RFC 1939: POP3 — Post Office Protocol Version 3

Standards Track Mail Access Protocols Published May 1996

ELI5: POP3 is like checking a physical P.O. box. You walk to the post office, open your box, take all your letters home, and the box is now empty. You read everything offline, on your own desk. It’s simple and it works — but if you check your mail from a second location, those letters are already gone. POP3 downloads messages and (by default) deletes them from the server.

Why This Exists

In the early internet, most users were not permanently connected. Dial-up connections were slow and expensive. The email architecture split into two roles:

MTA (Mail Transfer Agent): An always-on server that receives and queues mail via SMTP.
MUA (Mail User Agent): A client application that connects periodically to retrieve accumulated mail.

POP3 bridges that gap. It gives a simple, stateless way for a client to authenticate, list messages, download them, and optionally delete them from the server. It was designed to be implementable in minimal code on low-resource machines — and it succeeded. POP3 remains one of the most widely supported mail access protocols on the planet.

How It Works

Connection and States

A POP3 session passes through three sequential states:

AUTHORIZATION: The client connects (port 110, or port 995 for implicit TLS) and authenticates with a username and password.
TRANSACTION: The client issues commands to list, retrieve, and mark messages for deletion.
UPDATE: The client sends QUIT. The server performs all pending deletions and closes the connection.

A Typical POP3 Session

-- Client connects to port 995 (POP3S) --
+OK POP3 server ready
USER alice@example.com
+OK
PASS s3cretP@ss
+OK Logged in.
-- Now in TRANSACTION state --
STAT
+OK 3 12400                          ← 3 messages, 12400 octets total
LIST
+OK 3 messages
1 4200
2 3800
3 4400
.
RETR 1                                ← download message 1
+OK 4200 octets
(full RFC 5322 message content...)
.
DELE 1                                ← mark message 1 for deletion
+OK Deleted.
QUIT
+OK Bye.                              ← server deletes message 1 now

Core POP3 Commands

Command	State	Purpose
`USER` / `PASS`	AUTH	Authenticate with username and password
`APOP`	AUTH	Challenge-response authentication (avoids sending password in cleartext)
`STAT`	TRANSACTION	Get message count and total size
`LIST`	TRANSACTION	List message numbers and sizes
`RETR`	TRANSACTION	Retrieve a full message by number
`DELE`	TRANSACTION	Mark a message for deletion
`NOOP`	TRANSACTION	Keep the session alive
`RSET`	TRANSACTION	Unmark all messages marked for deletion
`TOP`	TRANSACTION	Retrieve headers plus n lines of body
`UIDL`	TRANSACTION	Get unique ID listing (used to track already-downloaded messages)
`QUIT`	Any	End the session; trigger UPDATE state

Key Technical Details

Download-and-Delete vs. Keep-on-Server

POP3's default model is download-and-delete: the client retrieves each message with RETR, then marks it with DELE, and the server removes it on QUIT. Many clients offer a "leave messages on server" option, which simply skips the DELE step. The UIDL command provides unique IDs so the client can track which messages it has already downloaded without re-downloading them.

Locking

POP3 requires an exclusive lock on the mailbox. Only one client can access a POP3 mailbox at a time. If a second client tries to connect while the first is in a TRANSACTION state, it will be rejected. This makes POP3 unsuitable for multi-device access.

No Folders, No Flags, No Search

POP3 sees a mailbox as a flat list of numbered messages. There is no concept of folders, labels, read/unread flags, or server-side search. The server is purely a message store; all organization happens on the client. This is the fundamental difference between POP3 and IMAP.

Security: APOP and TLS

The original USER/PASS authentication sends the password in cleartext. APOP uses a shared-secret MD5 challenge to avoid this, but MD5 is now considered cryptographically broken. Modern POP3 should always run over implicit TLS on port 995 (per RFC 8314) or, as a fallback, use STLS (the POP3 equivalent of STARTTLS).

Common Mistakes

Using POP3 with multiple devices. Because POP3 downloads and deletes, a phone and laptop will fight over messages. Only one device sees each message. Use IMAP or JMAP instead.
Running POP3 on port 110 without TLS. Credentials and message content traverse the network in cleartext. Always use port 995 with implicit TLS.
Relying on APOP for security. APOP uses MD5, which is vulnerable to collision and preimage attacks. TLS is the only reliable protection.
Not using UIDL for "leave on server" mode. Without UIDL, a client in "leave on server" mode has no reliable way to know which messages it already downloaded, leading to duplicates after reconnection.
Disconnecting without QUIT. If the client drops the connection without sending QUIT, the server does not enter the UPDATE state. Pending DELE commands are discarded — messages thought to be deleted will reappear.
Expecting server-side features. POP3 has no search, no flags, no folders. If your application needs any of these, POP3 is the wrong protocol.

Deliverability Impact

POP3 is a retrieval protocol, not a sending protocol. It has no direct impact on whether your outbound mail reaches inboxes. However, it affects how recipients interact with mail you send them.
Read receipts and tracking. POP3 clients download messages for offline reading. Open-tracking pixels may not fire until the user opens the message in their local client, if they load remote images at all.
Bounce processing. If you use POP3 to poll a bounce mailbox, use UIDL to avoid reprocessing bounces. Ensure your polling interval is frequent enough to process bounces promptly for list hygiene.
Inbox placement. Recipients using POP3 clients receive all messages into a flat inbox with no server-side spam filtering (unless the server filters before POP3 access). This can mean higher visibility for your messages — or more complaints if recipients feel overwhelmed.