Double click email password server behavior. On the last step, you can configured ho the email is sent. by default it will send the password from the recordset. remove the password reference and click the Plus button to select the NewPW session variable which contains the unencrypted password.
Is the new password being store in the database correctly?
If so, ignore the red exclamation mark. That only means there *may* be a problem, if it is working correctly though, you can ignore it.