POP3: Post Office Protocol Version 3
A simple, lightweight protocol for downloading email from a server to a local client. POP3 follows a download-and-delete model that keeps things straightforward for single-device email access.
- Type: Application Layer
- Ports: 110 (plain) / 995 (TLS)
- Transport: TCP
- Standard: RFC 1939
What is POP3?
POP3 (Post Office Protocol version 3) is a standard internet protocol for retrieving email from a remote server to a local client. It is designed for a simple workflow: connect to the server, download messages, optionally delete them, and disconnect. This "download-and-delete" model makes POP3 ideal for users who access email from a single device and prefer to store messages locally.
The Post Office Protocol was first introduced in 1984 as POP1 (RFC 918), followed by POP2 (RFC 937) in 1985. POP3, the version still in use today, was standardized in RFC 1939 in 1996. Despite being over two decades old, POP3 remains widely supported by email providers and clients because of its simplicity and low resource requirements.
Unlike IMAP, which synchronizes messages across multiple devices and maintains server-side state, POP3 treats the server as a temporary holding area. Once messages are downloaded, the server's copy can be removed, freeing up storage. This makes POP3 simpler to implement but less suitable for users who need to read email from multiple devices. POP3 works alongside SMTP, which handles the sending side of email. SMTP delivers messages to the server, and POP3 picks them up for the end user.
How POP3 Works
A POP3 session follows a strict progression through three states: Authorization, Transaction, and Update. The client connects to the server on port 995 (POP3S with implicit TLS) or port 110 (plain text, optionally upgraded with STARTTLS), and then moves through each state in sequence.
- Connect: The client establishes a TCP connection to the POP3 server. If using port 995, the TLS handshake occurs immediately. On port 110, the client may issue STLS (STARTTLS) to upgrade the connection before authenticating.
- Authorization State: The server sends a greeting (e.g., +OK POP3 server ready). The client provides credentials using USER/PASS or APOP. On success, the session enters the Transaction state.
- Transaction State: The client interacts with the mailbox. It can list messages (LIST), retrieve them (RETR), mark them for deletion (DELE), check mailbox statistics (STAT), and more. No changes are permanent yet.
- Update State: When the client sends QUIT, the server enters the Update state. It permanently removes all messages marked for deletion during the Transaction state, then closes the connection.
This three-state model is one of POP3's defining features. The separation of the Transaction and Update states means that if the connection drops unexpectedly (before QUIT is sent), no messages are permanently deleted. Deletions only take effect when the session ends cleanly.
Where POP3 Fits in Email Delivery
Email delivery involves multiple protocols working together. SMTP handles the "push" side, transferring messages between mail servers until they reach the recipient's server. POP3 handles the "last mile," pulling messages from the server down to the user's device.
- Sender composes: The sender writes an email in their mail client (Mail User Agent).
- SMTP submission: The client sends the message to the outgoing mail server via SMTP on port 587.
- SMTP relay: The sender's mail server looks up the recipient's MX record in DNS and relays the message to the recipient's mail server via SMTP on port 25.
- Server storage: The recipient's mail server stores the message in the user's mailbox.
- POP3 retrieval: The recipient's email client connects to the server via POP3 on port 995, downloads the message, and optionally deletes the server copy.
In this chain, POP3 only appears at the very end. It has no role in routing or delivering messages between servers. Its sole purpose is to let the end user download their mail from the final destination server.
POP3 Session States
Every POP3 session passes through three well-defined states. Each state allows a specific set of commands, and the session progresses strictly from one state to the next.
Authorization State
This is the first state after the TCP connection is established. The server sends a greeting line starting with +OK, which may include a timestamp for APOP authentication. The client must identify itself before accessing the mailbox.
- USER/PASS: The most common method. The client sends USER alice followed by PASS secret. The password is sent in plain text, which is why TLS encryption is essential.
- APOP: A challenge-response mechanism. The server includes a unique timestamp in its greeting. The client computes an MD5 hash of the timestamp combined with a shared secret and sends it with APOP alice <md5digest>. This avoids sending the password in plain text, but APOP is rarely used today because TLS provides stronger protection.
If authentication fails, the server responds with -ERR and the session remains in the Authorization state. After successful authentication, the server locks the mailbox (preventing concurrent access) and transitions to the Transaction state.
Transaction State
Once authenticated, the client can interact with the mailbox. Messages are identified by sequential numbers starting at 1. The client can perform any of the following operations:
- STAT: Returns the number of messages and the total size of the mailbox in octets (bytes). Example response: +OK 3 12500 (3 messages totaling 12,500 bytes).
- LIST: Lists all messages with their number and size, or a single message if a number is provided. This lets the client decide which messages to download.
- RETR: Retrieves the full content of a message, including headers and body. The response is a multi-line block terminated by a line containing only a period.
- DELE: Marks a message for deletion. The message is not actually removed until the session enters the Update state. If the connection drops before QUIT, the message remains intact.
- TOP: Fetches the headers of a message plus a specified number of body lines. Useful for previewing messages without downloading the entire content.
- UIDL: Returns a unique identifier for each message. Unlike sequential message numbers (which can change between sessions), UIDs are persistent. Clients use UIDs to track which messages have already been downloaded.
- NOOP: Does nothing but keeps the connection alive. The server responds with +OK.
- RSET: Unmarks all messages that were previously marked for deletion during this session. This effectively cancels all pending deletions.
Update State
The Update state is entered when the client sends the QUIT command. The server performs the following steps in order:
- Permanently deletes all messages marked with DELE during the Transaction state.
- Releases the mailbox lock so other sessions can access it.
- Sends a final +OK response and closes the TCP connection.
If the connection is terminated without a QUIT command (due to a network failure, for example), the server does not delete any messages. This design protects against accidental data loss and is one of POP3's most important safety features.
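The three states described above, as an added example that is not part of the original page: a toy in-memory session model showing that DELE only marks messages and that deletions are committed on a clean QUIT but discarded on a dropped connection. The class name `Pop3Session`, its methods, and the mailbox contents are hypothetical and constructed for illustration.

```python
import hmac
class Pop3Session:  # hypothetical toy model of the state machine, not a real server
    def __init__(self, mailbox, users):
        self.mailbox, self.users = mailbox, users   # {msg_no: bytes}, {user: password}
        self.state, self.user, self.marked = "AUTHORIZATION", None, set()

    def command(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()                         # commands are case-insensitive
        if verb == "QUIT":
            return self._quit()
        handler = {"AUTHORIZATION": self._authorize, "TRANSACTION": self._transact}
        return handler[self.state](verb, arg) if self.state in handler else "-ERR session closed"

    def _authorize(self, verb, arg):
        if verb == "USER":
            self.user = arg
            return "+OK send PASS"
        if verb == "PASS" and self.user is not None:
            expected = self.users.get(self.user)
            if expected is not None and hmac.compare_digest(expected.encode(), arg.encode()):
                self.state = "TRANSACTION"          # a real server locks the mailbox here
                return "+OK mailbox ready"
            return "-ERR authentication failed"     # session stays in AUTHORIZATION
        return "-ERR not valid in AUTHORIZATION state"

    def _transact(self, verb, arg):
        live = {n: m for n, m in self.mailbox.items() if n not in self.marked}
        if verb == "STAT":
            return "+OK %d %d" % (len(live), sum(map(len, live.values())))
        if verb == "DELE":
            if not arg.isdecimal() or int(arg) not in live:
                return "-ERR no such message"
            self.marked.add(int(arg))               # marked only; nothing is removed yet
            return "+OK message marked"
        if verb == "RSET":
            self.marked.clear()                     # cancel all pending deletions
            return "+OK"
        return "-ERR not implemented in this sketch"

    def _quit(self):
        if self.state == "TRANSACTION":             # UPDATE: commit only on a clean QUIT
            for n in self.marked:
                del self.mailbox[n]
        self.state = "CLOSED"
        return "+OK bye"

    def drop(self):                                 # connection lost without QUIT
        self.marked.clear()                         # pending deletions are discarded
        self.state = "CLOSED"
```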
POP3 Commands
POP3 has a deliberately small command set. Each command is a short keyword, optionally followed by arguments. Here is the complete reference:
| Command | State | Purpose | Example |
|---|---|---|---|
| USER | Authorization | Send username | USER alice |
| PASS | Authorization | Send password | PASS secret |
| APOP | Authorization | Challenge-response auth | APOP alice md5digest |
| STAT | Transaction | Get message count and size | STAT |
| LIST | Transaction | List message numbers and sizes | LIST |
| RETR | Transaction | Retrieve a message | RETR 1 |
| DELE | Transaction | Mark message for deletion | DELE 1 |
| TOP | Transaction | Fetch headers + N lines | TOP 1 10 |
| NOOP | Transaction | Keep connection alive | NOOP |
| RSET | Transaction | Unmark all deletions | RSET |
| UIDL | Transaction | Get unique ID for messages | UIDL |
| QUIT | Any | End session (apply deletions) | QUIT |
All commands are case-insensitive, though uppercase is conventional. Arguments are separated by spaces. The entire command set fits on a single page, which reflects POP3's philosophy of keeping things as simple as possible.
POP3 Response Codes
POP3 uses a straightforward response format. Every server reply begins with one of two status indicators:
- +OK: The command was executed successfully. The rest of the line contains additional information, such as message counts or confirmation text.
- -ERR: The command failed. The rest of the line describes what went wrong (e.g., -ERR no such message or -ERR authentication failed).
Some commands produce multi-line responses. For example, LIST without an argument returns one line per message, and RETR returns the full message content. Multi-line responses are terminated by a line containing only a single period (.). If a line in the message body starts with a period, the server adds an extra period at the beginning (called "dot-stuffing"). The client strips the extra period when reading the response.
This two-code system (+OK and -ERR) is far simpler than SMTP's three-digit numeric codes or IMAP's tagged responses. It makes POP3 easy to implement and debug, even with basic tools like telnet or openssl s_client.
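A parser for the response format described above, as an added example that is not part of the original page. It handles the +OK / -ERR status line, the lone-period terminator, and dot-stuffing in both directions; the function names and the sample message are hypothetical and constructed.

```python
class Pop3ProtocolError(Exception):
    pass

def parse_status(line: bytes):
    """Return (ok, text) for a status line; anything but +OK / -ERR is an error."""
    for prefix, ok in ((b"+OK", True), (b"-ERR", False)):
        if line.startswith(prefix):
            return ok, line[len(prefix):].strip().decode("ascii", "replace")
    raise Pop3ProtocolError("malformed status line: %r" % line[:40])

def dot_stuff(body_lines):
    """Server side: prefix '.' to lines starting with '.', then append the terminator."""
    stuffed = [(b"." + ln if ln.startswith(b".") else ln) for ln in body_lines]
    return b"".join(ln + b"\r\n" for ln in stuffed) + b".\r\n"

def parse_multiline(raw: bytes, max_bytes: int = 32 * 1024 * 1024):
    """Client side: parse one complete multi-line reply into (ok, text, body_lines)."""
    if len(raw) > max_bytes:                 # bound memory use on broken servers
        raise Pop3ProtocolError("response too large")
    lines = raw.split(b"\r\n")
    ok, text = parse_status(lines[0])
    if not ok:
        return ok, text, []                  # -ERR replies are always single-line
    body = []
    for line in lines[1:]:
        if line == b".":                     # lone period: end of this response
            return ok, text, body
        if line.startswith(b"."):
            line = line[1:]                  # strip the stuffed period
        body.append(line)
    raise Pop3ProtocolError("missing terminator (truncated response)")

# Constructed sample: a message whose body contains a line that is just "."
SAMPLE_BODY = [b"Subject: test", b"", b"line one", b".", b"..two dots", b"after"]
```

If the server skipped the stuffing step, the body line containing only a period would be read as the terminator and the message would be silently truncated at that point.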
POP3 vs IMAP
POP3 and IMAP both retrieve email from a server, but they follow fundamentally different models. POP3 downloads and removes messages, while IMAP synchronizes and manages them on the server. Here is a detailed comparison:
| Feature | POP3 | IMAP |
|---|---|---|
| Model | Download and delete | Sync and access |
| Messages After Retrieval | Removed from server (default) | Stay on server |
| Multi-Device | Not designed for it | Full multi-device sync |
| Folders | No server-side folders | Full folder management |
| Search | No server-side search | Server-side SEARCH command |
| Bandwidth | Downloads full messages | Fetches headers first, bodies on demand |
| Offline Access | Full (messages are local) | Partial (cached) |
| Server Resources | Minimal (mailbox empties) | More storage needed |
| Complexity | Very simple | More complex |
| Port (TLS) | 995 | 993 |
For most users today, IMAP is the better choice because it supports multiple devices and keeps messages accessible from anywhere. POP3 still has its place in specific scenarios where simplicity, offline access, or minimal server storage are the priority.
When to Use POP3
While IMAP dominates modern email workflows, POP3 remains the right tool for several use cases:
- Single-device email access: If you only check email from one computer or phone, POP3's download model works perfectly. Messages live on your device, and the server stays clean.
- Limited server storage: Free email accounts often come with storage caps. POP3 lets you download messages and free up server space without losing any mail.
- Full offline access: Because POP3 downloads entire messages, you have complete access to your email without an internet connection. IMAP clients cache messages, but the experience can be inconsistent when offline.
- Privacy-conscious users: If you prefer not to leave copies of your email on a third-party server, POP3's download-and-delete model ensures messages exist only on your local device.
- Embedded systems and IoT: Simple devices that need to fetch alerts or notifications from a mailbox benefit from POP3's minimal protocol overhead. A basic POP3 client can be implemented in a few hundred lines of code.
- Archiving: Organizations that want to archive email locally can use POP3 to pull messages from the server and store them in a local archive system, keeping the mailbox clean while preserving every message on local storage.
POP3 Security
In its original form, POP3 sends everything in plain text, including usernames and passwords. Modern deployments address this with several security layers:
POP3S (Port 995)
POP3S wraps the entire POP3 session inside a TLS connection from the very first byte. The client performs a TLS handshake immediately upon connecting to port 995, and all subsequent POP3 commands and responses are encrypted. This is called "implicit TLS" and is the recommended way to secure POP3 today.
STARTTLS on Port 110
As an alternative to POP3S, clients can connect to port 110 in plain text and then issue the STLS command to upgrade the connection to TLS. This is "opportunistic TLS" and has the same encryption strength as POP3S once the upgrade completes. However, implicit TLS on port 995 is preferred because it avoids the window of vulnerability before the upgrade and cannot be downgraded by a network attacker.
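A client-side sketch of the two options above, added here as an example and not taken from the original page, using Python's standard `poplib` and `ssl` modules. The helper names are hypothetical; the point is that the STLS path fails closed, so credentials are never sent if the upgrade is missing or refused.

```python
import poplib
import ssl

def strict_tls_context() -> ssl.SSLContext:
    """Certificate and hostname verification on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def connect_implicit_tls(host: str, timeout: float = 15.0) -> poplib.POP3_SSL:
    """Port 995: the TLS handshake completes before any POP3 byte is exchanged."""
    return poplib.POP3_SSL(host, 995, timeout=timeout, context=strict_tls_context())

def connect_stls(host: str, timeout: float = 15.0) -> poplib.POP3:
    """Port 110 + STLS, failing closed: no credentials unless the upgrade succeeded."""
    conn = poplib.POP3(host, 110, timeout=timeout)
    try:
        conn.stls(context=strict_tls_context())  # raises error_proto if STLS is not offered
    except (poplib.error_proto, ssl.SSLError):
        conn.close()                             # never fall back to plain-text USER/PASS
        raise
    return conn

def login(conn: poplib.POP3, user: str, password: str) -> int:
    """Authenticate over the already-encrypted connection; return the STAT message count."""
    conn.user(user)
    conn.pass_(password)
    count, _size = conn.stat()
    return count
```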
APOP Authentication
APOP uses a challenge-response mechanism based on MD5 hashing to avoid sending the password in plain text. The server includes a unique timestamp in its greeting, and the client hashes this timestamp with the shared secret. While APOP is more secure than plain USER/PASS without TLS, it relies on the weak MD5 algorithm and is rarely used in modern deployments. TLS encryption makes APOP largely unnecessary.
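The APOP exchange from both sides, as an added example that is not part of the original page. The greeting, user name, shared secret and expected digest are the sample values from RFC 1939's APOP section; the function names are hypothetical.

```python
import hashlib
import hmac
import re

# The greeting timestamp has the form <process-id.clock@hostname>.
_TIMESTAMP = re.compile(rb"<[^<>\s]+@[^<>\s]+>")

def greeting_timestamp(greeting: bytes):
    """Extract the APOP timestamp from a +OK greeting, or None if APOP is not offered."""
    if not greeting.startswith(b"+OK"):
        return None
    match = _TIMESTAMP.search(greeting)
    return match.group(0) if match else None

def apop_digest(timestamp: bytes, secret: bytes) -> str:
    """MD5 over the timestamp (angle brackets included) followed by the shared secret."""
    return hashlib.md5(timestamp + secret).hexdigest()

def apop_command(greeting: bytes, user: str, secret: bytes) -> str:
    """Client side: build the APOP line for this session's greeting."""
    timestamp = greeting_timestamp(greeting)
    if timestamp is None:
        raise ValueError("greeting carries no timestamp; APOP is not available")
    return "APOP %s %s" % (user, apop_digest(timestamp, secret))

def server_verify(timestamp: bytes, stored_secret: bytes, client_digest: str) -> bool:
    """Server side: recompute and compare in constant time.
    The server needs the secret itself, not a salted hash, to do this."""
    expected = apop_digest(timestamp, stored_secret)
    return hmac.compare_digest(expected.encode(), client_digest.lower().encode())

# Sample values from the APOP example in RFC 1939.
RFC_GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
RFC_SECRET = b"tanstaaf"
```

Because the timestamp changes with every greeting, a digest captured from one session does not verify against the next one.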
OAuth2
Some email providers (notably Gmail and Microsoft 365) support OAuth2 authentication for POP3, allowing clients to authenticate with tokens instead of passwords. Support varies by provider and client, and configuration can be more involved than traditional password-based authentication.
Frequently Asked Questions
Should I use POP3 or IMAP?
For most people, IMAP is the better choice. It keeps messages on the server and syncs across all your devices, so you see the same inbox on your phone, laptop, and web browser. Choose POP3 if you only use one device, want full offline access, or need to minimize server storage usage.
Does POP3 always delete messages from the server?
No. Deletion is optional. Most email clients offer a "leave messages on server" setting that skips the DELE command. You can also configure clients to delete messages after a certain number of days or only after you manually delete them locally. By default, though, the traditional POP3 workflow is to download and then delete.
Can POP3 work with multiple devices?
Technically yes, but it is not designed for it. If you configure POP3 to leave messages on the server, multiple devices can download them. However, read/unread status, folders, and deletions are not synchronized. Each device operates independently, which often leads to duplicated downloads and inconsistent mailbox states. For multi-device access, IMAP is the right protocol.
Is POP3 secure?
POP3 itself has no built-in encryption, but POP3S (port 995) adds TLS encryption to the entire session. When using POP3S, your credentials and messages are fully protected in transit. Always use port 995 with TLS rather than plain port 110 to ensure security.
What port does POP3 use?
POP3 uses two standard ports. Port 995 is for POP3S, which provides implicit TLS encryption and is the recommended option. Port 110 is the original plain-text port, which can be upgraded to TLS using the STLS (STARTTLS) command. Always prefer port 995 for secure connections.
Is POP3 still widely used?
Yes, though its usage has declined as IMAP and web-based email have become dominant. POP3 is still supported by virtually every email provider and email client. It remains popular among users who prefer local email storage, embedded systems that need simple email retrieval, and organizations with limited server resources. Many ISP email accounts still default to POP3 access.
Related Protocols
- IMAP: The alternative email retrieval protocol that syncs messages across multiple devices
- SMTP: The protocol that handles sending and relaying email between servers
- TCP: The transport layer protocol that POP3 runs on for reliable, ordered delivery
- TLS: The encryption protocol that secures POP3 connections on port 995