What is IMAP?
Internet Message Access Protocol — the standard for reading email while keeping messages on the server.
143
Standard Port
993
IMAPS (TLS/SSL)
3501
Defining RFC
1988
Year Introduced
IMAP Architecture Flow
📱 Email ClientThunderbird / Outlook
IMAP cmds (143)
▶
🖥 IMAP Servermail.server.com
Responses
▶
☁ Mail StoreMessages stay here
SMTP delivery
▶
✉ MTAMail Transfer Agent
ℹ️
Key Concept: Unlike POP3 which downloads and often deletes messages, IMAP leaves all messages on the server. Your client merely views and manages them remotely, enabling multi-device access to the same mailbox.
🔵 IMAP Advantages
- Messages stored on server — access from any device
- Folder management on the server
- Supports partial message fetch (just headers)
- Flags: Seen, Answered, Flagged, Deleted, Draft
- Server-side search capabilities
- Multiple simultaneous connections
🔴 IMAP Considerations
- Requires persistent internet connection
- Consumes server storage space
- More complex protocol than POP3
- Port 143 (unencrypted) — always use port 993
- Higher server resource usage
- Misconfigured IDLE can drain battery
IMAP Message Flags
IMAP tracks message state using server-side flags. These persist across all devices.
\\Seen
\\Answered
\\Flagged
\\Deleted
\\Draft
\\Recent
IMAP Commands
IMAP uses tagged commands — each command is prefixed with a unique tag (A001, A002…) so responses can be matched to requests.
🏷️
Tagged Commands: Every IMAP command begins with a client-generated tag (e.g.,
A001 LOGIN user@example.com mypassword). The server response includes the same tag to confirm completion.| Command | State Required | Description | Example Response |
|---|---|---|---|
| CAPABILITY | Any | List server capabilities and extensions supported | * CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN |
| STARTTLS | Not Auth | Upgrade connection to TLS encryption | A001 OK Begin TLS negotiation |
| LOGIN | Not Auth | Authenticate with username and password | A001 OK LOGIN completed |
| AUTHENTICATE | Not Auth | Authenticate via SASL mechanism (e.g., OAUTH2) | A001 OK AUTHENTICATE completed |
| SELECT | Authenticated | Open a mailbox for read/write access | * 12 EXISTS * 2 RECENT |
| EXAMINE | Authenticated | Open a mailbox for read-only access | A002 OK [READ-ONLY] EXAMINE completed |
| LIST | Authenticated | List available mailboxes / folders | * LIST (\HasNoChildren) "." INBOX |
| LSUB | Authenticated | List subscribed mailboxes | * LSUB () "." "INBOX.Sent" |
| CREATE | Authenticated | Create a new mailbox/folder on the server | A003 OK CREATE completed |
| DELETE | Authenticated | Delete an existing mailbox | A004 OK DELETE completed |
| RENAME | Authenticated | Rename a mailbox | A005 OK RENAME completed |
| STATUS | Authenticated | Query mailbox status (messages, unseen count) | * STATUS INBOX (MESSAGES 12 UNSEEN 3) |
| FETCH | Selected | Retrieve message data (headers, body, flags) | * 1 FETCH (FLAGS (\Seen) BODY[TEXT] {42}) |
| SEARCH | Selected | Search messages matching criteria on the server | * SEARCH 2 5 9 |
| STORE | Selected | Modify message flags (e.g., mark as read) | * 1 FETCH (FLAGS (\Seen \Flagged)) |
| COPY | Selected | Copy messages to another mailbox | A006 OK COPY completed |
| MOVE | Selected | Move messages to another mailbox (RFC 6851) | A007 OK MOVE completed |
| EXPUNGE | Selected | Permanently remove messages marked \\Deleted | * 3 EXPUNGE A008 OK EXPUNGE completed |
| IDLE | Selected | Server push — get notified of new mail without polling | + idling (until "DONE" sent) |
| NOOP | Any | No operation — keep connection alive, get updates | A009 OK NOOP completed |
| CLOSE | Selected | Close mailbox, silently expunge \\Deleted messages | A010 OK CLOSE completed |
| LOGOUT | Any | End IMAP session and disconnect from server | * BYE IMAP4rev1 Server logging out A011 OK LOGOUT completed |
⚠️
Security Note: Never use plain LOGIN over port 143 in production — always enforce STARTTLS or use IMAPS on port 993. Plain-text credentials are trivially captured by network sniffers.
Protocol Simulator
Step through an IMAP session interactively. Blue = server responses. Red = client commands.
# Select a scenario above to begin IMAP simulation
# Blue = server Red = client commands
# Blue = server Red = client commands
Connection States
IMAP defines four distinct connection states. Commands are only valid in certain states. Click each state to learn more.
Not Authenticated
Initial state after TCP connection. Client must authenticate before accessing mail.
