Catch-All Email

Email & Security
An email setup that routes all addresses at a domain to a single inbox, even if the address does not exist.

What is Catch-All Email?

A catch-all email (also called wildcard email) is a configuration that accepts email sent to any address at your domain and routes it to a designated inbox. If someone sends email to anyaddress@example.com, the catch-all inbox receives it regardless of whether "anyaddress" is a configured mailbox.

How Catch-All Email Works

When an email arrives at your mail server:

1. Address Lookup: Mail server checks if recipient exists

2. Catch-All Check: If not found, server checks for catch-all rule

3. Routing: Message is delivered to the catch-all mailbox

4. No Bounce: No non-delivery report (bounce) is sent to sender

Traditional Setup:

sales@example.com → sales inbox

info@example.com → info inbox

unknown@example.com → bounce (550 No such user)

With Catch-All:

sales@example.com → sales inbox

info@example.com → info inbox

unknown@example.com → catch-all inbox ✓

typo@example.com → catch-all inbox ✓

Configuring Catch-All Email

cPanel/WHM

Email → Default Address → Set Default Address

Select: Forward to Email Address

Enter: catchall@example.com

Plesk

Mail Settings → Mail Forwarding

Enable "Redirect mail to address"

Enter destination address

Postfix (Direct Configuration)

# /etc/postfix/virtual

@example.com catchall@example.com

# Reload Postfix

postmap /etc/postfix/virtual

systemctl reload postfix

Microsoft 365

Microsoft 365 doesn't support true catch-all, but you can create:

Google Workspace

Admin Console → Apps → Google Workspace → Gmail

→ Default Routing → Catch-all address

Enter: catchall@example.com

Use Cases for Catch-All Email

During Migration

Accept email sent to old addresses while migrating to a new system:

Phase 1: Enable catch-all, forward to admin

Phase 2: Monitor and create real mailboxes as needed

Phase 3: Disable catch-all once migration is complete

Small Organizations

Simplify email management when you have few staff members who can handle any inquiry.

Typo Protection

Capture common misspellings:

support@example.com → Real mailbox

suport@example.com → Caught

suppport@example.com → Caught

Development/Testing

Accept test emails without configuring each address:

test-user1@dev.example.com → dev catch-all

test-user2@dev.example.com → dev catch-all

Advantages of Catch-All Email

Benefit               Description
Never miss messages   Typos don't result in bounces
Simpler setup         No need to create every mailbox
Flexibility           Use any email address on-the-fly
Discover needs        Learn what addresses people expect

Disadvantages and Risks

Spam Volume

Spammers target non-existent addresses. Catch-all accepts everything:

Without catch-all: 100 spam attempts → 95 bounced

With catch-all: 100 spam attempts → 100 delivered

Result: Massive increase in spam volume.

Backscatter and Blacklisting

If your server accepts spam at SMTP time and rejects it later, the resulting bounces go to forged sender addresses (backscatter), which can get your IP blacklisted.

Storage Issues

Unlimited email addresses = unlimited storage consumption.

Security Risks

Attackers use catch-all to verify valid domains:

Test: random@example.com

Response: Accepted (catch-all exists) vs Rejected (no catch-all)

Email Authentication Complications

Catch-all can interfere with SPF/DKIM/DMARC validation for forwarded messages.

Catch-All Alternatives

Alias-Based Approach

Create specific aliases for expected variations:

sales@example.com → main-sales@example.com

sale@example.com → main-sales@example.com

sales-team@example.com → main-sales@example.com

Smart Routing Rules

Configure rules for common patterns:

*-support@example.com → support queue

*-billing@example.com → billing queue

Contact Form

Replace email addresses with web forms that route internally.

Best Practices

Use Catch-All Temporarily

Enable only during specific periods (migration, event) rather than permanently.

Implement Aggressive Spam Filtering

SpamAssassin threshold: 3.0 (stricter than default 5.0)

Greylisting: enabled

DNSBL checks: multiple lists

Monitor Catch-All Volume

Track what's being caught:

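# Count catch-all deliveries by address
# (assumes deliveries are tagged "catch-all" in the log and the address is field 7; adjust for your log format)
grep "catch-all" /var/log/mail.log | \
  awk '{print $7}' | sort | uniq -c | sort -rn | head -20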

Create Real Mailboxes for Frequent Addresses

If monitoring shows legitimate patterns, create proper mailboxes:

# If you see:

150 messages → careers@example.com (caught)

# Action:

Create careers@example.com as real mailbox

Remove from catch-all pattern
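
The monitoring and "create real mailboxes" steps above, combined in one script. This is an added example, not part of the original page: it assumes Postfix, which logs orig_to=<...> when a virtual alias rewrites the recipient, and the function names, threshold and sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). Assumes Postfix, which logs
# orig_to=<...> when a virtual catch-all rewrites the recipient.

# Constructed sample log lines; hosts, queue IDs and addresses are made up.
sample_log() {
cat <<'EOF'
Jan 12 09:14:02 mx1 postfix/local[2211]: 4F1A2C0123: to=<catchall@example.com>, orig_to=<careers@example.com>, relay=local, delay=0.11, dsn=2.0.0, status=sent (delivered to mailbox)
Jan 12 09:20:45 mx1 postfix/local[2215]: 5A3B1C0456: to=<catchall@example.com>, orig_to=<Careers@example.com>, relay=local, delay=0.09, dsn=2.0.0, status=sent (delivered to mailbox)
Jan 12 10:02:10 mx1 postfix/local[2301]: 6C4D2E0789: to=<sales@example.com>, relay=local, delay=0.08, dsn=2.0.0, status=sent (delivered to mailbox)
Jan 12 10:31:57 mx1 postfix/local[2340]: 7D5E3F0ABC: to=<catchall@example.com>, orig_to=<suport@example.com>, relay=local, delay=0.10, dsn=2.0.0, status=sent (delivered to mailbox)
Jan 12 11:05:33 mx1 postfix/local[2388]: 8E6F4A0DEF: to=<catchall@example.com>, orig_to=<qx7f2@example.com>, relay=local, delay=0.12, dsn=2.0.0, status=sent (delivered to mailbox)
Jan 12 11:48:19 mx1 postfix/local[2412]: 9F7A5B0135: to=<catchall@example.com>, orig_to=<careers@example.com>, relay=local, delay=0.07, dsn=2.0.0, status=sent (delivered to mailbox)
Jan 12 12:00:00 mx1 postfix/local[2430]: A08B6C0246: to=<catchall@example.com>, relay=local, delay=0.06, dsn=2.0.0, status=sent (delivered to mailbox)
EOF
}

# Read a mail log on stdin; print "COUNT ADDRESS" for each original recipient
# that ended up in catch-all mailbox $1, most frequent first.
# The leading space in " to=<" keeps orig_to=<...> from matching as the mailbox.
catchall_counts() {
  awk -v box="$1" '
    index($0, " to=<" box ">,") && /status=sent/ && match($0, /orig_to=<[^>]+>/) {
      # Strip the 9-character "orig_to=<" prefix and the closing ">".
      n[tolower(substr($0, RSTART + 9, RLENGTH - 10))]++
    }
    END { for (a in n) print n[a], a }
  ' | sort -k1,1nr -k2,2
}

# Addresses caught at least $2 times: candidates for a real mailbox.
mailbox_candidates() {
  catchall_counts "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Number of addresses seen exactly once (typos or dictionary-style spam).
one_off_count() {
  catchall_counts "$1" | awk '$1 == 1 { c++ } END { print c + 0 }'
}

sample_log | catchall_counts "catchall@example.com"
```

On a live server, feed the functions the real log instead of sample_log, for example `catchall_counts catchall@example.com < /var/log/mail.log`.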

Subdomain Catch-All Only

Limit catch-all to subdomains, not your primary domain:

example.com → No catch-all

test.example.com → Catch-all enabled

staging.example.com → Catch-all enabled

Daily Cleanup

Automate spam removal:

# Delete spam from catch-all daily

find /var/mail/catchall -type f -name "*spam*" -mtime +1 -delete

Detecting if a Domain Uses Catch-All

Email verification services test with random addresses:
Send to: random-test-12345@example.com

If accepted: Likely catch-all

If rejected: No catch-all

SMTP conversation test:
telnet mx1.example.com 25

HELO test.com

MAIL FROM: <test@test.com>

RCPT TO: <nonexistent-random@example.com>

# 250 OK = catch-all exists

# 550 No such user = no catch-all

Security Considerations

Email Enumeration

Because every recipient address is accepted, catch-all prevents attackers from discovering which addresses are valid, but it also prevents legitimate verification.

Sender Reputation

High spam acceptance can damage your domain's sender reputation, affecting legitimate outbound email.

Compliance Issues

GDPR and data retention policies may require you to reject unwanted email rather than accept everything.

When to Use Catch-All

Good use cases:

Avoid for:

Catch-all email is a double-edged sword: convenient but risky. Use sparingly and with strong spam protection.
