The password reset function sends out a verification email to the user requesting it to make sure he/she is really the person requesting the reset.

This email message is sent by the server -- i.e., it's being sent by a "robot." 

The user's incoming mail server usually recognizes this and its spam detection mechanisms start analyzing the message.  This is the first level of spam detection where a false positive may occur (false positive meaning that the message is incorrectly identified as a spam). 

Once it is cleared, the message is delivered to the user's mailbox.  This is the second level of spam detection where the message can get falsely identified as spam and thus put in the junk-mail box (or depending on the mail client - may be deleted altogether).  This s especially true within corporate email systems where many content types may get immediately blocked by the corporate communication policy.

On top of all of this, if the user is using an email alias (say, the password reset code was sent to joealum@alum.mit.edu which in turn forwards it to joealum@aol.com), the forwarding hop may also include spam detection.

All in all, we see legitimate server messages being blocked for less than 1% of the users on an established domain, and this number is under 3% on a new domain on our system.  In some cases, the user can follow these steps to correct this issue.  In others, there is nothing the user can do, and the user will have to use a different email address or request help from your site's admin to change their password; these instances are rare.