I have a bit of a puzzling question regarding password reset emails, particularly with how they relate to user verification. We recently had a situation involving an account on a third-party accounting website that was tied to a former employee. The new accountant needed access, but the old email associated with the account no longer exists. We use Barracuda for our email filtering, which manages to catch emails directed at our domain even if the specific username is no longer valid. We were able to receive a "what's my username?" email without any issues, but when we tried to request a password reset, the message remained unreadable with a "0 bytes - message may still be downloading" note, and the actual content never showed up.
In the end, we managed to solve the problem by adding the old email address as an alias to the new accountant's email, and the password reset email finally came through. I initially tried creating just a distribution group and adding the accountant to it, but the message still wouldn't download. So my main question is: do password reset emails have some sort of verification process before the full content is sent? It seems like there's some security check, but I couldn't find any definitive answers online.
3 Answers
I think there might be a mix-up here. When resetting passwords, especially for a service that’s not directly linked to 365, it shouldn't matter whether you're using a distribution group or an alias. The third-party site should handle any legitimate email address appropriately without getting caught up on account types, right?
Did you check if the distribution list was set to allow external emails? Barracuda has a history of rejecting initial handshakes on certain messages, so it might be a factor there. I’ve had moments where I forgot to enable that setting, and it caused issues like this.
Same here! I’ve missed that option more times than I’d like to admit. It can be a real headache!
From my experience with Barracuda, it typically requires the email address to actively exist in order for messages to be processed. If the filter recognizes that the account is no longer valid, the email may just get blocked altogether. In my current setup with Office 365, I convert old accounts into shared mailboxes, which keeps the email functional for occasions like this. Previously, I added the email to my own mailbox and created rules to manage incoming mail. This way, I always had a way to access those emails instead of losing them.

Ah got it! Thanks for clarifying! I was just curious if some services took extra steps to verify the email before sending out sensitive info like that.
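The two workarounds discussed above (converting the departed user's mailbox to a shared mailbox, or adding the old address as an alias on the new accountant's mailbox) plus the external-sender check mentioned in the comments, as an added Exchange Online PowerShell example that is not from any poster in this thread; the addresses and group name are assumed placeholders.

```powershell
# Added example, not from the thread. Requires the ExchangeOnlineManagement module.
# Assumed placeholder values: contoso.example, the two addresses and the group name.
Connect-ExchangeOnline

$old = "former.employee@contoso.example"   # address the third-party site still has on file
$new = "new.accountant@contoso.example"    # person who now needs the reset mail

# Use ONE of the two options below: Exchange refuses to assign an SMTP address
# that is already held by another recipient, so A and B cannot both be applied.

# Option A: keep the departed user's mailbox alive as a shared mailbox so mail to
# the old address still lands somewhere reachable.
Set-Mailbox -Identity $old -Type Shared
# Grant access only to the person who needs it; the shared mailbox receives every
# message sent to the old address, password-reset links included.
Add-MailboxPermission -Identity $old -User $new -AccessRights FullAccess -AutoMapping $true

# Option B (what the asker ended up doing): attach the old address as an
# additional SMTP alias on the new accountant's mailbox.
# Set-Mailbox -Identity $new -EmailAddresses @{add = "smtp:$old"}

# From the comments: a distribution group that requires authenticated senders
# rejects mail from an outside service such as the accounting site.
$dg = Get-DistributionGroup -Identity "accounting-legacy"
if ($dg.RequireSenderAuthenticationEnabled) {
    Set-DistributionGroup -Identity $dg.Identity -RequireSenderAuthenticationEnabled $false
}

# Confirm what Exchange Online actually received for the old address; a reset
# message absent here was stopped upstream (the spam filter), not by Exchange.
Get-MessageTrace -RecipientAddress $old -StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, Subject, Status
```

Whichever option is used, the old address now delivers to a live person, so it is worth removing the alias or the mailbox permission once the account on the third-party site has been re-pointed at the new accountant's own address.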