+If nmh has been compiled with APOP #defined, the `\-apop' switch will cause
+\fImsgchk\fR to use APOP rather than standard POP3 authentication. Under APOP,
+a unique string (generally of the format
+<\fIpid\fR.\fItimestamp\fR@\fIhostname\fR>) is announced by the POP server.
+Rather than `USER \fIuser\fR', `PASS \fIpassword\fR', msgchk sends `APOP
+\fIuser\fR \fIdigest\fR', where digest is the MD5 hash of the unique string
+followed by a `secret' shared by client and server, essentially equivalent to
+the user's password (though an APOP-enabled POP3 server could have separate APOP
+and plain POP3 passwords for a single user). `\-noapop' disables APOP in cases
+where it'd otherwise be used.
+
+If nmh has been compiled with KPOP #defined, the `\-kpop' switch will allow
+\fImsgchk\fR to use Kerberized POP rather than standard POP3 on a given
+invocation. If POPSERVICE was also #defined to "kpop", \fImsgchk\fR will be
+hardwired to always use KPOP.
+
+If nmh has been compiled with SASL support, the `\-sasl' switch will enable
+the use of SASL authentication. Depending on the SASL mechanism used, this
+may require an additional password prompt from the user (but the
+\*(lq.netrc\*(rq file can be used to store this password). The
+`\-saslmech' switch can be used to select a particular SASL mechanism.
+
+If SASL authentication is successful, \fIinc\fR will attempt to negotiate
+a security layer for session encryption. Encrypted traffic is labelled
+with `(encrypted)' and `(decrypted)' when viewing the POP transaction
+with the `\-snoop' switch.