Accessing Gmail via IMAP using App Passwords
Recently, I've been feeling quite overwhelmed, so I decided to write some notes to shift my focus and, incidentally, leave a record for my apprentice.
Introduction
A growing number of mail providers no longer allow IMAP access to a mailbox with the account password itself. Two examples are the deprecation of Basic authentication in Exchange Online and Gmail's control over access for less secure apps.
I haven't had the opportunity to work with Microsoft Exchange, so I conducted research specifically for Gmail.
Enabling IMAP Service
If you search for articles online, you might see instructions to enable the IMAP service in Gmail settings. However, according to the official documentation on Adding Gmail to other email clients:
Starting in January 2025, the "Enable IMAP" or "Disable IMAP" options will no longer be available. Gmail will always have IMAP access enabled, and current connections to other email clients will not be affected. You do not need to take any action.
Therefore, there is no need to configure the IMAP service separately anymore.
Enabling 2-Step Verification
Before creating an App Password, you must first enable 2-Step Verification for your Google account:
- Go to Google Account / Security.
- Find "2-Step Verification" in the "How you sign in to Google" section.
- Set up a second-step verification option. Currently, the following methods are available:
  - Passkeys and security keys: Create a passkey on your current device to sign in to your Google account securely using fingerprints, face recognition, screen lock, or a security key.
  - Google Prompt: When signing in on a new device, Google can send a confirmation prompt to all phones where you are signed in. You need to tap the prompt to confirm that you are the one signing in.
  - Authenticator: You can obtain verification codes through an authenticator app, eliminating the need to wait for SMS codes.
  - Phone number: Google will send a verification code to the configured phone number via SMS or voice call.
  - Backup codes: You can generate a set of backup codes for sign-in; each code can only be used once.
If none are set up, Google will likely guide you to set up the second step using a phone number, which is actually the most convenient method.
Creating an App Password
- Open the App Passwords page to create an App Password.
- Google will confirm your identity using your account's second-step verification method. For example, if you have set up a phone number, Google will send an SMS to your phone, and you will need to enter the received verification code.
- Once verified, you will be taken to the page for managing App Passwords.
- Enter a custom app name in the input box under "To set up a new app password, enter it below...". This is for identification purposes only.
- Click "Create". Google will provide a 16-character password as the App Password and display the following message:
  How to use it
  Go to the "Settings" page of your account in the app or on the device where you want to set up your Google account, and replace your password with the 16-character password above.
  This App Password grants full access to your Google account, just like your regular password. You do not need to remember this password, so please do not write it down or share it with anyone.
- Copy this password (please note that this password will only be displayed once, so be sure to save it).
Basic Information for Gmail IMAP Settings
The following settings are required to connect to Gmail over IMAP:
- IMAP Server: imap.gmail.com
- Port: 993
- Encryption Method: SSL/TLS
- Username: Your full Gmail address (e.g., [email protected])
- Password: App Password (not your Gmail password)
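As an added example (not part of the original notes), the settings above can be used from Python's standard imaplib as shown here. The environment variable names GMAIL_USER and GMAIL_APP_PASSWORD and the helper function names are assumptions made for this example; it also assumes the App Password may have been copied with the spaces Google displays between its four-character groups.

```python
import imaplib
import os
import ssl

IMAP_HOST = "imap.gmail.com"  # from the settings list above
IMAP_PORT = 993               # implicit SSL/TLS


def normalize_app_password(raw: str) -> str:
    """Drop whitespace between the displayed groups and enforce
    the 16-character length of an App Password."""
    pw = "".join(raw.split())
    if len(pw) != 16:
        raise ValueError("expected a 16-character App Password")
    return pw


def load_credentials(env=os.environ):
    """Read credentials from the environment instead of hardcoding them.
    GMAIL_USER / GMAIL_APP_PASSWORD are names chosen for this example."""
    user = env.get("GMAIL_USER", "").strip()
    if "@" not in user:
        raise ValueError("GMAIL_USER must be the full Gmail address")
    return user, normalize_app_password(env.get("GMAIL_APP_PASSWORD", ""))


def tls_context() -> ssl.SSLContext:
    """Default context: certificate and hostname verification stay on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def count_inbox(user: str, app_password: str) -> int:
    """Log in over TLS, open INBOX read-only, return the message count."""
    with imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT,
                           ssl_context=tls_context()) as conn:
        conn.login(user, app_password)
        status, data = conn.select("INBOX", readonly=True)
        if status != "OK":
            raise RuntimeError("SELECT INBOX failed")
        return int(data[0])


if __name__ == "__main__":
    # Requires network access and real credentials in the environment.
    print(count_inbox(*load_credentials()))
```

Because the App Password grants full account access, keeping it in the environment or a secret store keeps it out of source files and shell history.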
Change Log
- 2025-03-05 Initial document created.