The program supports TLS over IMAP and POP3 for transport security when connecting to a mail server. Only connections presenting valid certificates are accepted. This is turned on by default for most common mail servers and you can configure this if you are connecting to your own server. The program does not support the less secure STARTTLS protocol (refer here for reasons this is insecure).
For Gmail the program supports OAuth in that we only store a long-lived token instead of your password on the system. To enable OAuth in Gmail, you will need to *disable* access to less secure apps.
Moreover, all credential information (like passwords or tokens) are securely stored in the windows credential manager for the account on your local machine. That is, they can't be accessed or tampered with without the right authorization.
No credential information (such as passwords or tokens) are logged on the system or sent elsewhere. For example, when you enable verbose logging, your password or tokens are never logged in the logging files. Moreover, there are no instances where the program will communicate any credential information to any external party, servers or entities outside of the system where it is installed except to the mail server that requires the credentials.
In addition to this, you can enable two factor authentication for most mail service providers, in which case you will generate an application specific password. For gmail, refer here to generate an app specific password.