* security, an attacker has more time to intercept and use the links and codes.
* UX, making the user wait 15+ minutes to do certain actions is quite terrible.
I've had a couple support requests about this. The common theme seems to be the customer is using Mimecast, and the fix is to add my sender address in a whitelist somewhere in their Mimecast configuration.
