POP3 protocol: what it is, how it works, and when to use it

POP3 (Post Office Protocol version 3) is a protocol for downloading email from a remote server to a local device. Defined in RFC 1939 (1996). The logic is straightforward: the client connects, downloads messages, disconnects. By default, messages are deleted from the server after download and stored only on the device.

Three session phases

Every POP3 connection goes through three sequential stages:

1. Authorization. The client sends a username and password. The server verifies the credentials and places a maildrop lock on the mailbox, preventing a second concurrent connection from corrupting data.
2. Transaction. The client requests the message list, checks sizes, downloads content, and marks messages for deletion. All changes accumulate but are not applied to the mailbox until the session ends.
3. Update. The client sends QUIT. The server permanently deletes the marked messages, releases the mailbox lock, and closes the connection.

If the connection drops before QUIT, messages marked for deletion stay on the server. That behavior is intentional — it prevents data loss when the network fails mid-session.

Protocol commands

• USER / PASS — send username and password.
• APOP — MD5-hashed password authentication. Protects against credential interception, but MD5 is considered weak today. In practice, full TLS on the connection replaces it.
• STAT — returns message count and total mailbox size in octets.
• LIST — lists messages with their sequence numbers and sizes.
• RETR — downloads the full content of a message by its number.
• DELE — marks a message for deletion at session close.
• TOP — downloads headers and the first N body lines. Useful for previewing a message without fetching the whole thing.
• UIDL — returns unique identifiers for messages, letting the client track which ones it has already downloaded across sessions.
• RSET — clears all deletion marks in the current session.
• QUIT — ends the session and commits deletions.

Ports and encryption

• Port 110 — the standard POP3 port, unencrypted. Supports the STLS extension to upgrade to TLS after the initial connection (analogous to STARTTLS in SMTP).
• Port 995 — POP3S (POP3 over implicit TLS). Encryption starts from the first byte. This is the correct port for any production setup.

Unencrypted POP3 on port 110 transmits the username and password in plain text. On a public network, those credentials can be captured in seconds. Port 110 without STLS has no place in modern mail configuration.

Leave-on-server mode

Most mail clients — Thunderbird, Outlook, Apple Mail — let you configure POP3 to keep a copy on the server. In this mode the client never sends DELE, so messages stay available for download on another device.

That solves the single-device problem partially, but it does not give you sync. Read a message on your laptop, and it still shows as unread on your phone. Flags, folders, labels — POP3 does not synchronize any of that.

When POP3 is still useful

• Local archiving. A script or client pulls all incoming mail to a local server, building an offline archive. Legal and financial organizations often use this to meet mandatory retention periods.
• Tight server storage. If a provider limits a mailbox to 100 MB, POP3 with deletion keeps the quota clear.
• Single-device access. If mail is only ever read on one desktop, IMAP sync adds complexity without benefit.
• Automated processing. Monitoring systems and mail-processing pipelines sometimes use POP3 for its simplicity: connect, fetch, disconnect, done.

Protocol limitations

POP3 only handles the inbox. It has no concept of Sent, Drafts, or Trash folders. There is no server-side search. New-mail notifications require the client to poll on a timer. And RETR downloads the entire message — there is no way to fetch individual MIME parts selectively.

For anyone using two or three devices, those gaps add up fast. That is why POP3 lost ground to IMAP for personal use. On the server side it still appears in specific spots where simplicity matters more than sync.

POP3 and mail infrastructure

On the server side, POP3 is handled by an MDA (Mail Delivery Agent) — typically Dovecot or Courier. Configuring a POP3 service is simpler than IMAP because there are no server-side folder trees, indexes, or metadata caches to maintain. Server load is also lower: clients connect briefly to collect messages and disconnect, rather than holding long-lived connections open.

When deploying mail infrastructure it is reasonable to support both protocols. A number of legacy devices and embedded systems only speak POP3, and disabling the protocol can cut off their mail access entirely.