Envello
Tutorial

Password reset emails: what actually needs to be in them

Envello Team·2026-07-17·4 min read

A password reset email gets more scrutiny than almost any other transactional message, both from the user (are they expecting it?) and from mailbox providers (it's a common phishing target, so filters watch this category closely). The actual requirements are short.

What actually matters

  • A time-limited link, not a permanent one. Expire it, typically within an hour, and say so in the email
  • Never include the user's actual password, current or new, in the email body, even partially
  • A clear, recognizable from address and subject line, since this is exactly the kind of email a phishing attempt mimics, and an unfamiliar sender pattern trains users to distrust legitimate ones
  • A note that says what to do if the user didn't request this, since a reset request they didn't make is a signal worth surfacing to them

What's decoration, not a requirement

Elaborate branding, marketing content, or unrelated account information don't belong in this email. It's a single-purpose, high-trust message. The more it looks like every other marketing email your product sends, the harder it is for a user to distinguish it from an actual phishing attempt spoofing your brand.

The deliverability angle

Password reset emails are pure transactional mail, sent one-to-one, time-sensitive, and expected by the recipient. They should never be batched with marketing content or sent through a bulk-marketing path, both because it's the wrong tool (marketing tools optimize for throughput, not per-message latency) and because mixing transactional and marketing traffic on the same sending reputation is exactly the pattern that gets flagged by spam filters.

Envello

EU-hosted transactional email, done right by default.