Password reset email template: Design and best practices

Editor’s note: We recently wrote and released an all-new guide that dives deep into modern password reset email best practices.


With the launch of Postmark Templates, we open sourced three transactional email templates that are free to use and included in Postmark by default. While the templates may look concise and simple, a lot of research went into each one. Instead of just giving you a nice design, we wanted to deliver templates that would address design, coding, usability, security, and even the best copy to make them effective.

Every time you start to code a new web app, you have to create and write several emails, such as the password reset. This can be a hassle and a pain. As a developer, your priority is crafting features and experiences that benefit your users. It’s important to have a password reset system in place, but it’s not something you want to spend much time on.

Luckily, with our pre-built templates, you no longer have to. I’d like to cover the research and concepts behind our first template, the Password Reset email.

A screenshot of the new password reset template available in Postmark.

What makes a good password reset email?

Based on our research, we created some basic guidelines for good password reset emails:

  • Have a clear From name that uses the product’s name and a clear Subject line that says the email is for resetting a user’s password.
  • Greet the user by name (or username) to build trust and identify which account the reset is for.
  • Keep the content clear and concise, with the password reset link on its own line or as a larger button.
  • Provide some peace of mind if the user did not request a password reset. This can be done by saying they can ignore the email or contact support.
  • Make sure the reply-to address goes to a real person or support address.
  • Set an expiration time for the password reset link to prevent abuse.
  • Never, ever send a password in plain text.
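One way to back the expiring-link guideline on the server side, as an added example that is not part of Postmark's templates or code: the emailed link carries a random single-use token, only its hash is stored, and it is rejected after a lifetime. The function names, the in-memory `PENDING` store and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

RESET_TTL_SECONDS = 60 * 60  # assumed one-hour lifetime; the page gives no figure

# Constructed in-memory store standing in for a database table:
# token digest -> (user_id, expiry timestamp)
PENDING = {}


def token_digest(token: str) -> str:
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create the token that goes into the emailed reset link."""
    now = time.time() if now is None else now
    # A new request invalidates any earlier outstanding token for this user.
    for digest in [d for d, (uid, _) in PENDING.items() if uid == user_id]:
        del PENDING[digest]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    PENDING[token_digest(token)] = (user_id, now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id for a valid token, else None. Consumes the token."""
    now = time.time() if now is None else now
    # pop() makes the link single-use: a second click finds nothing.
    entry = PENDING.pop(token_digest(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now >= expires_at:
        return None  # expired; the record has already been removed
    return user_id
```

The email itself only ever contains the token inside the link; the user chooses the new password on the page the link opens.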

The Research

In order to create a template that was clear, effective, and secure, we researched password reset emails from companies we respect. These emails became the backbone of our template. Below you can see what we liked and what we would improve in each one.

Stripe

A screenshot of the Stripe password reset email.
  • + Clear subject line
  • + Identify who the password reset is for
  • + Clear call to action
  • + Reassuring statement if password reset wasn’t intended
  • + Reply-to goes to a real person or support address
  •  For security, the password reset link expires after a certain period of time

KickoffLabs

A screenshot of the KickoffLabs password reset email.
  • + Clear subject line
  •  Identify who the password reset is for
  •  Clear call to action
  • + Reassuring statement if password reset wasn’t intended
  • + Reply-to goes to a real person or support address
  • - For security, the password reset link expires after a certain period of time

Buffer

A screenshot of the Buffer password reset email.
  • + Clear subject line
  •  Identify who the password reset is for
  • + Clear call to action
  • + Reassuring statement if password reset wasn’t intended
  • + Reply-to goes to a real person or support address
  •  For security, the password reset link expires after a certain period of time

Wistia

A screenshot of the Wistia password reset email.
  • + Clear subject line
  •  Identify who the password reset is for
  • + Clear call to action
  • + Reassuring statement if password reset wasn’t intended
  • + Reply-to goes to a real person or support address
  •  For security, the password reset link expires after a certain period of time

Airbnb

A screenshot of the Airbnb password reset email.
  • + Clear subject line
  • + Identify who the password reset is for
  • + Clear call to action
  • + Reassuring statement if password reset wasn’t intended
  • Reply-to goes to a real person or support address
  •  For security, the password reset link expires after a certain period of time

Zapier

A screenshot of the Zapier password reset email.
  • + Clear subject line
  • + Identify who the password reset is for
  • + Clear call to action
  • + Reassuring statement if password reset wasn’t intended
  • + Reply-to goes to a real person or support address
  • + For security, the password reset link expires after a certain period of time

A disastrous password email

A screenshot of a password reset email that includes a plain-text password.

This is an account welcome email. Despite that fact, it’s still a fine example of what not to do in password reset emails. The email’s subject and greeting are good, yet it sends my account’s password in plain text. When I first received this email, I was surprised to see it handled security so poorly. After all, it’s 2015 and businesses should know better. Never send users a password in plain text because it’s a huge security vulnerability.