How to Test Password-Reset Emails

Password-reset email is an account-recovery control, so testing it requires more than confirming that a link arrives. The safest implementations minimise information leakage and make reset tokens short-lived and single-use.

Developer testing8 min readReviewed 14 July 2026

Test the request screen

Submit registered and unregistered addresses and confirm that the visible response is substantially the same. This reduces account enumeration. Rate-limit repeated requests and avoid exposing internal errors or database details.

Inspect the message

Confirm that the sender identity is expected, the purpose is clear, and the link uses HTTPS on the correct domain. Avoid including passwords or unnecessary personal information. Provide a safe instruction for users who did not request the reset.

Exercise the token

A token should expire, work only once and become invalid after the password changes. Test modified, truncated, reused and cross-account tokens. Check that old sessions are handled according to the product’s security policy.

Protect test inboxes

Use only synthetic accounts with disposable inboxes. Never test the recovery of a real account through a public mailbox. Record expected behavior in an automated security regression suite using an authenticated mail-testing environment.

Quick checklist

  • Prevent account enumeration
  • Require HTTPS reset links
  • Expire and invalidate tokens
  • Test only synthetic accounts

Remember: Mailvator inboxes are public and temporary. Never use them for confidential information, financial services or long-term account recovery.