2026
SMTP, POP3 and IMAP: How Email Actually Works
SMTP sends your messages. POP3 downloads them to a device. IMAP keeps them on the server in sync across everything. Three separate protocols that most email setups use at once and most people never think about until something stops working.
Email protocols feel like a topic you can skip until something breaks. Most people who use email every day have no reason to think about what happens between pressing send and a message appearing in someone else's inbox. A bounce with no useful error message changes that. An inbox that stops updating across devices changes that. Authentication rejecting credentials that worked last week changes that.
Three protocols split the work. SMTP moves messages from one place to another. POP3 retrieves messages by downloading them to the client. IMAP retrieves messages by keeping them on the server in sync across however many clients are looking at the same account. A typical email setup uses all three at once. They are separate protocols with separate ports and separate responsibilities.
How a message actually travels
Press send and the process is more involved than it looks. The mail client hands the message to an outgoing mail server using SMTP on port 587. That server looks up the MX record for the recipient's domain to find which server accepts mail for that address. It then connects to that server on port 25 and delivers the message. The recipient's server stores it until the recipient's client connects to retrieve it.
Message path
Your mail client
↓ SMTP port 587 (authenticated submission)
Your outgoing mail server (MTA)
↓ SMTP port 25 (server-to-server relay)
Recipient's incoming mail server
↓ POP3 port 995 or IMAP port 993 (retrieval)
Recipient's mail client
The recipient's server holds the message whether the client is online at the time of delivery. When the client next connects, it either downloads the message via POP3 or syncs its view of the mailbox via IMAP. Which one depends entirely on how the client is configured.
SMTP: the sending protocol
SMTP is a text-based protocol. The session reads as a conversation between client and server. The server speaks first. The client greets it with EHLO and the server responds with a list of extensions it supports. What happens next depends on those capabilities.
SMTP submission session
220 mail.example.com ESMTP Postfix
EHLO client.example.com
250-mail.example.com Hello client.example.com
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250 STARTTLS
STARTTLS
220 2.0.0 Ready to start TLS
... TLS handshake ...
AUTH PLAIN AHVzZXIAcGFzc3dvcmQ=
235 2.7.0 Authentication successful
MAIL FROM:<bob@example.com>
250 2.1.0 Ok
RCPT TO:<friend@example.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: bob <bob@example.com>
To: Friend <friend@example.com>
Subject: Hello
Message body here.
.
250 2.0.0 Ok: queued as A1B2C3D4
QUIT
221 2.0.0 Bye
Notice that STARTTLS completes before AUTH. The TLS handshake wraps the authentication, so the password never travels as plaintext. A server that advertises STARTTLS in its EHLO response but does not require it is still vulnerable to clients that skip the upgrade. A properly hardened server enforces the upgrade before accepting credentials.
Envelope vs message headers
The address in MAIL FROM is the envelope sender. It is used for bounce routing and spam filtering. The From header inside the message body is what the recipient sees in their client. They can be different addresses. Phishing emails frequently exploit this distinction.
SMTP commands
The command set is small. Each step in the session maps to a single command. Reading an SMTP log becomes straightforward once you recognise them.
Modern greeting. The client identifies itself and the server responds with a list of supported extensions. Use this instead of HELO on any server built in the last two decades.
Upgrade the plain connection to TLS before any credentials are sent. This command appears in the EHLO response when the server supports it. A client that skips this step sends its password in plaintext.
Authenticate the client with the server. Common mechanisms are PLAIN and LOGIN. Always happens after the STARTTLS handshake completes on a properly configured setup.
Declare the envelope sender address. This is what the receiving server uses for bounce routing. It does not have to match the From header visible in the message body.
Declare a single recipient. The server accepts or rejects this address before any message content is sent. Repeat the command to add multiple recipients.
Switch the server into message body mode. The client sends headers followed by a blank line followed by the body. A line containing only a period signals the end.
Close the session. The server acknowledges the command then closes the connection.
POP3: download and retrieve
POP3 does one thing. It lets a client connect to a mail server, download messages and remove them from the server. The model comes from a time when people checked email from a single machine. The server was a temporary holding area. The permanent copy lived locally on the client.
A POP3 session is stateful in a narrow way. Messages are identified by their position in the mailbox for the duration of the session. The client lists them, retrieves the ones it wants, marks others for deletion, then ends the session. Deletions are not applied until QUIT is issued. Nothing on the server is modified before that point.
POP3 session
+OK POP3 server ready
USER bob
+OK
PASS hunter2
+OK Mailbox locked and ready
STAT
+OK 3 14842
LIST
+OK 3 messages (14842 octets)
1 4821
2 5102
3 4919
.
RETR 1
+OK 4821 octets
... full message content including headers ...
.
DELE 1
+OK Deleted
QUIT
+OK Goodbye. 1 message deleted.
Most clients can be configured to leave copies on the server after downloading. This is an option rather than the default behaviour. It lets POP3 behave a little more like IMAP, though without any of the sync capabilities. If messages need to be accessible on multiple devices, IMAP is the better starting point.
POP3 commands
Send the username. The server acknowledges before expecting the password.
