Certain types of web filtering software may interfere with password reset links. If an automatic tool accesses the password reset page before it is opened by the actual user's client, the password recovery request will be invalid. So, if the users are using email servers or clients out of your scope, you can either add a note to the reset password email that they have to ask their IT to whitelist the reset password links or, another option would be not to use the reset password link.