How to write a great password reset email

If you run a business that has an application or website, one type of transactional email that you inevitably send is password reset emails. It’s also one of the most common types of transactional emails sent.

What is a password reset email and its importance?

A password reset email is triggered when your user has for some reason clicked on the "forgot password" button in your app or site's login page. The email often contains a link or OTP to reset the password for the account without having to enter the old password.

The importance of getting the content and design of these emails right is multifold. Being extremely common, password reset emails are a frequent form of communication from you to your users. Crafting a good password reset email that provides a good customer experience and delivers them well is crucial to retaining the trust of your customers.

Secondly, a password is sensitive data, and an email that allows users to reset their password and regain control of their account should be handled with the utmost security in mind. This combination of user experience and security makes password reset emails very important.

What should a password reset email achieve?

There are two scenarios that could play out in the case of a password reset email.

1. The email was triggered by the user. This is the ideal and more common scenario where the email is a genuine attempt by the user trying to reset their password. In this case, the email should be crafted with the goal of communicating all of the information required for the process, such as account details, reset links, expiration duration, and help with the steps.

2. The email was NOT triggered by the user. If the email isn’t triggered by the user and might be a breach, the email should clearly state the account details, ways to reach out to you, and steps to take to secure the account.

The content of every password reset email should address both of these scenarios to cover all possibilities.

How to write a good password reset email

When it comes to password reset emails, best practices can be classified into two groups. There are best practices to ensure a good customer experience, and then there are important things to follow to ensure the security of the customer's account and data. Here are some of the things to remember while crafting a password reset email.

Best practices for a positive customer experience

1. Write a clear “From” and subject line

 Password reset emails are critical emails. The From name or address along with the subject line of the email should be extremely clear in communicating the purpose of the email. It should also make it easy for the user to pick out the email in their inbox quickly.

2. Give the link center stage

 The first thing that the user is going to look for in the email is the link that allows them to reset their password. It’s best to give it upfront and make it evident in the design. If the URL is too long to be presented well, use a CTA button or another appropriate design element with a hypertext reference to the link.

3. Ensure good inbox placement

 Asking your customers to look for an important email like a password reset email in the spam inbox is a red flag for any business and makes for a bad customer experience. It could make your business come across as being unprofessional.

If the email wasn’t triggered by the user and it ends up in the spam folder, the user could miss out on precious time in securing their account. So ensure that you take all of the steps needed to improve email deliverability so that your emails reach the customer’s inbox reliably.

4. Deliver the email without any delay

Password reset emails are extremely time-sensitive for two reasons: the user needs access to their account, and the link has an expiry duration. Similar to bad inbox placement, delivering password reset emails late can make customers lose trust in your business. Ensure that you pick an email provider that can guarantee you delivery without any delay, every single time.

5. Get straight to the point

When drafting the content for the email, keep it short and simple. Highlight the must-have information without overwhelming the user with information. The design of the email should also be simple. The focus should be on the content instead of design elements.

6. Include the customer’s account details

To clear up any confusion about which account the email is triggered for, include the username, associated email address, or any other unique identification in the email for the user's reference. For example, the email can say, "The password reset link for your account with username 'harry.p' has been requested."

7. Give them a way to contact support

Password resets should ideally be done within minutes through the email, but that isn't always the case. The users could have forgotten important information required for the reset, or there could be issues with the link they’ve received. Whatever the reason, it’s important to mention the ways in which users can reach out to your customer support.

8. Give clear instructions

The password reset process for each product or service might be different. While it’s a common process that your user isn’t unfamiliar with, there might be specifics in your process that they’re not used to. It’s best to give them clear instructions on what steps to follow or expect in the process.

9. Explain why the email was sent

While in most cases the user would have initiated the process, it’s good practice to explain why they’ve received the email. Simple content at the very beginning of the email along the lines of "We’ve received your request to reset the password on your account. Here's the reset link." will help set the context and expectation.

10. Have a single CTA

As previously established, the password reset link is the most important element in the email content and design. To give it prominence and to ensure that users aren't confused, make sure that the link is the only CTA in the email. Having multiple CTAs could dilute the importance and overwhelm the users.

11. Avoid marketing content

Password reset emails are purely transactional. It’s ideal to let it be that way instead of trying to include marketing content. It might be tempting to promote your service because password reset emails have a high open rate, but adding marketing content could overshadow the primary purpose. In recent times, spam filters also take into consideration the type of content in emails, so adding marketing content to these emails could cause them to be flagged as spam.

12. Create a design to be aligned with your brand

Although password reset emails are relatively simple and don’t require numerous elements, the design of the email should be in line with your brand’s personality. It should be easily recognizable as your brand. Adding your logo and brand name, or any other element specific to your brand, will help with this.

13. Include a plain-text version

Password reset email is a critical email and needs to be accessible in all scenarios. Including a plain-text version will help users access the data in the email even if the rich text or HTML version isn’t available. Including a plain text version will also boost your chances of good deliverability.

14. Test your emails

Your users are bound to access these emails from multiple devices. Test your emails to see if all of the links and elements in the email work on different devices, email clients, and browsers. This will help make data accessible to your users at all times.

15. Avoid using no-reply email addresses

While no-reply email addresses are easier to manage, it’s best to avoid them because they disrupt two-way communication, could impact deliverability, and make for a bad experience, among other things. Use a business email address with your company domain to send these emails.

Best practices for security

1. Set a reasonable expiration time

Password reset email is a means to recover control of the user's account. It’s of utmost importance to take security measures to keep the data secure. The expiry link provided in the email should only be available for a short period of time. Setting an expiration time will help mitigate any unauthorized parties gaining access. The general recommended timeframe for the expiration is anywhere between 10 minutes and 24 hours, depending on how critical the account is.

2. Never send passwords in an email

If there's only one thing you follow from this list, it should be this. Never send a password as plain text in a password reset email. Always include a link or code as an added layer of security to ensure that the password is not intercepted by anyone other than your user.

3. Give details about who requested it

As a precaution and additional security, you can include technical details about who requested the password reset. It could be an IP address, device details, browser, and more. This will help retrace the request in cases where the email wasn’t triggered by the user.

4. Provide steps to take if the reset email wasn’t requested by the user

The email should prepare the user to act quickly in case the email wasn’t requested by them. Without overloading them with information, provide the steps that they must take to ensure that the breach is stopped.

5. Make sure it doesn’t look like a phishing email

Bad formatting, broken links, and unprofessional content, among other things, can make your email look like a phishing email. It could lead to your user marking your email as spam or, worse, ignore the email instead of taking security measures against an attack. Ensure that your email looks professional and reflects your brand well.

6. Get BIMI for your emails

With BIMI, your brand's logo is displayed next to your emails in the customers' inbox. This helps your users identify your important emails and, in turn, identify emails that are trying to spoof you. It will be an extra layer of authentication for your emails.

7. Ensure the security of the server/domain

To prevent interception or misuse of the information in the password reset email, ensure that the SMTP server used to send the email is secure with all of the required protocols in place. Ensure that the encryptions used are updated. Also, verify that all of the DNS records are added to the domain you're using to send the emails.

Password reset templates in Zoho ZeptoMail

Keeping all of these best practices in mind, we’ve built templates for password reset emails in Zoho ZeptoMail. You can use these pre-built emails, make changes to them, or create them from scratch. These templates will help you hit the ground running.

Besides the templates, ZeptoMail has all of the necessary security measures in place, such as mandatory DNS verifications, advanced encryptions, TFA, and other security measures in place to ensure the security of your emails.