Send the password. On port 110 this travels as plaintext. Use POP3S on port 995 to avoid sending credentials in the clear.
Ask the server how many messages are in the mailbox and what the total size is in bytes.
Get a numbered list of messages with their individual sizes. The numbers are used in subsequent retrieval commands.
Download a specific message by its number. The server sends the full message including all headers.
Mark a message for deletion. Nothing is removed immediately. Deletion happens when the session ends with QUIT.
Cancel any pending deletions. Messages marked with DELE during this session are unmarked.
End the session. Any messages marked for deletion are removed at this point.
IMAP: synchronised access
IMAP was built around a different assumption: messages live on the server. Clients access them remotely. A phone, a laptop and a web browser can all look at the same inbox and see the same state. Read a message on one device and it appears as read on the others. Move a message to a folder from one client and every other client reflects the change.
This works because reading a message does not remove it from the server. The client fetches it for display but the authoritative copy stays in place. Actions taken by the client, marking as read, starring, moving to a folder, deleting, are written back to the server as flag updates rather than as purely local state changes.
IMAP message flags
\SeenThe message has been read.\AnsweredThe user replied to this message.\FlaggedMarked for attention. Most clients show this as a star.\DeletedMarked for removal. The message is not gone until the client issues an EXPUNGE command.\DraftA composed message that has not been sent yet.IMAP session fragment
* OK IMAP4rev1 server ready
A001 LOGIN bob hunter2
A001 OK Logged in
A002 SELECT INBOX
* 12 EXISTS
* 3 RECENT
A002 OK [READ-WRITE] SELECT completed
A003 FETCH 1 (FLAGS BODY[HEADER.FIELDS (FROM SUBJECT)])
* 1 FETCH (FLAGS (\Seen) BODY[HEADER.FIELDS (...)]
From: someone@example.com
Subject: Hello
)
A003 OK FETCH completed
A004 STORE 3 +FLAGS (\Seen)
* 3 FETCH (FLAGS (\Seen))
A004 OK STORE completed
A005 LOGOUT
* BYE Logging out
A005 OK LOGOUT completed
IMAP sessions are tagged. Every command the client sends starts with a unique tag so responses can be matched back to the command that produced them. This is necessary because IMAP allows the client to issue commands without waiting for each previous one to complete. POP3 has no equivalent because it works strictly in sequence.
Server-side search is another capability POP3 simply does not have. An IMAP client can ask the server to return only messages matching a given sender, date range, subject string. The server filters and returns matching message IDs. The client fetches only those. On a mailbox with thousands of messages, downloading everything locally to search through would be impractical.
SMTP vs POP3 vs IMAP
Each protocol has a specific role. The confusion usually comes from the fact that email clients present all three as a single system. Seeing the responsibilities laid out separately makes it easier to locate where a problem is likely to live.
Ports worth knowing
Email involves more ports than most protocols because each role has at minimum a plaintext port and a TLS port. SMTP adds a third because server-to-server relay and client submission serve different purposes and carry different requirements.
25SMTP relayServer-to-server mail transfer. ISPs block this port on residential connections to stop spam from compromised machines.587SMTP submissionThe port mail clients use to submit outgoing messages through an authenticated relay. Requires credentials. STARTTLS expected.465SMTPSImplicit TLS from the moment the connection opens. Originally deprecated then reinstated. Widely supported in modern clients.110POP3Plaintext POP3. Credentials and message content travel unencrypted. Avoid on any network you do not fully control.995POP3SPOP3 over TLS. The encrypted session begins immediately on connection before any credentials are exchanged.143IMAPPlaintext IMAP with STARTTLS available. The client upgrades the connection to TLS before authenticating.993IMAPSIMAP over implicit TLS. The encrypted session begins before any commands are exchanged.Port 25 is blocked by most ISPs on residential connections to prevent compromised machines from relaying spam directly. Cloud providers block it by default too. Enabling it typically requires contacting support and explaining the use case. For most applications, sending through an authenticated relay on port 587 is the practical path that sidesteps the issue entirely.
What to use when
IMAP is the right answer for most personal and business email setups today. Messages stay on the server. Every device sees the same state without any special configuration. Switching to a new client does not require migrating a local mail store that lives only on one machine.
POP3 still has its place. If you want a permanent local archive and only ever check email from one machine, it handles that simply. Some automated pipelines that read a dedicated mailbox to process incoming messages use POP3 because the download-and-delete model fits the workflow naturally. The message arrives, gets consumed, disappears from the server.
For sending, SMTP is the only option. Modern applications that need to deliver email typically do so through an authenticated relay on port 587 rather than running their own mail server. Services like Postmark, SendGrid and Amazon SES expose SMTP endpoints alongside their APIs because SMTP is the universal delivery layer that every mail system speaks.
The protocols are old enough that every rough edge is well-documented. When mail stops working, the problem usually sits at a boundary: a firewall blocking the wrong port, a certificate that expired on the submission server, a misconfigured SPF record causing a relay to reject delivery. Knowing which protocol operates on which port and what the session should look like makes that kind of diagnosis considerably faster.