Password reset emails are the most time-sensitive transactional emails you send. A user who clicks "Forgot Password" is locked out of your product and wants back in immediately. Every second of delay, every confusing instruction, and every email that lands in spam is a user who might never come back.

Yet password reset emails are also a prime target for phishing attacks, which means they need to balance speed and simplicity with security. The best password reset emails arrive instantly, make the reset action obvious, and include clear security guidance — all without looking like the phishing emails they need to differ from.

Password Reset Email Templates

Standard Password Reset

Subject: Reset your [Product] password

Hi Sarah,

We received a request to reset the password for your [Product] account associated with sarah@company.com.

[Reset My Password] ← button

This link expires in 1 hour. After that, you'll need to request a new password reset.

Can't click the button? Copy this link: https://app.example.com/reset-password?token=abc123def456

Didn't request this? You can safely ignore this email. Your password won't be changed unless you click the link above. If you're concerned about your account security, you can review recent activity at https://app.example.com/settings/security

The [Product] Team

Password Reset with Security Context

Subject: Password reset request for your [Product] account

Hi Alex,

Someone requested a password reset for your account. Here are the details:

Request details:

Account: alex@company.com

Requested at: March 6, 2026 at 3:42 PM EST

From: Chrome browser, Portland, OR, United States

If this was you, click the button below to set a new password:

[Reset Password] ← button

This link expires in 1 hour and can only be used once.

If this wasn't you: Someone may have your email address but doesn't have access to your account. No action is needed — your password remains unchanged. However, if you receive multiple unexpected reset requests, contact our security team at security@example.com.

Security tips:

Never share your password or this reset link with anyone

[Product] will never ask for your password via email

Use a strong, unique password (at least 12 characters)

Consider enabling two-factor authentication

The [Product] Security Team

Password Reset Confirmation

Subject: Your [Product] password has been changed

Hi Sarah,

Your password was successfully changed.

Details:

Account: sarah@company.com

Changed at: March 6, 2026 at 3:55 PM EST

From: Chrome browser, Portland, OR, United States

You can now sign in with your new password.

[Sign In] ← button

Didn't change your password? Your account may have been compromised. Take these steps immediately:

Reset your password again

Review your account activity

Enable two-factor authentication

Contact our security team: security@example.com

The [Product] Security Team

Password Reset for Mobile Apps

Subject: Your password reset code: 847291

Hi Jamie,

Use this code to reset your [Product] password:

847291

Enter this code in the app to set a new password.

This code:

Expires in 15 minutes

Can only be used once

Or reset via web browser: If you prefer, click this link to reset your password in your browser:

[Reset Password in Browser] ← button

Didn't request this? Ignore this email — your password won't be changed.

The [Product] Team

Password Reset — Account Not Found

Subject: Password reset attempt — no account found

Hi,

We received a password reset request for this email address, but we don't have an account associated with it.

Possible reasons:

You may have signed up with a different email address

Your account may have been deleted

Someone may have entered your email by mistake

If you have a [Product] account: Try requesting a password reset with other email addresses you may have used to sign up.

If you don't have an account: You can create one at https://app.example.com/signup

Why are we sending this? We send this notification for security purposes — to let you know someone attempted to use your email address. No account information was disclosed and no action is needed.

The [Product] Team

Forced Password Reset (Security Breach)

Subject: [Action Required] Your [Product] password has been reset for security

Hi Sarah,

We're writing to let you know that we've reset your [Product] password as a precautionary security measure.

What happened: During a routine security review, we identified that your password may have been exposed in a third-party data breach (not a breach of [Product] systems). To protect your account, we've proactively reset your password.

What to do now:

[Set a New Password] ← button

When setting your new password:

Use a password you haven't used on any other website

Make it at least 12 characters with a mix of letters, numbers, and symbols

Consider using a password manager like 1Password or Bitwarden

Enable two-factor authentication for added security

Your data is safe:

No unauthorized access to your [Product] account was detected

This reset is a precautionary measure based on third-party breach data

Your [Product] data, settings, and content are unaffected

This link expires in 24 hours. If it expires, request a new reset from the login page.

If you have questions, contact our security team at security@example.com

The [Product] Security Team

Admin-Initiated Password Reset

Subject: Your [Product] password has been reset by your admin

Hi Tom,

Your team administrator has reset your [Product] password. You'll need to set a new one to continue using your account.

[Set New Password] ← button

Details:

Account: tom@company.com

Reset by: admin@company.com

Date: March 6, 2026 at 10:15 AM EST

This link expires in 24 hours.

If you have questions about why your password was reset, please contact your team administrator.

The [Product] Team

Password Reset Subject Lines

Standard resets:

"Reset your [Product] password"
"Password reset request for your account"
"Your password reset link — expires in 1 hour"

Code-based resets:

"Your password reset code: 847291"
"[Product] password reset code: 847291"

Security-related:

"[Action Required] Your password has been reset for security"
"Your [Product] password was changed"
"Important: Password reset required for your account"

Keep subject lines clear and functional. Avoid creative copy that might look like phishing. "Reset your [Product] password" is better than "Oops! Looks like you forgot something."

Best Practices for Password Reset Emails

Deliver within seconds

Password reset emails should arrive within 3-5 seconds. Users are waiting on a "check your email" screen and will become frustrated after 30 seconds. If your reset emails take minutes to arrive, fix your email infrastructure before anything else.

Use short expiration times

Reset links should expire in 1-4 hours. Codes should expire in 10-15 minutes. Short expiration windows limit the attack surface if the email is intercepted. Always tell the user how long they have and how to get a new link if it expires.

Make single-use tokens

Every reset link or code should work exactly once. After the user resets their password, the link should be invalidated immediately. This prevents the link from being used again if the email is later accessed by someone else.

Always include a plain-text link

Button rendering varies across email clients. Always include the full reset URL as plain text so users can copy/paste it if the button doesn't work.

Send a confirmation after reset

After a password is successfully changed, send a confirmation email to the user's email address. This serves as an audit trail and alerts the user if someone else changed their password.

Handle "account not found" securely

Don't tell attackers whether an email address has an account. Instead of showing "no account found" on the reset page, always show "If an account exists with this email, we'll send a reset link." Then send a polite "no account found" email so the actual user knows what happened.

Don't include the old or new password

Never include any password information in emails. The email should only contain the reset link or code. Passwords should only be entered on your secure reset page.

Use a recognizable sender

Send from a consistent, recognizable address (e.g., security@yourproduct.com or no-reply@yourproduct.com). Unfamiliar sender addresses make users suspicious that the email is phishing.

Avoid looking like phishing

Legitimate password reset emails and phishing emails look very similar. Differentiate yours by using your brand's design, sending from a verified domain, including the user's name, and never asking for sensitive information in the email itself.

Password reset emails sit at the intersection of security and user experience — get them right, and you protect accounts while keeping users happy. For sending instant, reliable password reset emails, Sequenzy's transactional email API delivers reset emails in milliseconds with enterprise-grade security and deliverability.