2015-08-17

With the launch of Postmark Templates, we open sourced three transactional email templates that are free to use and included in Postmark by default. While the templates may look concise and simple, a lot of research went into each one. Instead of just giving you a nice design, we wanted to deliver templates that would address design, coding, usability, security, and even the best copy to make them effective.

Every time you start to code a new web app, you have to create and write several emails, such as the password reset. This can be a hassle and a pain. As a developer, your priority is crafting features and experiences that benefit your users. It’s important to have a password reset system in place, but it’s not something you want to spend much time on.

Luckily, you no longer have to with our pre-built templates. I’d like to cover the research and concepts behind our first template, the Password Reset email.



What makes a good password reset email?

Based on our research, we created some basic guidelines for good password reset emails:

Have a clear From name that uses the product’s name and a clear Subject line that says the email is for resetting a user’s password.

Greet the user by name (or username) to build trust and identify which account the reset is for.

Keep the content clear and concise, with the password reset link on its own line or as a larger button.

Provide some peace of mind if the user did not request a password reset. This can be done by saying they can ignore the email or contact support.

Make sure the reply-to address goes to a real person or support address.

Set an expiration time for the password reset link to prevent abuse.

Never, ever send a password in plain text.
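The expiration and no-plain-text guidelines above can be enforced on the server side roughly as follows. This is an added example, not part of the Postmark templates or the original post; the one-hour lifetime, the in-memory `STORE`, the `/reset?token=` URL shape and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

RESET_TTL_SECONDS = 3600  # assumed lifetime; the post only says the link must expire

# Constructed stand-in for a database table: token hash -> record.
STORE = {}


def token_digest(token: str) -> str:
    # Only the hash is stored, so a leaked table cannot be replayed as reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a random token for user_id and return it for use in the emailed link."""
    now = time.time() if now is None else now
    for record in STORE.values():
        if record["user_id"] == user_id:
            record["used"] = True  # a new request supersedes older links
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    STORE[token_digest(token)] = {
        "user_id": user_id,
        "expires_at": now + RESET_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is known, unexpired and unused, else None."""
    now = time.time() if now is None else now
    record = STORE.get(token_digest(token))
    if record is None or record["used"] or now >= record["expires_at"]:
        return None
    record["used"] = True  # single use: a second click on the same link fails
    return record["user_id"]


def build_reset_link(base_url: str, token: str) -> str:
    # The email carries only this link, never a current or new password.
    return f"{base_url}/reset?token={token}"
```

The user chooses a new password only after `redeem_reset_token` succeeds, so no password ever travels by email.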

The Research

To create a template that was clear, effective, and secure, we researched password reset emails from companies we respect. These emails became the backbone of our template. Below you can see what we liked and what we would improve in each one.

Stripe



Clear subject line

Identify who the password reset is for

Clear call to action

Reassuring statement if password reset wasn’t intended

Reply-to goes to a real person or support address

For security, the password reset link expires after a certain period of time

KickoffLabs



Clear subject line

Identify who the password reset is for

Clear call to action

Reassuring statement if password reset wasn’t intended

Reply-to goes to a real person or support address

For security, the password reset link expires after a certain period of time

Buffer

Clear subject line

Identify who the password reset is for

Clear call to action

Reassuring statement if password reset wasn’t intended

Reply-to goes to a real person or support address

For security, the password reset link expires after a certain period of time

Wistia

Clear subject line

Identify who the password reset is for

Clear call to action

Reassuring statement if password reset wasn’t intended

Reply-to goes to a real person or support address

For security, the password reset link expires after a certain period of time

Airbnb

Clear subject line

Identify who the password reset is for

Clear call to action

Reassuring statement if password reset wasn’t intended

Reply-to goes to a real person or support address

For security, the password reset link expires after a certain period of time

Zapier

Clear subject line

Identify who the password reset is for

Clear call to action

Reassuring statement if password reset wasn’t intended

Reply-to goes to a real person or support address

For security, the password reset link expires after a certain period of time

A disastrous password email

This is an account welcome email. Despite that fact, it’s still a fine example of what not to do in password reset emails. The email’s subject and greeting are good, yet it sends my account’s password in plain text. When I first received this email, I was surprised to see it handled security so poorly. After all, it’s 2015 and businesses should know better. Never send users a password in plain text because it’s a huge security vulnerability.

What do you think of the Postmark Password Reset Template? Are there any improvements we could make? If so, please let us know in the comments or send a pull request!
