Post Office Protocol (POP) is a standard way for your email client (like Outlook or Thunderbird) to retrieve emails from a remote server to your computer. When people say POP, they usually mean POP3, the current version, which is still widely used today.
Whether you’re just starting out in cybersecurity or you’re knee-deep in protecting networks, you’ll see POP3 pop up all the time. Want to know why it matters in security, and how it works? Read on for the breakdown, the gotchas, and the pro tips.
Post Office Protocol (POP) was created so email clients could retrieve messages from a mail server and store them on a local device for offline access. Since the mid-1980s, POP has helped users download mail and usually delete it from the server, freeing up server space and letting them read emails offline without needing a constant internet connection.
Most email clients, including the ones you know (Outlook, Thunderbird, Apple Mail, and more), support POP3 natively. The protocol’s main job is to allow you to collect your emails and keep them stored locally. This behavior is why you’ll often see coworkers say, “I lost that old email when I switched computers.” With POP3, once the mail is downloaded (unless otherwise configured), it’s removed from the server.
Why do cybersecurity pros care? Because POP’s simplicity and popularity have big implications for security, device management, forensics, and compliance.
Learn more about standard email protocols from the Federal Communications Commission.
Here’s how the protocol works, step by step:
Connect: Your email client opens a TCP connection to the POP3 server (usually on port 110, or 995 for the encrypted version).
Authenticate: The client sends your username and password to the server.
Retrieve: POP3 downloads all new emails from the server to your device.
Delete (by default): After downloading, messages are typically deleted from the server, though some clients can be set to keep a copy for a while, which is useful for users with multiple devices.
Disconnect: You’re done! All new mail is on your device, ready for offline reading.
The main takeaway? POP3 is a “store-and-forward” protocol. It stores mail on the server, delivers it to your device, and then deletes it on the server (unless you tweak your settings).
Fun historical tidbit: The protocol started life in RFC 918 (1984), got revamped in RFC 937 (1985), and reached its dominant version, POP3, in RFC 1939 (1996).
Curious about the official specs? Check RFC 1939 via the Internet Engineering Task Force.
While POP3 is simple and effective, it’s a magnet for certain cyber risks:
Credential Theft: Old-school POP3 logins (on port 110) often transmit username and password in plain text unless security is tightened. Attackers sniffing the network could capture these credentials with basic tools.
Local Malware Risk: Because emails (and attachments) are downloaded, infected files land straight on endpoints. If the host security is lacking, malware has a field day.
Incident Response Gaps: Since downloaded messages disappear from the server, it’s harder for incident responders to recover evidence or do forensic analysis after a breach. No server backups of old mail? That’s a problem.
Compliance Issues: Regulations like HIPAA, GLBA, and GDPR can be tricky with POP3. Deleting mail from the server automatically may conflict with retention policies required by law.
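The steps and the risks listed above can be read straight off a session. The Python below is an added example, not part of the original article: it walks a constructed port-110 transcript (command names are from RFC 1939; the account, password and message sizes are made up) and reports what anyone observing the traffic learns, including which messages are gone from the server afterwards.

```python
# Added example. Commands follow RFC 1939; the session is constructed sample data.
SAMPLE_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS example-password
S: +OK maildrop has 2 messages
C: STAT
S: +OK 2 3520
C: RETR 1
S: +OK 1200 octets
C: DELE 1
S: +OK message 1 deleted
C: RETR 2
S: +OK 2320 octets
C: DELE 2
S: +OK message 2 deleted
C: QUIT
S: +OK bye
"""

def audit_session(transcript):
    """Return what an observer of the cleartext session learns from it."""
    seen = {"user": None, "password_exposed": False,
            "retrieved": [], "marked_deleted": [], "removed_from_server": []}
    pending = None  # last client command still waiting for its status line
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            pending = (verb.upper(), arg)
        elif side == "S" and pending:
            (verb, arg), pending = pending, None
            if not text.startswith("+OK"):
                continue  # -ERR: the command had no effect
            if verb == "USER":
                seen["user"] = arg
            elif verb == "PASS":
                seen["password_exposed"] = True  # readable on the wire
            elif verb == "RETR":
                seen["retrieved"].append(int(arg))
            elif verb == "DELE":
                seen["marked_deleted"].append(int(arg))
            elif verb == "RSET":
                seen["marked_deleted"].clear()  # RSET unmarks everything
            elif verb == "QUIT":  # deletions are applied only when QUIT succeeds
                seen["removed_from_server"] = list(seen["marked_deleted"])
    return seen
```

A session that drops before `QUIT` leaves the marked messages on the server, which matters when reconstructing what evidence should still exist.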
POP3 sticks around because it’s easy and doesn’t hog server space. If you:
Prefer to keep all mail on one device
Don’t need access to the same mail across phones, tablets, and laptops
…then POP3 gets the job done! Lots of backup software, like SyncBackPro, can back up mail by connecting with POP, too.
Top POP3-Enabled Clients and Services
Microsoft Outlook and Outlook Express
Mozilla Thunderbird
Apple Mail
Most ISPs’ webmail (if enabled)
Enterprise backup and archiving tools
Heads-up: Modern workflows usually push teams toward IMAP (keeps mail in sync on all devices) or cloud email (think Gmail, O365, etc.), but POP3 remains alive in legacy setups and smaller businesses.
Here’s what you need to know about POP3’s ports and security quirks:
Port 110: Default, unencrypted. Avoid it anywhere outside totally trusted internal networks. Plain text passwords are bad news.
Port 995: POP3S (secured with SSL/TLS). Use this to encrypt traffic between the client and the server.
Default to POP3S (port 995). Never use unencrypted POP3 unless absolutely necessary.
Deploy endpoint protection (keep malware out!).
Update and filter attachments.
Train users not to open risky files.
Set policies to keep (not auto-delete) mail on the server if forensics or backups are needed.
More on secure email practices can be found at CISA’s Cybersecurity Tips.
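A retrieval routine that follows the first and last practices above, as an added example that is not from the original article: it uses Python's standard `poplib` over POP3S on port 995 with certificate checks on, and never issues `DELE`, so server copies remain. The function names, host, and credentials passed in are assumptions for illustration.

```python
import poplib
import ssl


def tls_context():
    """TLS settings for POP3S: verify the certificate and the hostname."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_pop3s(host, port=995, timeout=30):
    """Connect over implicit TLS (POP3S) instead of cleartext port 110."""
    return poplib.POP3_SSL(host, port, context=tls_context(), timeout=timeout)


def fetch_keep_on_server(conn, username, password):
    """Download every message without DELE, so the server keeps its copy."""
    conn.user(username)
    conn.pass_(password)                 # protected by the TLS tunnel
    messages = {}
    try:
        _, listing, _ = conn.list()      # entries look like b"1 1200"
        for entry in listing:
            num = int(entry.split()[0])
            _, lines, _ = conn.retr(num)
            messages[num] = b"\r\n".join(lines)
    finally:
        conn.quit()                      # nothing was marked, nothing is removed
    return messages


# Usage (hypothetical host and account):
#   mail = fetch_keep_on_server(open_pop3s("mail.example.org"), "alice", "...")
```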
POP3: Downloads and (usually) deletes email from server after retrieval. Great for single-device use. Doesn’t sync read, deleted, or folder states.
IMAP: Keeps email stored on the server. All changes sync across multiple devices. Good for people with lots of devices or team setups.
SMTP: The sidekick. Handles sending email only (not receiving).
Quick comparison table:
| Protocol | What it Does | Typical Ports |
| --- | --- | --- |
| POP3 | Fetches email for local storage | 110, 995 |
| IMAP | Fetches + syncs email across devices | 143, 993 |
| SMTP | Sends outgoing email | 25, 465, 587 |
Email Attachment Threats: Viruses and malware come in through local downloads. Endpoint protections must be robust.
Weak Authentication: If left unencrypted, credentials are easy to capture.
Lack of Email Retention: Investigations and compliance needs are undermined by auto-delete settings.
Always use POP3S encryption.
Educate users about attachments and phishing.
Set email clients to keep copies on the server for designated periods.
Implement regular endpoint backups and antimalware.
Track and audit mail flows for abnormal activity.
Post Office Protocol 3 (POP3) is a simple, widely used email retrieval protocol that downloads mail from a server to a local device. For cybersecurity teams, POP3 is double-edged: convenient for users, risky for unencrypted traffic and decentralized storage. Always encourage POP3S encryption, local protections, and setting clients to keep server copies if you need compliance-ready records.
Know your org’s workflow: If you’re stuck with POP3, document and secure every step. Push toward IMAP or cloud email for more flexibility and security, where possible.