What is Catch-All Email?
A catch-all email (also called wildcard email) is a configuration that accepts email sent to any address at your domain and routes it to a designated inbox. If someone sends email to anyaddress@example.com, the catch-all inbox receives it regardless of whether "anyaddress" is a configured mailbox.
How Catch-All Email Works
When an email arrives at your mail server:
1. Address Lookup: Mail server checks if recipient exists
2. Catch-All Check: If not found, server checks for catch-all rule
3. Routing: Message is delivered to the catch-all mailbox
4. No Bounce: No non-delivery report (bounce) is sent to sender
Traditional Setup:
sales@example.com → sales inbox
info@example.com → info inbox
unknown@example.com → bounce (550 No such user)
With Catch-All:
sales@example.com → sales inbox
info@example.com → info inbox
unknown@example.com → catch-all inbox ✓
typo@example.com → catch-all inbox ✓
Configuring Catch-All Email
cPanel/WHM
Email → Default Address → Set Default Address
Select: Forward to Email Address
Enter: catchall@example.com
Plesk
Mail Settings → Mail Forwarding
Enable "Redirect mail to address"
Enter destination address
Postfix (Direct Configuration)
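# /etc/postfix/virtual
# (this file must be listed in virtual_alias_maps in main.cf)
# Real mailboxes need their own entries in this map; otherwise the
# catch-all line below also captures their mail.
@example.com catchall@example.com
# Rebuild the lookup table, then reload Postfix
postmap /etc/postfix/virtual
systemctl reload postfix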
Microsoft 365
Microsoft 365 doesn't support true catch-all, but you can create:
- Shared mailbox with alias for common typos
- Transport rules to forward undeliverable mail
Google Workspace
Admin Console → Apps → Google Workspace → Gmail
→ Default Routing → Catch-all address
Enter: catchall@example.com
Use Cases for Catch-All Email
During Migration
Accept email to old addresses while migrating to new system:
Phase 1: Enable catch-all, forward to admin
Phase 2: Monitor and create real mailboxes as needed
Phase 3: Disable catch-all once migration complete
Small Organizations
Simplify email management when you have few staff members who can handle any inquiry.
Typo Protection
Capture common misspellings:
support@example.com → Real mailbox
suport@example.com → Caught
suppport@example.com → Caught
Development/Testing
Accept test emails without configuring each address:
test-user1@dev.example.com → dev catch-all
test-user2@dev.example.com → dev catch-all
Advantages of Catch-All Email
| Benefit | Description |
|---|---|
| Never miss messages | Typos don't result in bounces |
| Simpler setup | No need to create every mailbox |
| Flexibility | Use any email address on-the-fly |
| Discover needs | Learn what addresses people expect |
Disadvantages and Risks
Spam Volume
Spammers target non-existent addresses. Catch-all accepts everything:
Without catch-all: 100 spam attempts → 95 bounced
With catch-all: 100 spam attempts → 100 delivered
Result: Massive increase in spam volume.
Backscatter and Blacklisting
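If your server accepts spam at SMTP time and only later rejects it, it has to send a bounce. Spam usually carries a forged sender address, so those bounces land on uninvolved third parties (backscatter), which can get your IP blacklisted.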
Storage Issues
Unlimited email addresses = unlimited storage consumption.
Security Risks
Attackers use catch-all to verify valid domains:
Test: random@example.com
Response: Accepted (catch-all exists) vs Rejected (no catch-all)
Email Authentication Complications
Catch-all can interfere with SPF/DKIM/DMARC validation for forwarded messages.
Catch-All Alternatives
Alias-Based Approach
Create specific aliases for expected variations:
sales@example.com → main-sales@example.com
sale@example.com → main-sales@example.com
sales-team@example.com → main-sales@example.com
Smart Routing Rules
Configure rules for common patterns:
*-support@example.com → support queue
*-billing@example.com → billing queue
Contact Form
Replace email addresses with web forms that route internally.
Best Practices
Use Catch-All Temporarily
Enable only during specific periods (migration, event) rather than permanently.
Implement Aggressive Spam Filtering
SpamAssassin threshold: 3.0 (stricter than default 5.0)
Greylisting: enabled
DNSBL checks: multiple lists
Monitor Catch-All Volume
Track what's being caught:
# Count catch-all deliveries by address
# (adjust the match string and the awk field number to your MTA's log format)
grep "catch-all" /var/log/mail.log | \
awk '{print $7}' | sort | uniq -c | sort -rn | head -20
Create Real Mailboxes for Frequent Addresses
If monitoring shows legitimate patterns, create proper mailboxes:
# If you see:
150 messages → careers@example.com (caught)
# Action:
Create careers@example.com as real mailbox
Remove from catch-all pattern
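The volume monitoring and mailbox-promotion steps above can be combined into one triage pass. The following is an added example, not code from the original page: it assumes Postfix-style delivery lines in which `orig_to=` holds the address the sender actually used, a catch-all destination of catchall@example.com, and real mailboxes sales, info and support; the log lines are constructed samples.

```python
import re
from collections import Counter
from difflib import get_close_matches

CATCHALL = "catchall@example.com"        # assumed catch-all destination
REAL = ["sales", "info", "support"]      # assumed real mailboxes (local parts)
# Postfix logs the rewritten address as to= and the sender's choice as orig_to=.
DELIVERY = re.compile(r"to=<([^>]*)>, orig_to=<([^>]*)>.*status=sent")

_TAIL = "relay=local, delay=0.2, dsn=2.0.0, status=sent (delivered to mailbox)"
# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    f"Mar  3 10:01:12 mx1 postfix/local[2101]: 4F1A2C0: to=<{CATCHALL}>, orig_to=<{o}@example.com>, {_TAIL}"
    for o in ["careers", "suport", "careers", "xk29qz", "suppport", "careers", "suport"]
] + [
    # Delivery to a real mailbox: no orig_to, so it is not a catch-all hit.
    f"Mar  3 10:09:40 mx1 postfix/local[2101]: 4F1A2D1: to=<sales@example.com>, {_TAIL}",
    # Deferred catch-all delivery: not counted until it is actually sent.
    f"Mar  3 10:09:55 mx1 postfix/local[2101]: 4F1A2D2: to=<{CATCHALL}>, orig_to=<jobs@example.com>, "
    "relay=local, delay=5, dsn=4.2.2, status=deferred (mailbox full)",
]

def caught_recipients(lines, catchall=CATCHALL):
    """Count the original recipients whose mail landed in the catch-all mailbox."""
    counts = Counter()
    for line in lines:
        m = DELIVERY.search(line)
        if m and m.group(1).lower() == catchall:
            counts[m.group(2).lower()] += 1
    return counts

def triage(counts, real=REAL, min_hits=3):
    """Split caught addresses into likely typos, frequent unknowns, and noise."""
    report = {"typo": {}, "frequent": [], "noise": []}
    for addr, hits in counts.most_common():
        local = addr.split("@", 1)[0]
        near = get_close_matches(local, real, n=1, cutoff=0.8)
        if near:                      # near-miss of a real mailbox: add an alias
            report["typo"][addr] = near[0]
        elif hits >= min_hits:        # recurring unknown address: candidate mailbox
            report["frequent"].append(addr)
        else:                         # one-off, most likely spam or probing
            report["noise"].append(addr)
    return report

if __name__ == "__main__":
    print(triage(caught_recipients(SAMPLE_LOG)))
```

On a live server, pass the lines of /var/log/mail.log instead of `SAMPLE_LOG`.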
Subdomain Catch-All Only
Limit catch-all to subdomains, not your primary domain:
example.com → No catch-all
test.example.com → Catch-all enabled
staging.example.com → Catch-all enabled
Daily Cleanup
Automate spam removal:
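# Run daily (e.g. from cron): delete catch-all files with "spam" in the name
# that are older than one day (-mtime +1 rounds file age down to whole days)
find /var/mail/catchall -type f -name "*spam*" -mtime +1 -delete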
Detecting if a Domain Uses Catch-All
Email verification services test with random addresses:
Send to: random-test-12345@example.com
If accepted: Likely catch-all
If rejected: No catch-all
SMTP conversation test:
telnet mx1.example.com 25
HELO test.com
MAIL FROM: <test@test.com>
RCPT TO: <nonexistent-random@example.com>
# 250 OK = catch-all exists
# 550 No such user = no catch-all
Security Considerations
Email Enumeration
Catch-all prevents attackers from discovering valid addresses, but also prevents legitimate verification.
Sender Reputation
High spam acceptance can damage your domain's sender reputation, affecting legitimate outbound email.
Compliance Issues
GDPR and data retention policies may require you to reject unwanted email rather than accept everything.
When to Use Catch-All
✅ Good use cases:
- Temporary migration periods
- Internal/development domains
- Very small organizations (< 5 people)
- Event-specific domains with limited lifespan
❌ Avoid for:
- High-traffic production domains
- E-commerce or customer-facing brands
- Domains handling sensitive data
- Organizations with compliance requirements
Catch-all email is a double-edged sword: convenient but risky. Use sparingly and with strong spam protection.