IMAP: Internet Message Access Protocol

The standard protocol for accessing and managing email on a remote server. IMAP keeps messages on the server and synchronizes state across every device you use, from your phone to your laptop to webmail.

Type: Application Layer
Ports: 143 (plain) / 993 (TLS)
Transport: TCP
Standard: RFC 9051 (IMAP4rev2)

What is IMAP?

IMAP (Internet Message Access Protocol) is the standard protocol for accessing email stored on a remote mail server. Unlike protocols that download messages to a single device, IMAP keeps all email on the server and synchronizes the state of every message (read, unread, flagged, deleted) across all connected clients. When you read an email on your phone, it appears as read on your laptop and in webmail too.

IMAP was created by Mark Crispin at Stanford University in 1986. The protocol has evolved through several revisions, with IMAP4rev1 (RFC 3501, 2003) serving as the dominant version for nearly two decades. The current version, IMAP4rev2, was published as RFC 9051 in August 2021 and incorporates many popular extensions directly into the core specification.

Today, IMAP is used by virtually every modern email client: Gmail, Outlook, Apple Mail, Thunderbird, and mobile email apps all rely on IMAP (or its principles) to deliver a consistent, synchronized inbox experience. It works hand in hand with SMTP, which handles sending email. SMTP pushes messages to the destination server, and IMAP lets recipients access and manage those messages once they arrive.

How IMAP Works

An IMAP session follows a structured flow of commands and responses between the client and the mail server. Here is how a typical session unfolds:

  1. Connect: The client opens a TCP connection to the server on port 993 (IMAPS, with implicit TLS) or port 143 (with STARTTLS upgrade).
  2. Authenticate: The client sends a LOGIN command with a username and password, or uses the AUTHENTICATE command with a SASL mechanism, such as an OAuth2-based mechanism for token-based authentication.
  3. Select a mailbox: The client issues a SELECT command to open a mailbox (for example, INBOX). The server responds with metadata: the total number of messages, the count of recent messages, flags, and the next available UID.
  4. Fetch messages: The client requests message headers, envelopes, or full bodies using the FETCH command. IMAP is efficient here because clients can fetch only what they need. For example, a mobile client might fetch just headers and download the full body only when the user taps on a message.
  5. Manage messages: The client can mark messages as read, flag them, move them between folders, or mark them for deletion using STORE, COPY, and MOVE commands. These changes are written to the server immediately and reflected on all connected devices.
  6. Logout: The client sends LOGOUT to end the session gracefully.

  Email Client (C) and IMAP Server (S), after TCP connect on port 993:

  S: * OK IMAP4rev1 server ready
  C: A001 LOGIN alice password
  S: A001 OK LOGIN completed
  C: A002 SELECT INBOX
  S: * 47 EXISTS
  S: * 2 RECENT
  C: A003 FETCH 47 (BODY[])
  S: * 47 FETCH (BODY[] {2048}...)
  C: A004 STORE 47 +FLAGS (\Seen)
  S: A004 OK STORE completed
  C: A005 LOGOUT

An IMAP session: the client authenticates, selects a mailbox, fetches a message, marks it as read, and logs out. Messages stay on the server.

Every IMAP command is prefixed with a unique tag (like A001, A002) so the client can match responses to the commands that generated them. This tagging system allows the protocol to handle multiple concurrent operations, making IMAP more capable than simpler protocols like POP3.
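
The tag matching described above, as an added example (not code from the original page): it pairs each client command with its tagged completion, attaches the untagged data seen in between, and redacts the LOGIN password so the result can be logged. The transcript is constructed and modelled on the session above; the pipelined A003/A004 pair and the function names `redact`, `correlate` and `problems` are assumptions for illustration.

```python
import re

# Constructed transcript ("C:" client, "S:" server); A003 and A004 are in flight together.
TRANSCRIPT = r"""S: * OK IMAP4rev1 server ready
C: A001 LOGIN alice password
S: A001 OK LOGIN completed
C: A002 SELECT INBOX
S: * 47 EXISTS
S: * 2 RECENT
S: A002 OK SELECT completed
C: A003 FETCH 47 (FLAGS)
C: A004 COPY 47 Archive
S: A004 NO [TRYCREATE] Mailbox does not exist
S: * 47 FETCH (FLAGS (\Seen))
S: A003 OK FETCH completed
C: A005 LOGOUT
"""

TAGGED = re.compile(r"^(?P<tag>[A-Za-z0-9.]+) (?P<status>OK|NO|BAD)\b")

def redact(command):
    """Hide the LOGIN password (simplification: unquoted username without spaces)."""
    parts = command.split(" ", 2)
    if len(parts) == 3 and parts[1].upper() == "LOGIN":
        return f"{parts[0]} LOGIN {parts[2].split(' ', 1)[0]} <redacted>"
    return command

def correlate(transcript):
    """Return {tag: {command, status, untagged}}; status None means no completion seen."""
    pending, untagged = {}, []
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            if all(e["status"] for e in pending.values()):
                untagged = []          # nothing outstanding: drop greeting/stale data
            pending[text.split(" ", 1)[0]] = {
                "command": redact(text), "status": None, "untagged": []}
        elif text.startswith("* "):
            untagged.append(text[2:])
        else:
            m = TAGGED.match(text)
            if m and m["tag"] in pending:
                entry = pending[m["tag"]]
                entry["status"] = m["status"]
                # Heuristic: untagged data goes to the next command that completes.
                entry["untagged"], untagged = untagged, []
    return pending

def problems(result):
    """Tags that failed (NO/BAD) or never received a completion."""
    return [tag for tag, e in result.items() if e["status"] != "OK"]
```
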

IMAP vs POP3

IMAP and POP3 both retrieve email from a server, but they take fundamentally different approaches. IMAP keeps messages on the server and synchronizes state across all devices. POP3 downloads messages to a single device and, by default, deletes them from the server. This core difference shapes every aspect of how the two protocols behave.

[Diagram: IMAP vs POP3. IMAP: the mail server holds Inbox, Sent, Drafts and Trash; messages stay on the server and the laptop, phone and tablet all see the same mailbox. POP3: the mail server's Inbox is downloaded to one laptop; messages are removed, so other devices see an empty inbox.]
IMAP keeps messages on the server and syncs across all devices. POP3 downloads messages to one device and typically removes them from the server.

Feature | IMAP | POP3
Messages | Stay on server | Downloaded to device
Multi-device | Full sync across all devices | Single device (typically)
Folders | Server-side folders (Inbox, Sent, Drafts, etc.) | Inbox only
Offline access | Headers cached, bodies fetched on demand | Full messages available offline
Server storage | Requires more server space | Frees server space
Bandwidth | Efficient (fetch only what you need) | Downloads everything
Port (TLS) | 993 | 995
Best for | Multiple devices, web + mobile | Single device, limited server storage

For most users today, IMAP is the right choice. The ability to access email from any device with full synchronization matches how people actually use email. POP3 still has a place for users who want to archive all email locally on one machine, or for environments where server storage is severely limited.

IMAP Commands Reference

IMAP defines a rich set of commands for authentication, mailbox management, and message manipulation. Each command is prefixed with a client-generated tag for response matching. Here are the most important commands:

Command | Purpose | Example
LOGIN | Authenticate with username and password | A001 LOGIN user password
SELECT | Open a mailbox for read/write access | A002 SELECT INBOX
EXAMINE | Open a mailbox in read-only mode | A003 EXAMINE Sent
FETCH | Retrieve message data (headers, body, flags) | A004 FETCH 1:5 (FLAGS ENVELOPE)
STORE | Modify message flags | A005 STORE 3 +FLAGS (\Seen)
SEARCH | Find messages matching criteria | A006 SEARCH UNSEEN FROM "alice"
COPY | Copy messages to another mailbox | A007 COPY 1:3 Trash
MOVE | Move messages to another mailbox (extension) | A008 MOVE 5 Archive
CREATE | Create a new mailbox or folder | A009 CREATE Projects
DELETE | Delete a mailbox or folder | A010 DELETE OldFolder
LIST | List available mailboxes | A011 LIST "" "*"
IDLE | Wait for real-time server notifications | A012 IDLE
LOGOUT | End the session | A013 LOGOUT

The FETCH command is particularly flexible. Clients can request specific parts of a message, such as just the headers, the envelope metadata, a single MIME part, or the complete body. This granularity is what makes IMAP efficient over slow or metered connections.

IMAP Flags

IMAP uses flags to track the state of each message. These flags are stored on the server and synchronized to all connected clients. The protocol defines six system flags:

Flag | Meaning
\Seen | Message has been read
\Answered | Message has been replied to
\Flagged | Message is flagged or starred
\Deleted | Message is marked for deletion
\Draft | Message is a draft
\Recent | Message is new since the last session

Flags are modified using the STORE command. For example, A005 STORE 3 +FLAGS (\Seen) marks message 3 as read, while A005 STORE 3 -FLAGS (\Flagged) removes the starred flag from that message.

Deleting messages in IMAP is a two-step process. First, the client sets the \Deleted flag on the messages to be removed. Then, the client issues the EXPUNGE command, which permanently removes all messages marked with \Deleted from the mailbox. This two-step approach prevents accidental data loss and gives clients a chance to undo deletions before they become permanent.

In addition to system flags, IMAP servers can support custom (keyword) flags. Email clients use these for features like labels, categories, and other user-defined classifications.

IMAP IDLE: Push Notifications for Email

One of IMAP's most important extensions is IDLE, defined in RFC 2177. Without IDLE, an email client must poll the server at regular intervals to check for new messages. This is inefficient: frequent polling wastes bandwidth and battery, while infrequent polling means delays in receiving new mail.

IMAP IDLE solves this problem by allowing the server to push notifications to the client in real time. Here is how it works:

  1. The client sends the IDLE command to the server.
  2. The server acknowledges with a continuation response and the connection stays open.
  3. When a new message arrives, the server immediately sends an untagged EXISTS response to the client, indicating the new message count.
  4. The client sends DONE to exit IDLE mode and then fetches the new messages.
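
The four steps above as a client-side state machine, added here as an example (not code from the original page). The server lines are constructed, and the function name `run_idle` and the follow-up FETCH with tag A013 are assumptions for illustration.

```python
import re

def run_idle(server_lines, known_count, tag="A012", next_tag="A013"):
    """Drive one IDLE cycle over an iterable of server lines.

    Returns (sent, count): the lines the client sent, in order, and the
    mailbox message count known afterwards.
    """
    sent = [f"{tag} IDLE"]                      # step 1: enter IDLE
    state, count = "await_continuation", known_count
    for line in server_lines:
        if state == "await_continuation":
            if line.startswith("+"):            # step 2: continuation response
                state = "idling"
            elif line.startswith(tag + " "):    # tagged reply instead: IDLE refused
                return sent, count
        elif state == "idling":
            m = re.fullmatch(r"\* (\d+) EXISTS", line)
            if m and int(m.group(1)) > count:   # step 3: new message count pushed
                count = int(m.group(1))
                sent.append("DONE")             # step 4: leave IDLE mode
                state = "await_ok"
        elif state == "await_ok" and line.startswith(tag + " OK"):
            # New messages occupy the sequence numbers above the old count.
            sent.append(f"{next_tag} FETCH {known_count + 1}:{count} (FLAGS ENVELOPE)")
            break
    return sent, count

# Constructed server output for a mailbox that held 47 messages.
PUSH = ["+ idling", "* 48 EXISTS", "A012 OK IDLE terminated"]
REFUSED = ["A012 BAD Unknown command"]
```
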

This is the mechanism behind instant email notifications on mobile devices and desktop clients. When your phone buzzes seconds after someone sends you an email, IMAP IDLE is likely responsible. Most modern IMAP servers, including Gmail, Outlook, and Fastmail, support the IDLE extension.

IMAP Security

Securing IMAP connections is critical because email often contains sensitive personal and business information. Modern IMAP deployments use several layers of protection:

IMAPS (Port 993, Implicit TLS)

The standard approach for securing IMAP is IMAPS, which wraps the entire IMAP session in a TLS connection from the very first byte. The client connects to port 993 and performs a TLS handshake before any IMAP commands are exchanged. This is the recommended configuration for all modern deployments.

STARTTLS (Port 143)

An alternative approach uses STARTTLS on port 143. The client connects in plain text, then issues the STARTTLS command to upgrade the connection to TLS before authenticating. While this works, it is less secure than implicit TLS: the initial exchange is unencrypted, so an attacker on the network path can tamper with it and cause a downgrade to plain text. A client that uses port 143 should refuse to authenticate unless the upgrade succeeds.
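
A client-side guard against the downgrade described above, added here as an example (not code from the original page). It decides the next step before any credential is sent: no cleartext fallback when STARTTLS is missing, capabilities re-read after the upgrade, and no LOGIN when the server advertises LOGINDISABLED. The greetings are constructed, and `PreAuthPolicy` and `plan` are hypothetical names.

```python
import re

def parse_capabilities(line):
    """Capability atoms from '* CAPABILITY ...' or a '[CAPABILITY ...]' response code."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line)
         or re.match(r"\* CAPABILITY (.*)$", line))
    return {atom.upper() for atom in m.group(1).split()} if m else set()

class PreAuthPolicy:
    """Hypothetical helper: picks the next client step before authentication."""

    def __init__(self, port):
        self.tls = (port == 993)   # implicit TLS: handshake precedes the greeting
        self.caps = set()

    def observe(self, server_line):
        caps = parse_capabilities(server_line)
        if caps:
            self.caps = caps

    def tls_established(self):
        # Capabilities seen in cleartext are unauthenticated: drop them and ask again.
        self.tls, self.caps = True, set()

    def next_step(self):
        if not self.tls:
            # Never fall back to cleartext; a missing STARTTLS may have been stripped.
            return "STARTTLS" if "STARTTLS" in self.caps else "ABORT"
        if not self.caps:
            return "CAPABILITY"
        return "AUTHENTICATE" if "LOGINDISABLED" in self.caps else "LOGIN"

def plan(port, greeting, caps_after_tls="* CAPABILITY IMAP4rev1 AUTH=PLAIN"):
    """Steps the client takes for a given (constructed) greeting."""
    policy, steps = PreAuthPolicy(port), []
    policy.observe(greeting)
    while True:
        step = policy.next_step()
        steps.append(step)
        if step == "STARTTLS":
            policy.tls_established()
        elif step == "CAPABILITY":
            policy.observe(caps_after_tls)
        else:
            return steps

# Constructed greetings: an honest port-143 server, and the same with STARTTLS removed.
HONEST = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] server ready"
STRIPPED = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] server ready"
```
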

OAuth2 and Application Passwords

Major email providers like Gmail and Outlook have moved away from plain password authentication for IMAP. Instead, they require OAuth2 tokens, which provide scoped, time-limited access without exposing the user's primary password. For email clients that do not support OAuth2, these providers offer application-specific passwords: unique, randomly generated passwords that grant access only to email and can be revoked independently.

Common Use Cases for IMAP

IMAP is the protocol behind nearly every modern email experience. Here are the most common scenarios where IMAP is used:

  • Multi-device email: The most common use case. Users access the same mailbox from their phone, laptop, tablet, and webmail interface. IMAP ensures that read status, folders, and flags stay in sync across all devices.
  • Webmail: Services like Gmail, Outlook.com, and Yahoo Mail use IMAP (or IMAP-like protocols) internally to serve email through their web interfaces. When you use Gmail in a browser, the underlying access pattern mirrors IMAP behavior.
  • Shared and team mailboxes: Businesses often set up shared mailboxes (such as support@company.com) where multiple team members access the same inbox via IMAP. Flags and folder organization are visible to everyone on the team.
  • Enterprise email: Organizations running their own mail servers (Dovecot, Cyrus, Microsoft Exchange) expose IMAP access for employees using desktop and mobile clients.
  • Mobile email apps: iOS Mail, Gmail for Android, Outlook Mobile, and other mobile clients connect to mail servers via IMAP. The IDLE extension provides real-time push notifications without constant polling.
  • Desktop email clients: Thunderbird, Apple Mail, and Microsoft Outlook all support IMAP as their primary protocol for connecting to mail servers. Users configure IMAP settings (server, port, encryption) when adding an email account.

Frequently Asked Questions

Should I use IMAP or POP3?

For most people, IMAP is the better choice. If you access email from more than one device (phone, laptop, webmail), IMAP keeps everything in sync automatically. POP3 is only preferable if you want to download all mail to a single computer and free up server storage, or if you need full offline access to every message without an internet connection.

Does IMAP use more storage on the server?

Yes. Because IMAP keeps all messages on the server, your mailbox consumes server-side storage. This is the tradeoff for multi-device synchronization. Most email providers offer generous storage (15 GB or more for free accounts), so this is rarely a problem in practice. If storage is a concern, you can periodically archive or delete old messages.

What is IMAP IDLE?

IMAP IDLE is an extension (RFC 2177) that enables real-time push notifications. Instead of the client polling the server repeatedly to check for new mail, the client enters IDLE mode and the server notifies it instantly when a new message arrives. This saves bandwidth, reduces latency, and extends battery life on mobile devices.

Can I access IMAP offline?

IMAP itself requires a connection to the server, but most email clients cache messages locally for offline reading. When you open your email app on an airplane, you can read previously synced messages. Any actions you take offline (reading, deleting, moving) are queued and synchronized when the connection is restored.

What port does IMAP use?

IMAP uses two standard ports. Port 993 is for IMAPS (IMAP over implicit TLS) and is the recommended configuration. Port 143 is used for plain IMAP connections, typically upgraded to TLS via the STARTTLS command before authentication. Always use TLS encryption, whether implicit on port 993 or via STARTTLS on port 143.

What is the difference between IMAP and Exchange/ActiveSync?

IMAP is an open standard focused on email access and folder management. Microsoft Exchange ActiveSync is a proprietary protocol that synchronizes email, calendars, contacts, and tasks in a single connection. Exchange offers richer functionality (calendar sync, GAL lookups, remote wipe), but it is limited to Microsoft's ecosystem. Many organizations use Exchange for their internal infrastructure while also exposing IMAP access for third-party clients that do not support ActiveSync.

Related Protocols

  • POP3: The simpler alternative for email retrieval that downloads messages to a single device
  • SMTP: The protocol for sending email, working alongside IMAP to complete the email ecosystem
  • TCP: The transport layer protocol that IMAP runs on for reliable, ordered delivery
  • TLS: The encryption protocol that secures IMAP connections on port 993 (IMAPS)