@eugene.low I believe that the message stating an email has been sent is expected behavior. Lock is implement to provide this messages regardless of the user being found or not to prevent user enumeration, which can lead to multiple attack vectors. This way, an attacker cannot find out whether a particular user/email has an account in your application by brute force. The password reset emails will be sent to registered users, even though the message says an email has been sent.
When you say non-valid users are you referring to blocked users? I don’t believe a blocked user should be able to start and complete a password reset. If that is the case can you please let me know?