Password reset email template: Design and best practices

Editor’s note: Have a look at our updated guide that dives deep into modern password reset email best practices.


When we first launched Postmark Templates back in 2015, we open-sourced three transactional email templates that are free to use and included in Postmark by default. We have since done a bunch more work on these, and now have a total of nine transactional email templates available for you to use — including a very popular reset password template.

While these templates may look concise and simple, a lot of research went into each one. Instead of just giving you a nice design, we wanted to deliver templates that would address design, coding, usability, security, and even the best copy to make them effective. In this post we'd like to give you an overview of how we developed the password reset email template, and how you can use it effectively in your application.

Every time you start to code a new web app, you have to create and code up several emails, such as the ubiquitous password reset. This can be a hassle and a pain. As a developer, your priority is crafting features and experiences that benefit your users. It’s important to have a password reset system in place, but it’s not something you want to spend much time on. Let's look at some of the design and coding principles for your forgot password email.

A screenshot of the new password reset template available in Postmark

What makes a good password reset email?

Based on our research, we have some basic guidelines for good password reset emails:

  • Have a clear From name that uses the product’s name and a clear Subject line that indicates that the email is for resetting a user’s password.
  • Greet the user by name (or username) to build trust and identify which account the password reset is for.
  • Keep the content clear and concise, with the password reset link on its own line or as a larger button.
  • Provide some peace of mind if the user did not request a password reset. This can be done by saying they can ignore the email or contact support.
  • Make sure the reply-to address goes to a real person or support address.
  • Clearly state when the password reset link will expire. Expiring links limit the window for abuse.
  • Never, ever send a password in plain text.
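One way to put the expiry and no-plain-text-password guidelines into practice, as an added example (not Postmark's template or code). The product name, URL, 24-hour lifetime, field names and in-memory store are all assumptions made for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

# Assumptions for this sketch: product name, URL and 24-hour lifetime are
# placeholders, and PENDING stands in for a database table.
RESET_TTL = timedelta(hours=24)
PENDING = {}  # sha256(token) -> (username, expires_at)


def digest(token: str) -> str:
    """Hash the token so a leaked table cannot be replayed as reset links."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(username: str, now: datetime) -> dict:
    """Create a one-time token and the email fields that carry it."""
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    PENDING[digest(token)] = (username, now + RESET_TTL)
    hours = int(RESET_TTL.total_seconds() // 3600)
    body = (
        f"Hi {username},\n\n"
        "You asked to reset the password for your Example App account. "
        "Use the link below to choose a new one:\n\n"
        f"https://app.example.com/reset?token={token}\n\n"
        f"This link is only valid for the next {hours} hours.\n\n"
        "If you did not request a password reset, you can ignore this "
        "email or reply to reach our support team.\n"
    )
    return {
        "from_name": "Example App",
        "reply_to": "support@example.com",
        "subject": "Reset your Example App password",
        "text_body": body,  # contains a link, never a password
        "token": token,     # returned only so the caller/test can use it
    }


def redeem_reset(token: str, now: datetime):
    """Return the username for a known, unexpired, unused token, else None."""
    entry = PENDING.pop(digest(token), None)  # pop makes the link single-use
    if entry is None:
        return None
    username, expires_at = entry
    return username if now < expires_at else None
```
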

A summary of our research

In order to create a template that is clear, effective, and secure we researched password reset emails from companies we respect. These emails became the backbone of our template. Below you can see what we liked and what we would improve in each one.

Stripe

A screenshot of the Stripe password reset email
  • Yes: Clear subject line
  • Yes: Identify who the password reset is for
  • Yes: Clear call to action
  • Yes: Reassuring statement if password reset wasn’t intended
  • Yes: Reply-to goes to a real person or support address
  • No: For security, the password reset link expires after a period of time

KickoffLabs

A screenshot of the KickoffLabs password reset email
  • Yes: Clear subject line
  • No: Identify who the password reset is for
  • No: Clear call to action
  • Yes: Reassuring statement if password reset wasn’t intended
  • Yes: Reply-to goes to a real person or support address
  • No: For security, the password reset link expires after a period of time

Buffer

A screenshot of the Buffer password reset email
  • Yes: Clear subject line
  • No: Identify who the password reset is for
  • Yes: Clear call to action
  • Yes: Reassuring statement if password reset wasn’t intended
  • Yes: Reply-to goes to a real person or support address
  • No: For security, the password reset link expires after a period of time

Wistia

A screenshot of the Wistia password reset email.
  • Yes: Clear subject line
  • No: Identify who the password reset is for
  • Yes: Clear call to action
  • Yes: Reassuring statement if password reset wasn’t intended
  • Yes: Reply-to goes to a real person or support address
  • No: For security, the password reset link expires after a period of time

Airbnb

A screenshot of the Airbnb password reset email
  • Yes: Clear subject line
  • Yes: Identify who the password reset is for
  • Yes: Clear call to action
  • Yes: Reassuring statement if password reset wasn’t intended
  • No: Reply-to goes to a real person or support address
  • No: For security, the password reset link expires after a period of time

Zapier

A screenshot of the Zapier password reset email
  • Yes: Clear subject line
  • Yes: Identify who the password reset is for
  • Yes: Clear call to action
  • Yes: Reassuring statement if password reset wasn’t intended
  • Yes: Reply-to goes to a real person or support address
  • Yes: For security, the password reset link expires after a period of time

A disastrous password email

A screenshot of a password reset email that includes a plain-text password

This example shows a welcome email for a new account. Despite that fact, it’s still a fine example of what not to do in password reset emails. The email’s subject and greeting are good, yet it sends my account’s password in plain text. When we first saw this email we were surprised to see security handled so poorly. Businesses should know better. Never send users a password in plain text, because it’s a huge security vulnerability.

In summary

Now that you have some guidelines on how to implement a good password reset email for your app, also be sure to check out our extensive transactional email design guides to help give your customers the best experience possible. 

Jack Kaufman
