you will only need 1 page to accomplish this. as office guy has pointed out, there's no need to make things any more difficult than needed by having the user have to click a gazillion different links just to reset the password.
on the email password page, create the form with the email text box, the secret question select list and the answer text box.
create one recordset to look up the email address. Create an if statement that will redirect to the email password page with a query string variable indicating the email was no good:
<?php
if($totalRows_recordsetName < 1 && $_SERVER["REQUEST_METHOD"] == "POST") {
header("Location: emailPW.php?email=0");
}
?>
then create an if statement to show an error message:
<?php if(isset($_GET['email']) && $_GET['email'] == "0") { ?>
the email address you entered is not valid
<?php } ?>
create another recordset to lookup all 3, the email, question and answer combination that was entered. you can create similar if statements for redirect and showing error message, just change the querystring variable name.
Then use universal email to send the email only if this second recordset is not empty. On the general tab, you can select the triggers, one of the triggers available will be if recordset is not empty.