Port 995 carries POP3S traffic: the Post Office Protocol version 3, wrapped in TLS encryption. Every time your email client connects to download messages over an encrypted connection using POP3, it's speaking through this port. Port 995 is the locked door to your inbox.
What Port 995 Does
When you configure an email client to retrieve messages using POP3 with encryption, it connects to port 995. The moment the TCP connection establishes, a TLS handshake begins immediately. No negotiation. No "should we encrypt?" dance. Just security from the first byte.
This is called implicit TLS, and it's the key distinction between port 995 and its unencrypted sibling, port 110. On port 110, your email client connects in plaintext and might later ask to upgrade the connection using the STLS command. On port 995, encryption isn't optional — it's the only way in.
The protocol itself is simple: your client authenticates, requests messages, downloads them, and typically deletes them from the server. POP3 was designed for a world where you grabbed your mail and took it home.
The History: From Dial-Up to Download
The story of port 995 begins in 1984, when Joyce K. Reynolds published RFC 9181, describing the first Post Office Protocol. The intent was beautifully practical: let a workstation access mail from a server, download it, and work offline.
This was the dial-up era. Internet connections were metered by the minute. The idea of keeping your email on a remote server and accessing it continuously was absurd — you'd go bankrupt. POP was designed for the reality of its time: connect, grab your messages, disconnect, read in peace.
The protocol evolved through POP2 (RFC 937, 1985) and reached its mature form with POP3, first defined in RFC 1081 (1988) and then standardized as RFC 19392 in May 1996 by John G. Myers of Carnegie Mellon and Marshall T. Rose of Dover Beach Consulting. This RFC remains the authoritative specification today.
But there was a problem. A serious one.
The Security Problem POP3S Solved
Original POP3 transmitted everything in plaintext. Your username. Your password. Every word of every email. Anyone sitting on the network between you and the mail server could read it all.
RFC 25953, published in June 1999, attempted to address this by defining STARTTLS for POP3 — a command that would upgrade an existing plaintext connection to encrypted. But STARTTLS had its own problems. Because the connection starts unencrypted, an attacker controlling the network could modify server responses to hide the fact that TLS was available. This became known as the STRIPTLS attack.4
Port 995 takes the opposite approach: implicit TLS. The connection is encrypted from the start. There's no opportunity for a downgrade attack because plaintext was never an option.
RFC 83145, published in January 2018, made the recommendation official: "Cleartext Considered Obsolete." The document explicitly recommends implicit TLS on port 995 over STARTTLS on port 110. The Internet's email infrastructure had finally caught up with what should have been obvious all along.
How POP3S Works
A POP3S session progresses through three states:
AUTHORIZATION: The client identifies itself. The server verifies the credentials. This is where usernames and passwords travel — safely encrypted inside the TLS tunnel.
TRANSACTION: The client requests actions. STAT returns the number of messages and their total size. LIST shows individual message sizes. RETR retrieves a message. DELE marks it for deletion.
UPDATE: When the client sends QUIT, the server actually deletes the messages marked for deletion and closes the connection.
The elegance is in the simplicity. POP3 doesn't track read states, doesn't sync folders, doesn't support searching on the server. It does one thing: deliver your mail and get out of the way.
POP3S vs. IMAPS: Two Philosophies
Port 995 (POP3S) and port 993 (IMAPS) both retrieve email securely, but they represent fundamentally different philosophies.
POP3S assumes your email belongs on your device. Download it, delete it from the server, own it forever. This was perfect for the dial-up era and remains useful when you want local control, offline access, or need to keep server storage minimal.
IMAPS assumes your email belongs in the cloud. Keep it on the server, sync it across devices, search it remotely. This matches how most people use email today — on a phone, a laptop, a tablet, expecting everything to stay in sync.
Neither is wrong. They're answers to different questions about where your data should live.
Security Considerations
Port 995 provides transport security, but that security depends on proper configuration:
TLS Version: Servers must support modern TLS (1.2 or 1.3). Older versions like SSL 3.0 are vulnerable to attacks like POODLE6, which exploits weaknesses in the encryption padding. TLS 1.0 and 1.1 are deprecated.
Certificate Validation: Clients must verify the server's certificate. Self-signed or expired certificates create opportunities for man-in-the-middle attacks.
Authentication: Even over TLS, weak passwords remain weak. The encryption protects the password in transit, but a compromised password is still compromised.
Server Configuration: Many servers still support unencrypted POP3 on port 110 for backward compatibility. If a client is misconfigured to use port 110, none of port 995's protections apply.
The Shadowserver Foundation regularly reports on vulnerable POP3 services7, and the numbers are sobering. Many operators still allow unencrypted access to email, exposing credentials and content to anyone watching the wire.
Related Ports
| Port | Protocol | Description |
|---|---|---|
| 110 | POP3 | Unencrypted email retrieval — your password in plaintext |
| 143 | IMAP | Unencrypted mailbox access and sync |
| 993 | IMAPS | IMAP over implicit TLS — port 995's synchronized cousin |
| 25 | SMTP | Sending mail between servers |
| 465 | SMTPS | Sending mail with implicit TLS |
| 587 | Submission | Sending mail from clients, typically with STARTTLS |
Frequently Asked Questions
The Encrypted Post Office
Port 995 is what port 110 should have been from the start. It's the same simple protocol — connect, authenticate, download, disconnect — but finally wrapped in the encryption that passwords and private correspondence deserve.
There's something almost quaint about POP3 in the age of cloud email. It assumes you want to take your messages home, store them on your own machine, keep them forever in your own filing system. The post office delivers; what you do with your mail after that is your business.
Port 995 carries that philosophy forward, secured. Every password that doesn't fly across the wire in plaintext. Every inbox that stays private. Every email your grandmother downloaded and kept forever on her desktop, filed in folders she understood, backed up on drives she controlled.
That's port 995. The encrypted post office. Still delivering after forty years.
Was this page helpful?