diff --git a/src/backend.php b/src/backend.php
index a873db3..ef9d0f1 100644
--- a/src/backend.php
+++ b/src/backend.php
@@ -21,7 +21,7 @@ function error($status, $text) {
 }
 /**
- * print all mails for the given $user as a json string.
+ * print all mails for the given $user.
 * @param $username string username
 * @param $address string email address
 */
@@ -34,6 +34,7 @@ function print_emails($username, $address) {
 $mail_ids = array_merge($mailsIdsTo, $mailsIdsCc);
 $emails = _load_emails($mail_ids, $address);
+ header('Content-type: application/json');
 print(json_encode(array("mails" => $emails, 'username' => $username, 'address' => $address)));
 }
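Review bot: The JSON Content-Type is now emitted only on print_emails' success path (and likewise in delete_email in the hunk at line 54), while the file-level `header('Content-type: application/json')` is removed in the hunk at line 107; unless error() — whose body is outside these hunks — sets its own Content-Type, the 404 responses it produces will go out with PHP's default text/html while the client still expects JSON. Either add `header('Content-type: application/json');` inside error(), or move the header into a small helper such as `json_response($data)` that the two success paths and error() all call. While touching it, the canonical spelling with a charset is `header('Content-Type: application/json; charset=utf-8');`.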
@@ -54,12 +55,42 @@ function delete_email($mailid, $address) {
 if (count($emails) === 1) {
 $mailbox->deleteMail($mailid);
 $mailbox->expungeDeletedMails();
+ header('Content-type: application/json');
 print(json_encode(array("success" => true)));
 } else {
 error(404, 'delete error: invalid username/mailid combination');
 }
 }
+/**
+ * download email by id and username. The $address must match the recipient in the email.
+ *
+ * @param $mailid integer imap email id (integer)
+ * @param $address string email address
+ * @internal param the $username matching username
+ */
+
+function download_email($mailid, $address) {
+ global $mailbox;
+
+ // in order to avoid https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
+ // the recipient in the email has to match the $address.
+ $emails = _load_emails(array($mailid), $address);
+ if (count($emails) === 1) {
+
+ header("Content-Type: message/rfc822; charset=utf-8");
+ header("Content-Disposition: attachment; filename=\"$address-$mailid.eml\"");
+
+ $headers = imap_fetchheader($mailbox->getImapStream(), $mailid, FT_UID);
+ $body = imap_body($mailbox->getImapStream(), $mailid, FT_UID);
+ print ($headers . "\n" . $body);
+
+ } else {
+ error(404, 'download error: invalid username/mailid combination');
+ }
+}
+
+
 /**
 * Load emails using the $mail_ids, the mails have to match the $address in TO or CC.
 * @param $mail_ids array of integer ids
@@ -107,8 +138,6 @@ function delete_old_messages() {
 }
-header('Content-type: application/json');
-
 // Never cache requests:
 header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
 header("Cache-Control: post-check=0, pre-check=0", false);
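Review bot: In download_email the Content-Disposition value interpolates `$address` and `$mailid` straight into a quoted filename, and `$mailid` arrives unnormalised from `$_GET['download_email_id']` in the router hunk at line 124, so a value containing `"` or `;` alters the header's structure and a non-numeric id also reaches imap_fetchheader/imap_body as-is. Normalise the id once at the top of the function, e.g. `$mailid = filter_var($mailid, FILTER_VALIDATE_INT); if ($mailid === false) { error(404, 'download error: invalid username/mailid combination'); return; }`, and build the filename from the validated int plus a whitelisted form of the address, e.g. `$safeAddress = preg_replace('/[^A-Za-z0-9@._-]/', '_', $address);`. Whether _load_emails already rejects a malformed id cannot be seen from this hunk, so this is defence in depth rather than a confirmed hole. The docblock's `@internal param the $username matching username` line documents a parameter the function does not take and should be dropped, and the blank line between the docblock and the `function` keyword detaches the docblock from the function for most tools.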
@@ -124,7 +153,9 @@ if (isset($_GET['username'])) {
 $address = $username . "@" . $config['mailHostname'];
 // simple router:
- if (isset($_GET['delete_email_id'])) {
+ if (isset($_GET['download_email_id'])) {
+ download_email($_GET['download_email_id'], $address);
+ } else if (isset($_GET['delete_email_id'])) {
 delete_email($_GET['delete_email_id'], $address);
 } else {
 print_emails($username, $address);
diff --git a/src/index.html b/src/index.html
index 5bba59c..2014b3c 100644
--- a/src/index.html
+++ b/src/index.html
@@ -74,6 +74,11 @@
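Review bot: `} else if (isset($_GET['delete_email_id'])) {` uses the two-word form; PSR-12 spells this as the single keyword, `} elseif (isset($_GET['delete_email_id'])) {`, which also matches the rest of the file's brace style on the same line. The enclosing `if (isset($_GET['username']))` block starts before and ends after this hunk.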