IMAP Protocol: what it is, how it works, and why it matters

IMAP (Internet Message Access Protocol) is a protocol for reading email where messages stay on the server. The client requests content on demand: it fetches headers, downloads a specific message body, moves messages between folders. Every action syncs immediately to any device connected to the same mailbox.

The protocol dates to 1986. IMAP4rev1, defined in RFC 3501 (2003), became the version that actually shipped in real clients. RFC 9051 followed in 2021, defining IMAP4rev2, which cleaned up ambiguities in the older spec and folded in several widely-used extensions.

How it works

POP3 downloads messages to the local device. IMAP works differently: the server stays the single source of truth. An email client (Thunderbird, Apple Mail, a mobile app) connects to the server, requests the message list for the selected folder, and renders headers. The message body loads only when the user opens it. Attachments download separately, on demand.

That approach saves bandwidth. On a slow mobile connection, a client can display a list of 200 messages in under a second because only headers were fetched, not full messages with attachments.

Server folders and flags

IMAP supports a folder hierarchy on the server: Inbox, Sent, Drafts, Trash, Junk, and any custom folders the user creates. Creating, renaming, and deleting folders all happen on the server via protocol commands. The client just renders the result.

Each message carries a set of flags: \Seen (read), \Answered (replied to), \Flagged (starred), \Deleted (marked for removal), \Draft (unsent). Read a message on your laptop and the server sets \Seen. Open the mailbox on your phone and the message is already marked read. That is state synchronization in practice.

Ports and encryption

• Port 143 — the standard IMAP port. The connection starts unencrypted; the client can upgrade to a secure channel with the STARTTLS command, after which all further traffic is encrypted.
• Port 993 — IMAPS (IMAP over implicit TLS). Encryption is established from the first byte of the connection. RFC 8314 recommends this option.

Gmail, Outlook.com, Yahoo Mail, and most other providers support both ports, but client setup defaults to port 993 with TLS. Port 143 without STARTTLS is rare in modern deployments: passing credentials in plaintext is a straightforward path to account compromise.

Key protocol commands

IMAP is a text-based protocol where each command is prefixed with a tag (an arbitrary identifier, e.g. a001). The server echoes the same tag in its response, so the client can pipeline multiple commands without waiting for each reply.

• LOGIN — authenticates with username and password. Secure configurations replace this with AUTHENTICATE using a SASL mechanism.
• SELECT — opens a folder. The server returns the message count, unread count, and the UIDVALIDITY value.
• FETCH — retrieves message data: headers, body, flags, MIME part structure. You can request only specific fields.
• SEARCH — server-side search by criteria: date, sender, subject, size, flags, body text.
• STORE — sets or clears flags on messages.
• IDLE — puts the connection in a wait state for push notifications. The server alerts the client about new messages in real time, without polling on a timer.
• COPY / MOVE — copies or moves messages between folders. MOVE was introduced as an extension (RFC 6851) and is included in IMAP4rev2.

Extensions

The base protocol is extended through IANA-registered capabilities. A few worth knowing:

• CONDSTORE / QRESYNC (RFC 7162) — fast resync: the client sends the server its last known change token and receives only the delta. Critical for mobile clients with intermittent connectivity.
• COMPRESS (RFC 4978) — DEFLATE compression at the connection level. Reduces transferred data by 50-70%.
• NOTIFY (RFC 5465) — change notifications across multiple folders at once, without having to open each folder individually.
• SPECIAL-USE (RFC 6154) — standard attributes for system folders (\Sent, \Trash, \Junk). Without this extension, clients have to guess which folder holds sent or deleted mail.

IMAP vs POP3: when to use which

IMAP makes sense when the mailbox is accessed from multiple devices, when server-side search matters, or when the client runs on a slow connection. POP3 still fits narrow scenarios: archiving mail to a local server, single-device setups, or situations where minimizing server storage is the priority.

In practice, IMAP is the default for nearly every configuration in 2026. Gmail, Outlook.com, and other webmail providers use their own internal protocols internally, but expose IMAP when an external client connects.

IMAP in email marketing context

Marketers do not interact with IMAP directly: campaigns go out through SMTP. But IMAP shows up in adjacent processes. Email warmup services connect to seed mailboxes via IMAP to pull messages out of the spam folder and move them to the inbox, simulating real user behavior. Inbox placement monitoring tools use seed accounts and check via IMAP which folder the test message landed in.

When deploying your own mail infrastructure (Postfix + Dovecot), a correctly configured IMAP server with TLS and current extensions is a required step. Without it, external clients and integrations cannot access the mailbox reliably.