Back in 2012, when I built the email logging app for Highrise CRM and later for Salesforce CRM the only way to access Gmail was IMAP. To be exact, it was Google’s IMAP implementation called “GIMAP” that allowed to access Gmail message attributes like threadId, messageId, labels. Labels were also represented as IMAP folders (kinda virtual) and essentially you just needed to scan the ‘All Mail’ and ‘Sent Mail’ folders to get all emails.
Later on I discovered that OAuth2 could be used instead of username/password with GIMAP. See XOAUTH2 protocol. That was pretty cool as it allowed smoother user experience! So we implemented OAuth2 in our Gmail connector.
Then in 2014 Gmail opened up their new Gmail API and recommended all developers to move to the new API and off of IMAP. I believe around that time Gmail web app got a setting to activate IMAP optionally and around 2015 we saw some clients with the IMAP disabled. So we quickly migrated to Gmail API and were pretty happy with the new API.
In October 2018 Google announced significant changes around access to Gmail data. Specifically, reading email was assigned the ‘restricted’ status and required a 3rd party security assessment to get your app verified by Google’s OAuth team. Only two security companies (later three) were allowed to perform the assessments and their services were expensive, $15k-$75k. These changes were considered prohibitively expensive by many developers and probably killed a good number of apps.
Fortunately for B2B apps working with G Suite clients there was still a way to continue their business without the formal Google OAuth verification of the restricted scopes. The app developers who built trust with their clients could ask them to set up special access to Gmail API through a G Suite service account. This is a viable approach which has other advantages for apps like syncs that need uninterrupted offline access to many mailboxes. Companies like Salesforce used this kind of configuration for their Lightning Sync and then Einstein Activity Capture. Our Yoxel Sync app adopted this approach too.
One limitation of the service account-based approach is the inability to utilize a singular PubSub configuration for Gmail push events. As a result, you might find yourself needing to employ mailbox polling as an alternative.
In January 2022, Google introduced the OAuth Client ID allowlisting feature for G Suite. This is a convenient way for G Suite admins to allow trusted apps to access their Gmail accounts. See this example.
So, here is the situation for app developers now and why GIMAP is still in demand:
- If you’re an established platform that can’t compromise on the OAuth flow experience for your users, or if the majority of your users possess personal @gmail.com accounts, you’ll need to undergo Google’s ‘restricted scope’ OAuth verification process. This entails security firm assessments, potentially costing between $15k-$75k. Note, Google now defines the process on their CASA site. Additionally, there’s a tier allowing self-testing (Developer Tested - Lab Verified), which might be a more affordable option.
- If all of your Gmail clients are G Suite domain users, you can request their G Suite admin to either add your app to the allow-list or provision service-account based access. Many companies, such as Salesforce, Workato, and Yoxel, have adopted this approach.
- If you manage numerous personal @gmail.com accounts, there’s essentially no way to use OAuth2, and hence Gmail API, without obtaining verification from Google. This is why IMAP remains in demand. For many developers, it represents the most cost-effective method to access Gmail accounts. Gmail users can configure a special app password and use it for the IMAP connection.
Aurinko
Whether you’re looking to manage service account access to Gmail or prefer IMAP-based access, Aurinko has got you covered. With its unified Email API, the platform bridges the gap between various access methods, providing a consistent and efficient approach to email integration.
Choose Aurinko’s Email API and drive greater engagement and success for your app.