us page, though, but a direct email address or phone number is preferable

Booking.com reset password email, screenshot on the Mailtrap blog

What is good:

  • the clear subject line and “from” name 
  • simple and recognizable branding 
  • visible username and even the avatar
  • concise content and instructions 

What could be improved:

  • the “from” email address (“noreply”)
  • copyable reset password link
  • no expiration period for the password change link
  • no instructions on what to do if this user didn’t make this request 
  • support contact details: there is a link to the customer service page, though, but the direct email address or phone number is preferable

Zappos reset password email, screenshot on the Mailtrap blog

What is good:

  • the clear subject line and “from” name 
  • the “from” email address (“cs” most likely stands for the customer support)
  • recognizable branding 
  • instructions on what to do if this user didn’t make this request
  • support contact details 

What could be improved:

  • visible username: it is included but at the very end of the huge email template 
  • content and instructions are lost in the variety of pictures, links, and buttons
  • copyable reset password link
  • no expiration period for the password change link

Quora reset password email, screenshot on the Mailtrap blog

What is good:

  • the clear subject line and “from” name 
  • simple and recognizable branding 
  • greeting by name 
  • concise content and instructions 
  • copyable reset password link
  • instructions on what to do if this user didn’t make this request

What could be improved:

  • the “from” email address (“noreply”)
  • no expiration period for the password change link
  • no support contact details

Also, we should admit that each of the above emails was delivered in seconds after making the request on the corresponding website. Furthermore, none of them went to the spam folder. As you can see, some criteria of the perfect reset password template are quite often ignored. Mostly, the no-reply email addresses are used and no support contact details are provided. 

In the end, your task is to make a password reset a pleasant part of your users’ experience with your app, where their safety comes first. Don’t forget about the proper branding, add a touch of design, keep your template clear and simple, and thoroughly test it before releasing it. That’s it, folks!