- July 2026 Cutoff: Microsoft will block POP3 and IMAP4 connections to Exchange Online that negotiate TLS 1.0 or 1.1 starting in July 2026.
- Protocol Floor: After the cutoff, only TLS 1.2 or higher will be accepted on the affected POP3 and IMAP4 endpoints.
- Affected Population: Customers who explicitly opted into the legacy endpoints, including embedded devices and printers with frozen TLS libraries, are most exposed.
- Remediation Window: Operators have roughly fourteen months to upgrade clients to TLS 1.2 or 1.3 or front them with a current-protocol relay.
Microsoft will block legacy TLS connections starting in July 2026 on POP3 and IMAP4 endpoints in Exchange Online, closing the opt-in window it kept open for outdated email clients. Microsoft confirmed the cutoff in a Exchange Tech Community post.
From that cutoff, POP3 and IMAP4 connections that still negotiate TLS 1.0 or 1.1 will fail outright, ending a multi-year opt-in endpoint that kept legacy clients alive. Microsoft says the majority of POP and IMAP traffic already uses TLS 1.2 or higher, but legacy applications, embedded devices, and custom integrations still on the older protocols will need to be updated or replaced before the cutoff arrives.
The July 2026 Cutoff
Microsoft will fully deprecate legacy TLS support for POP3 and IMAP4, citing the protocols’ long-standing industry deprecation and weakened security posture. After the cutoff, those connections will require TLS 1.2 or later; anything still negotiating TLS 1.0 or 1.1 will be rejected by the service.
Microsoft says modern email clients already support TLS 1.2, and that the majority of POP and IMAP traffic to Exchange Online today already runs on those newer protocols. Microsoft scoped the impact narrowly in the same post: “Our expectation is that only customers who have explicitly opted into using those legacy endpoints are impacted by the deprecation.”
Microsoft built the impacted endpoint as a dedicated opt-in path for customers running POP3 and IMAP4 clients without TLS 1.2 support, treating it as a transitional accommodation rather than a permanent option. Authentication to that endpoint will stop working in July 2026 once the legacy TLS handshake is refused at the service edge. Customers who never enrolled in the opt-in path are unaffected because their existing POP3 and IMAP4 sessions already negotiate TLS 1.2 or higher and will continue to authenticate against the same Exchange Online endpoints after the cutoff.
A Multi-Year Wind-Down
Microsoft ended TLS 1.0 and 1.1 support in 2020 for the broader Exchange Online service and signalled in 2023 that it would extend the policy to POP3 and IMAP4 clients. July 2026 now closes that loop. Inside the company, the cutoff continues a wider Windows TLS wind-down that has been running across Windows and cloud surfaces for several years, most recently when Microsoft removed TLS 1.0 and 1.1 from Azure Blob Storage in February 2026.
Both protocols are old: TLS 1.0 was published in 1999 and TLS 1.1 in 2006, and both were formally deprecated in 2021. Major browser vendors had already converged on the same conclusion years earlier, when Microsoft, Apple, Google, and Mozilla announced plans to deprecate legacy TLS 1.0 and 1.1 in October 2018, originally targeting the first half of 2020. Browser-side enforcement landed in that window; server-side mail protocols have taken longer because POP3 and IMAP4 deployments often depend on long-lived client libraries embedded in scanners, ticketing systems, and mail-relay scripts that are rarely repackaged.
After July 2026, no opt-in escape hatch will remain for POP3 or IMAP4 in Exchange Online, and customers still negotiating TLS 1.0 or 1.1 against those endpoints will see authentication attempts rejected at the protocol layer.
Who Should Act
Multifunction printers with scan-to-email, point-of-sale terminals, industrial gateways, and custom mail-fetching scripts make up the population of devices likely to break: products that ship with frozen TLS libraries and rarely receive firmware updates. After the cutoff, legacy applications and embedded devices may stop connecting to Exchange Online over POP3 or IMAP4 unless their TLS stacks are updated to 1.2 or higher.
Operators unsure of their exposure can audit POP and IMAP client configuration for the negotiated TLS version, then consult application and device vendors for upgrade paths. Where vendor patches are unavailable, mail-relay or proxy hosts running a current TLS 1.2 or 1.3 stack can sit between the legacy device and Exchange Online to handle the modern handshake on the device’s behalf. Microsoft also points at standing NSA guidance on outdated TLS versions as a baseline for replacing weak stacks on POP3 and IMAP4 clients.
Operators have roughly fourteen months (until July 2026) to inventory POP3 and IMAP4 clients still negotiating TLS 1.0 or 1.1, upgrade them to TLS 1.2 or 1.3, or front them with a current-protocol relay. After that, Exchange Online will refuse the legacy handshake at the service edge and authentication on those accounts will break.