Valid commands: CAPABILITY, NOOP, AUTHENTICATE, LOGIN, STARTTLS, LOGOUT
Entry point: Server sends greeting:
Exit: Successful LOGIN or AUTHENTICATE → Authenticated state
Entry point: Server sends greeting:
* OK IMAP4rev1 Service ReadyExit: Successful LOGIN or AUTHENTICATE → Authenticated state
Authenticated
User is logged in. Can manage mailboxes but has not opened one yet.
Valid commands: All Not-Auth commands plus SELECT, EXAMINE, CREATE, DELETE, RENAME, LIST, LSUB, STATUS, SUBSCRIBE, UNSUBSCRIBE, APPEND
Exit: SELECT or EXAMINE → Selected state | LOGOUT → Logout state
Exit: SELECT or EXAMINE → Selected state | LOGOUT → Logout state
Selected
A mailbox is open. Full access to messages — read, write, search, fetch.
Valid commands: All Authenticated commands plus CHECK, CLOSE, EXPUNGE, SEARCH, FETCH, STORE, COPY, MOVE, IDLE, UID commands
Server sends unilateral responses: EXISTS, RECENT, EXPUNGE, FETCH
Exit: SELECT/EXAMINE → new Selected | CLOSE → Authenticated | LOGOUT → Logout
Server sends unilateral responses: EXISTS, RECENT, EXPUNGE, FETCH
Exit: SELECT/EXAMINE → new Selected | CLOSE → Authenticated | LOGOUT → Logout
Logout
Session is terminating. Server sends BYE and closes TCP connection.
Trigger: LOGOUT command, server-side timeout, or network error
Server response:
Client must: Close the TCP connection after receiving BYE
Server response:
* BYE IMAP4rev1 Server logging out
A011 OK LOGOUT completedClient must: Close the TCP connection after receiving BYE
State Transition Diagram
[TCP Connect]
↓ Server greeting: * OK IMAP4rev1 Ready
NOT AUTHENTICATED ──(LOGIN / AUTHENTICATE)──→ AUTHENTICATED
↓ SELECT / EXAMINE
SELECTED ←→ FETCH/STORE/SEARCH
↓ LOGOUT (from any state)
LOGOUT → TCP Close
↓ Server greeting: * OK IMAP4rev1 Ready
NOT AUTHENTICATED ──(LOGIN / AUTHENTICATE)──→ AUTHENTICATED
↓ SELECT / EXAMINE
SELECTED ←→ FETCH/STORE/SEARCH
↓ LOGOUT (from any state)
LOGOUT → TCP Close
Mailbox Explorer
Simulate IMAP's server-side folder management. Messages stay on the server — this is the key difference from POP3.
💡 Messages remain on the server. IMAP just shows you a view — your phone and laptop see the same mailbox.
What IMAP does behind the scenes
* OK IMAP4rev1 Service Ready
A001 LOGIN user@mvcc.edu ••••••••
A001 OK LOGIN completed
A002 SELECT INBOX
* 12 EXISTS * 3 RECENT * OK [UNSEEN 10]
A002 OK [READ-WRITE] SELECT completed
A001 LOGIN user@mvcc.edu ••••••••
A001 OK LOGIN completed
A002 SELECT INBOX
* 12 EXISTS * 3 RECENT * OK [UNSEEN 10]
A002 OK [READ-WRITE] SELECT completed
IMAP vs POP3
Understanding when to use each protocol is fundamental to email system design.
| Feature | IMAP (Port 143/993) | POP3 (Port 110/995) |
|---|---|---|
| Storage Location | Server-side — always | Downloaded to client (usually deleted from server) |
| Multi-device Access | ✔ All devices see same mailbox | ✘ Downloaded messages only on one device |
| Folder Management | Server-side folders synced across devices | Local folders only (client-side) |
| Offline Access | Requires sync / cache setup | Full offline access after download |
| Server Storage Required | High — all messages stored indefinitely | Low — messages deleted after download |
| Protocol Complexity | Complex — 22+ commands, 4 states, tags | Simple — ~12 commands, 2 states |
| Bandwidth Usage | Fetch only what you need (headers first) | Downloads entire messages always |
| Message Flags / State | Rich flags: Seen, Flagged, Answered, Draft | No flag support |
| Server-Side Search | ✔ SEARCH command on server | ✘ Client must download all to search |
| Push Notifications | ✔ IDLE command for instant new mail | ✘ Must poll (check periodically) |
| Partial Message Fetch | ✔ Fetch headers, body sections separately | ✘ Must download complete message |
| RFC Standard | RFC 3501 (IMAP4rev1), RFC 9051 (IMAP4rev2) | RFC 1939 |
| Best Use Case | Most modern email — multiple devices | Single-device, limited server storage |
💡
Rule of thumb: IMAP is almost always the right choice for modern email deployments. POP3 may still be appropriate in bandwidth-constrained environments or where server storage is severely limited.
Knowledge Check
Test your understanding of the IMAP protocol. Click an answer to receive immediate feedback.
0/10
Complete all questions to see your score.