MDL Security
Last Updated: Sep 8, 2025
Support for TLS
The program supports TLS 1.2+ over IMAP and POP3 for transport security when connecting to a mail server. Only connections presenting valid certificates are accepted. This is turned on by default for most common mail servers, and you can configure it if you are connecting to your own server. The program does not support the less secure STARTTLS protocol.
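If you run your own mail server, you can check it against these requirements before configuring the program. The following is an added example, not the program's own code: `strict_context`, `probe` and `start_cleartext_listener` are illustrative names, and the listener is a constructed stand-in for a server that only offers STARTTLS.

```python
import socket
import ssl
import threading

def strict_context() -> ssl.SSLContext:
    """Client policy from the text: TLS 1.2 or newer, valid certificate required."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Try an implicit-TLS handshake (no STARTTLS upgrade) and report the outcome."""
    result = {"host": host, "port": port, "ok": False, "tls": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host) as tls:
                result["ok"], result["tls"] = True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate rejected: {exc.verify_message}"
    except ssl.SSLError as exc:
        result["error"] = f"TLS handshake failed: {exc.reason}"
    except OSError as exc:
        result["error"] = f"connection failed: {exc}"
    return result

def start_cleartext_listener() -> int:
    """Constructed stand-in for a server that greets in cleartext and expects STARTTLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))           # any free loopback port
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"* OK IMAP4rev1 ready\r\n")   # plaintext IMAP greeting
            conn.recv(4096)                              # swallow the ClientHello
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Replace with your own server and port 993 (IMAPS) or 995 (POP3S) to test it.
    print(probe("127.0.0.1", start_cleartext_listener()))
```

A server that passes reports `ok: True` with the negotiated version; an expired, self-signed or mismatched certificate shows up as `certificate rejected`.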
Support for OAuth or modern authentication
The program fully supports standards-based OAuth 2.0, sometimes also referred to as modern authentication.
When using OAuth, the program does not know or store your password. Instead, it stores a long-lived token on the system, which you can revoke by resetting your password on your email cloud provider or by removing access in your email cloud provider.
The program defaults to OAuth for all popular email services such as Gmail, Outlook and Office 365.
Custom application registration (or app-only access)
As an alternative to end-user-based OAuth (where the end user grants permissions to their account), you can optionally provide a tenant id, client id and client secret in the app's Settings -> Custom App Registration tab for a given Account. This is also called the client credentials flow in the OAuth standard.
This is usually not recommended for native applications where end users use the program. However, you may choose to do this if the program is running 24x7 as a Windows service for a specific purpose within a secure system (e.g. native or cloud-based) to further control security. The benefit is that token revocation issues, such as password resets forcing the user to re-authenticate, will not arise. However, it also means that the client credentials need to be carefully provisioned and secured.
This will require you to register the program as a custom application in your email cloud provider (e.g. Microsoft 365, Google etc.). Doing so will require you to provide the necessary permissions (called scopes) to the program for it to function. You can then restrict scopes and further control what the program has access to.
To find out which scopes you need to provide the app access to, open the settings for the account from inside the program (Settings button next to the Account dropdown), and locate the Permissions tab. You will find the Requested and Granted scopes. Make sure the application has access to all the Requested scopes at a minimum.
Application password support
As an alternative to OAuth, you can use a custom application password generated by you and configured within your email provider for this application. This is less secure than OAuth; however, you may choose to do so if the circumstances require it. The program will still use TLS 1.2+ to connect and send the application password over that secure connection to authenticate itself.
If using this option, you will be entering this custom application password instead of your account password in the program to authenticate with the email provider.
Secure storage of passwords and tokens
All credential information (like passwords or tokens) is securely stored in the Windows Credential Manager for the account on the Windows user account (or service) and system where the software is installed. That is, it can't be accessed or tampered with without the right authorization to access the Windows account (or service credentials).
Logging and external communications
No credential information (such as passwords or tokens) is logged on the system or sent elsewhere. For example, when you enable verbose logging, your password or tokens are never written to the log files. All logs are stored only locally on the system where the program is installed.
Moreover, there are no instances where the program will communicate any sensitive information such as credential information to any external party, servers or entities outside of the system where it is installed except to the mail server that requires those credentials.
With the PRO versions you can turn off the analytics that the program collects. We use analytics only to track how you use the program for the purpose of fixing or improving our products and services. Analytics does not track sensitive information such as the contents of documents, emails, tokens or passwords.
Please refer to our Privacy Policy for more information about how we use your data.
End User License Agreement
Please refer to our End User License Agreement for more information about software use.
Privacy Policy
Please refer to our Privacy Policy for more information about how we use your data.
Questions?
If you have questions about security, please email us.