Reset password, appropriate response if email doesn’t exist?
It is common on login forms to see "Email or password is incorrect" when the user types in their account details incorrectly, instead of just "Password is incorrect". This is, among other reasons, because it is a security vulnerability to inform users that the email is indeed registered to that site. You can read about it in this question.
However, in the case of a "Forgot password" reset page, there is only an input for the user to enter an email to get a new password sent to them. If this email is not registered to my site and I put up an error message saying "Sorry, this email is invalid", then a malicious person can come in and try emails until they find one that doesn't give that error, meaning they've found an active account.
Is there any way to avoid divulging this potentially risky information?
I can only think of possibly limiting the number of attempts to put in an email, as it shouldn't impede a normal user experience.
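One way to build the reset handler so that its response does not depend on whether the address is registered, combined with the attempt limit mentioned above (an added example, not code from the question or any answer; the user table, token store, mail queue and the 5-per-15-minutes limit are constructed stand-ins for a real backend):

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

# Constructed in-memory stand-ins for a user table, a token store and an outbound mail queue.
USERS = {"alice@example.com": "user-1"}   # constructed sample account
RESET_TOKENS = {}                         # sha256(token) -> (user_id, expires_at)
MAIL_QUEUE = deque()                      # a background worker sends these, off the request path

GENERIC_MSG = "If that address is registered, a reset link has been sent."
MAX_REQUESTS = 5          # assumed policy: requests per client per window
WINDOW_SECONDS = 900      # assumed policy: 15-minute sliding window
_attempts = defaultdict(deque)   # client_key -> deque of request timestamps


def _rate_limited(client_key, now):
    """Sliding-window limit keyed by client (e.g. source IP). Applied before any lookup,
    so the limit itself never depends on whether an account exists."""
    q = _attempts[client_key]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= MAX_REQUESTS:
        return True
    q.append(now)
    return False


def request_password_reset(email, client_ip, now=None):
    """Handle a 'forgot password' submission and return (http_status, message).

    Status and message are identical for registered and unregistered addresses. The token
    is generated and hashed on both paths so the work done is nearly the same, and the slow
    step (actually sending mail) is queued for a worker rather than done inline, which keeps
    response time from revealing which branch was taken."""
    now = time.time() if now is None else now
    if _rate_limited(client_ip, now):
        return 429, "Too many requests, please try again later."
    normalised = email.strip().lower()
    user_id = USERS.get(normalised)
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()   # store only the hash
    if user_id is not None:
        RESET_TOKENS[token_hash] = (user_id, now + 3600)      # one-hour validity (assumed)
        MAIL_QUEUE.append((normalised, token))
    return 200, GENERIC_MSG
```

Whether the address exists is now visible only in the mailbox of its owner, and repeated probing from one client is cut off by the limit rather than by a different error message.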