Internet message access protocol (IMAP) is a protocol for receiving email that allows users to access their emails from different devices.
After reading this article you will be able to:
Copy article link
The Internet Message Access Protocol (IMAP) is a protocol for receiving email. Protocols standardize technical processes so computers and servers can connect with each other regardless of whether or not they use the same hardware or software.
A key feature of IMAP is that it allows users to access their emails from any device. This is because IMAP acts as an intermediary between email servers and email clients, rather than downloading emails from the server onto the email client.
Compare this aspect of IMAP to the differences between using Microsoft Word and Google Docs. Microsoft Word documents are saved locally to a computer and can be transported via email attachments or USB drives, but they do not update dynamically. If, for example, Sally makes changes to their Word document, those modifications are only saved to Sally's computer (and not to the version Linda might have on her computer).
By comparison, Google Docs can be accessed via the Internet on different devices, and update dynamically when a user makes changes to a file. In this scenario, any change Sally makes to a shared file would be visible to Linda, even if they use different computers to access the same document.
Similarly, using IMAP, users can access their email accounts from different devices without any differences in experience, and do not necessarily need to be on the device where they originally read the email.
Post Office Protocol Version 3 (POP3) is an alternative protocol for receiving emails that downloads emails from the server to a local device. Using POP3, a recipient cannot access their emails again from a different device because they are stored locally and then deleted from the email server.
Here is a summary of some key differences between IMAP and POP3.
|Users can access their emails from any device.||By default, emails can only be accessed from the device they are downloaded on.|
|The server stores emails; IMAP acts as an intermediary between the server and the client.||Once downloaded, emails are deleted from the server, unless otherwise configured.|
|Emails are not accessible offline.||Emails are accessible offline but only on the device they were downloaded on.|
|The bodies of emails are not downloaded until a user clicks on them, but subject lines and sender names populate quickly in the email client.||Emails are downloaded to the device by default, so messages may take longer to load.|
|IMAP requires more server space because emails are not automatically deleted from the server.||POP3 conserves email server storage because emails are automatically deleted from the server.|
Here is a quick look at the process of sending and receiving emails with IMAP*:
Sending emails: The Simple Mail Transfer Protocol (SMTP) defines how emails are sent.
Retrieving emails: IMAP defines how emails are received.
*Note that for the purposes of this example, IMAP is used to describe retrieving emails. However, this process looks slightly different when POP3 is implemented.
With IMAP, emails are stored on the server by default, which could present issues if the server is compromised. However, unlike with POP3, IMAP users do not have to worry about their emails being destroyed if the device they are downloaded on is lost or damaged.
One of the biggest security issues with IMAP is that it transmits logins from the client to the server in plain text by default, meaning usernames and passwords are not encrypted. (An encrypted login is obscured using complex mathematical equations so an attacker would not be able to understand it just by reading it.) This vulnerability can be protected against by configuring IMAP over the transport layer security (TLS) protocol, which facilitates encrypted communication.
Another vulnerability associated with IMAP is that it is not inherently compatible with multi-factor authentication (MFA). For this reason, IMAP can be exploited to bypass MFA requirements and make it easier for attackers to successfully conduct password-spraying attacks. (In password spraying, the attacker attempts different combinations of commonly used passwords and potential usernames.) Using third-party email clients that do not support authentication requirements or maintaining shared email accounts that cannot enforce MFA make organizations particularly vulnerable.
Cloudflare Area 1 Email Security is a cloud-based email security solution that proactively identifies phishing and other email-based attacks using machine learning. By integrating with common cloud email providers, it improves upon existing protections against password-spraying and other attacks that IMAP can be vulnerable to.
Email security basics
Phishing and spam
Learning Center Navigation