Skip to main content

How Password Resets Work (6-Digit Codes & Deliverability)

Duncan from Memberstack
Duncan from Memberstack
  • Updated

⏱️ TL;DR

  • No More Reset Links: Memberstack has transitioned away from legacy password reset links. Members now receive a secure 6-digit verification code to reset their password directly on your site.
  • The Spam Gotcha: Because password reset emails are transactional, they are highly sensitive. If you are using Memberstack's default sender address, these emails may land in your users' Spam/Junk folders.
  • The Fix: Configure a Custom Sender Domain in your Memberstack settings to drastically improve deliverability and keep emails out of spam.
  • Security Feature: Memberstack always displays a success message when a user submits the forgot password form—even if the email address doesn't exist in your database. This prevents hackers from harvesting your members' email addresses.

1. The Member Experience: The 6-Digit Code Flow

When a member clicks "Forgot Password" on your site, they no longer receive an email with a link that redirects them to an external page. Instead, they complete the reset directly on your site using a secure verification code.

The Step-by-Step Flow:

  1. The member enters their email address into your Forgot Password form.
  2. Memberstack sends an email containing a 6-digit verification code (e.g., 482 915).
  3. If using the pre-built modal: The member is automatically prompted to enter the code.
  4. If using custom forms (e.g., Webflow): You must redirect them to a second page containing your Reset Password form.
    • Page 1 (Forgot Password): The form must have the attribute data-ms-form="forgot-password" and an email input with data-ms-member="email".
    • Page 2 (Reset Password): The form must have the attribute data-ms-form="reset-password". Inside this form, you must include an input for the 6-digit code with the attribute data-ms-member="token", and a password input with data-ms-member="password".
  5. Once the correct code is entered into the verification field, they can type their new password and log in immediately.

2. Customizing Your Password Reset Email

  1. By default, password reset emails requested by your members will look like this 👇 where the logo and brand color are pulled from your Dashboard's Image Settings and Design.   

Screen_Shot_2022-08-31_at_9.29.38_AM.jpg

  1. If you'd like to update the reply-to email address or the actual email copy, you can do so on the email setting page.  

Update From Address

  1. You can change the "from" email by following the steps in this article.

Screen_Shot_2022-08-31_at_9.33.02_AM.jpg

2. Crucial Deliverability: Preventing the "Spam Folder" Trap

Because password resets are triggered instantly on demand, email clients (like Gmail, Outlook, and Yahoo) inspect them closely.

  • The Problem: By default, Memberstack sends these emails from support@memberstack.com or a shared generic sender pool. Because hundreds of other sites use this same pool, email filters sometimes flag these automated messages as spam.
  • The Impact: Your members will write to support saying: "I clicked reset, but I never received the email!" (When in reality, it's sitting in their Junk folder).

🛠️ How to Fix It: Set Up a Custom Sender Domain

To ensure your password reset codes arrive in your members' primary inboxes instantly, you must send them from your own custom domain (e.g., hello@yourdomain.com).

  1. In your Memberstack Dashboard, go to Emails > Transactional
  2. Click on 'Add Transactional Sender’
  3. Enter your sending email (e.g., hello@mywebsite.com) and "From Name" click Save.
  4. ⚠️ Important: Do not use a noreply@ address (like noreply@yourdomain.com). Memberstack uses Resend to deliver emails, and Resend blocks noreply@ addresses because they severely hurt inbox deliverability rates and increase spam flags. Use active addresses like hello@, support@, or welcome@.
  5. Memberstack will generate the required TXT and MX DNS records.
  6. Log into your domain registrar (GoDaddy, Namecheap, Cloudflare, etc.) and add these TXT and MX records to your DNS settings.Once the records are added, click the Verify button inside the Memberstack modal. 
  7. Once verified, all verification codes, welcome emails, and password resets will come directly from your domain, drastically boosting deliverability.

3. The "Always Success" Security Feature (Email Enumeration Protection)

  • When testing your forgot password form, you might notice that typing a completely fake email like thisisnotreal@gmail.com still displays a success message: "We've sent a verification code to your email if it exists."

Why does this happen?

  • This is a critical industry security standard called Email Enumeration Protection.
  • If Memberstack showed an error like "Email not found," malicious bots and hackers could abuse your form to test thousands of email addresses and see exactly who has an account on your website. By always showing a success message, hackers learn nothing, while real members still get their code.

4. How Admins Can Reset a Member's Password Manually

If a member is locked out or struggling to receive the automated emails, you (the admin) can reset their password manually from the dashboard.

  1. Go to the Members page in your Memberstack Dashboard.
  2. a-2.png
  3. Search for the member and click on their profile.
  4. Click the Actions button in the top right.
  5. Select Reset Password.
  6. You will be prompted with two options:
  • Automatic: Memberstack will automatically generate a secure, random temporary password. Copy this temporary password and send it to your member securely (via Slack, SMS, or direct email). Once they log in with this temporary password, they can update it to a permanent one in their profile settings.
a-4.png
  • Manual: This allows you to type in a new, specific password directly for the member. Once saved, you can share this password with them securely
a-5.png

(Note: There is no button in the admin dashboard to trigger an automated reset code email on behalf of a member; members must trigger those emails themselves via your website's form).

❓ Frequently Asked Questions (FAQ)

Q: The member says they clicked "Resend Code" but still got nothing. Is there a cooldown?
Yes. To prevent spamming and abuse of our email servers, Memberstack enforces a 60-second cooldown between resend requests. If a member clicks "Resend" multiple times in rapid succession, the system will rate-limit the requests and only send one email. Advise them to wait 2 minutes before trying again.

Q: Can I customize the design and text of the password reset email?
Yes! Go to Emails > Transactional  in your Memberstack Dashboard. In the list of templates shown, click on Password Reset. You can customize the subject line and the body copy.

Q: How long is the 6-digit verification code valid?
For security reasons, the 6-digit password reset code expires 15 minutes after it is issued. If the member enters the code after 20 minutes, they will receive an "Expired Code" error and must request a new one.

Was this article helpful?

Didn’t find your answer?

Get an instant answer from Rey, or reach a human. Either way, we’re happy to help.

Comments

No comments yet. Start the conversation below.

Please sign in to leave a comment.

Sitemap