First, you can simply go directly to the Apple site to do all that. No need to click any links in an email. Which is a good rule to follow, anyway.
Second, unless you specifically enabled the images for this one message, you must have "Show html" enabled in your browser. If so, any images sent (like the Apple logo) were sent when you opened the message. That actually sent a message back to the server that contained/stored the image(s) and recorded your request. That info now includes your address and that you will open messages with images included. While not usually a threat to Macs, that is a known vector for malware for Windows computers. Why have a 'door' open?
Third, you can always see what a link 'points' to by hovering your cursor over it. If the first part of that one doesn't say "https://apple.iforgot.com.cgi-bin/resetPassword.cgi?..." it's fake. That "apple.com" part absolutely must be just after the "://" part. Anything else could just be the scammer's server; even if it actually had "apple.com" in it somewhere else, it's still not going to Apple.
Finally, I think it probably is a valid email; here's a screenshot of one I got a few months ago. But it's super simple to make a message look exactly like that (or yours). The trick is to hide the actual server that the links send you to. Apple doesn't do us any favors by hiding it in the text.
[attachment=2937:Reset_Apple_ID.jpg]
Safest "reply" is always to go to the sender's site, hopefully one that you have bookmarked because you know it is valid.
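
The hover check described in the post, done mechanically: this is an added example, not part of the original post. It parses a link the way a browser does and accepts it only when the host is the expected domain or a subdomain of it. The expected domain `apple.com`, the function name `checkLink` and all sample links are assumptions constructed for illustration.

```javascript
// Added example (not from the post). The expected domain and every sample
// link below are constructed for illustration.
const EXPECTED_DOMAIN = "apple.com";

// Report where one href taken from a message really goes.
function checkLink(href, expectedDomain = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(href); // WHATWG URL parser, the same rules browsers apply
  } catch {
    return { ok: false, host: null, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, host: url.hostname, reason: "not https" };
  }
  if (url.username || url.password) {
    // In "https://apple.com@host/", the part before "@" is a login name.
    return { ok: false, host: url.hostname, reason: "userinfo before @" };
  }
  // The parser lower-cases the host and converts non-ASCII labels to
  // punycode; strip the optional trailing root dot before comparing.
  const host = url.hostname.replace(/\.$/, "");
  const ok = host === expectedDomain || host.endsWith("." + expectedDomain);
  return { ok, host, reason: ok ? "expected site" : "different site" };
}

const SAMPLES = [
  "https://iforgot.apple.com/",                            // subdomain of apple.com
  "https://apple.com.account-reset.example/resetPassword", // apple.com used as a prefix
  "https://account-reset.example/apple.com/resetPassword", // apple.com only in the path
  "https://apple.com@account-reset.example/reset",         // apple.com as a login name
  "https://fakeapple.com/reset",                           // name merely ends in apple.com
  "https://\u0430pple.com/reset",                          // Cyrillic "a" look-alike
  "http://iforgot.apple.com/reset",                        // right host, no TLS
];

for (const href of SAMPLES) {
  const r = checkLink(href);
  console.log(`${r.ok ? "OK" : "NO"}  ${href} -> ${r.host} (${r.reason})`);
}
```

Only the first sample passes; the others show why the comparison has to be made on the parsed host name, not on whether "apple.com" appears somewhere in the link text.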