diff --git a/lib/resources/users.js b/lib/resources/users.js
index 468ff3990..2d853f101 100644
--- a/lib/resources/users.js
+++ b/lib/resources/users.js
@@ -55,7 +55,7 @@ module.exports = (service, endpoint) => {
 
 // TODO/SECURITY: subtle timing attack here.
 service.post('/users/reset/initiate', endpoint(({ Users, mail }, { auth, body, query }) =>
- Users.getByEmail(body.email)
+ (!body.email ? Problem.user.missingParameter({ field: 'email' }) : Users.getByEmail(body.email)
 .then((maybeUser) => maybeUser
 .map((user) => ((isTrue(query.invalidate))
 ? auth.canOrReject('user.password.invalidate', user.actor)
@@ -70,7 +70,7 @@ module.exports = (service, endpoint) => {
 .then((existed) => ((existed === true)
 ? mail(body.email, 'accountResetDeleted')
 : resolve()))))
- .then(success))));
+ .then(success)))));
 
 // TODO: some standard URL structure for RPC-style methods.
 service.post('/users/reset/verify', endpoint(({ Actors, Sessions, Users }, { body, auth }) =>
diff --git a/test/integration/api/users.js b/test/integration/api/users.js
index 08857f538..5fb4d5c99 100644
--- a/test/integration/api/users.js
+++ b/test/integration/api/users.js
@@ -402,6 +402,16 @@ describe('api: /users', () => {
 asAlice.post('/v1/users/reset/verify')
 .send({ new: 'coolpassword' })
 .expect(403))));
+
+ it('should fail the request if email field is sent blank in request body', testService((service) =>
+ service.login('alice', (asAlice) =>
+ asAlice.post('/v1/users/reset/initiate')
+ .send({ email: '' })
+ .expect(400)
+ .then(({ body: { code, details } }) => {
+ details.should.eql({ field: 'email' });
+ code.should.eql(400.2);
+ }))));
 });
 }
 });
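Review bot: The new guard `!body.email` in the `/users/reset/initiate` handler only rejects falsy values, so a non-string `email` in the JSON body (a number, array or object) still flows into `Users.getByEmail(body.email)` and whatever query that builds; tightening it to `(typeof body.email !== 'string' || body.email === '' ? Problem.user.missingParameter({ field: 'email' }) : Users.getByEmail(body.email)` rejects those at the edge as well, with a type-specific Problem if the project defines one. The `Problem` binding is not visible in this hunk, so its import in the file should be confirmed. The handler's promise chain continues into the second hunk, where the matching closing parenthesis is added; the `// TODO/SECURITY: subtle timing attack here.` comment still applies to the lookup path and is unaffected by the early rejection.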
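Review bot: The new test in test/integration/api/users.js exercises only `email: ''`, while the guard it covers also fires for an absent field; a sibling `it` that sends `.send({})` and expects the same `400.2` / `{ field: 'email' }` response would pin both branches, and a third case with a non-string email (for example `.send({ email: 123 })`) would document what the endpoint is expected to do for wrong-typed input. The assertion style (`details.should.eql`, `code.should.eql`) matches the surrounding tests, so no style change is needed. The enclosing `describe` block starts and ends outside the hunk.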