Skip to main content

Catch-All Mailbox: Setup Patterns That Don’t Create a Mess

 

Enabling a catch-all mailbox transforms your domain from a closed, secure system into an open intake valve. By default, a mail server rejects unknown recipients with a 550 User Unknown error at the SMTP edge. A catch-all forces the server to reply 250 OK to everything — spam, phishing, and Directory Harvest Attacks (DHA).

Without strict architectural guardrails, this setup destroys domain reputation and buries legitimate leads. You risk becoming a backscatter source, getting your IP blacklisted, and drowning in noise.

For a forensic breakdown of why these setups fail, read Catch-All Email: Why It Looks Simple — and Why It Becomes an Ops Problem (2026).

If you must run a catch-all to capture typos or legacy traffic, do not route it to a human inbox. Use one of the following three isolation patterns.

The Golden Rule: Isolation

Never route catch-all traffic directly to a primary user’s inbox.

Catch-all traffic is inherently dirty. It bypasses Directory-Based Edge Blocking (DBEB), meaning your server accepts the payload before validating the recipient. Mixing this stream with high-priority mail (ceo@company.com) creates a security blind spot.

Pattern 1: The “Quarantine Sink” (Microsoft 365 / Exchange)

This is the standard for high-volume environments. The goal is to accept the mail for legal/discovery purposes but immediately deprioritize it so it does not trigger notifications.

The Architecture:

  1. Ingest: The server accepts mail for unknown recipients.
  2. Tag: The Transport Rule identifies the message as outside the organization and not for a valid user.
  3. Suppress: The rule sets the Spam Confidence Level (SCL) to 9 (High Confidence Spam).
  4. Store: The message is routed to a Shared Mailbox (catchall-sink@).

Implementation:

In Microsoft 365, you must set the domain to “Internal Relay” (disabling DBEB) and use PowerShell or the Exchange Admin Center (EAC).

PowerShell Configuration:

# 1. Create the Sink (Shared Mailbox — No License Required)
New-Mailbox -Shared -Name “CatchAll Sink” -PrimarySmtpAddress catchall-sink@yourdomain.com
# 2. Create the Transport Rule
New-TransportRule -Name “Catch-All Routing & Suppression” `
-FromScope “NotInOrganization” `
-SentTo “catchall-sink@yourdomain.com” `
-RedirectMessageTo “catchall-sink@yourdomain.com” `
-SetSCL 9 `
-ExceptIfRecipientBelongsTo “All Valid Users Group”

Why SCL 9?
 If you do not set the SCL, the catch-all mailbox will fill with notifications. SCL 9 forces the mail into the Junk folder. You review this folder weekly, not hourly.

Pattern 2: The “Tagged Stream” (Postfix / Linux)

For solo operators running their own stack (Postfix/Dovecot), a separate mailbox may be overkill. The alternative is header injection and client-side filtering.

The Architecture:

  1. Ingest: luser_relay accepts the message.
  2. Modify: The MTA injects a header (X-Catch-All: True) or modifies the Subject.
  3. Filter: Sieve rules or Outlook rules move the message to a “Potential Leads” folder.

Postfix Configuration:

# /etc/postfix/main.cf
# Map unknown local users to a specific alias
luser_relay = catchall_alias
# /etc/postfix/virtual
# Ensure the alias maps to a real user

catchall_alias realuser@yourdomain.com

Warning: luser_relay only works for the local domain. If you host multiple virtual domains, you must use virtual_alias_maps with a wildcard:

# /etc/postfix/virtual

@example.com realuser@example.com

Client-Side Filter (Sieve):
 Do not rely on your eyes to filter this. Use a rule.

if header :contains “X-Original-To” “catchall_alias” {
fileinto “Junk/CatchAll”;
stop;
}

Pattern 3: The “Partial Wildcard” (Regex Routing)

The most sophisticated pattern avoids the “accept everything” problem. Instead of a true wildcard (*@domain.com), you accept only specific patterns. This blocks high-risk targets like admin@ or hr@ while allowing dynamic marketing addresses.

The Architecture:
 You configure the MTA to accept sales-.*@domain.com (e.g., sales-webinar, sales-q1) but reject everything else.

Implementation (Google Workspace):

  1. Navigate to Apps > Google Workspace > Gmail > Default Routing.
  2. Specify Envelope Recipients: Select “Pattern Match”.
  3. Regex: ^sales-.*@yourdomain\.com$
  4. Action: Change envelope recipient to sales-team@yourdomain.com.

Result:

  • Sender types sales-promo@yourdomain.com -> Accepted (250 OK).
  • Sender types admin@yourdomain.com -> Rejected (550 User Unknown).

This drastically reduces the attack surface for Directory Harvest Attacks.

The “Loop of Death” Risk

The single most critical failure mode in catch-all setups is the routing loop.

The Scenario:

  1. Catch-all accepts mail for ghost@domain.com.
  2. Rule auto-forwards it to external@gmail.com.
  3. Gmail rejects it (SPF/DMARC failure).
  4. Gmail sends a bounce (NDR) back to ghost@domain.com.
  5. Catch-all accepts the bounce.
  6. Rule forwards the bounce to external@gmail.com.

The Consequence:
 This creates an infinite loop until the MaxHopCount is exceeded. You will see error codes like 5.4.14 Hop count exceeded or 5.4.6 Routing loop detected.

Prevention:

  1. Check Headers: Ensure your MTA respects X-Loop or Delivered-To headers.
  2. Block Auto-Replies: Configure the catch-all rule to never forward messages with Auto-Submitted: auto-generated headers.
  3. Microsoft 365 Guardrail: Microsoft’s outbound spam policy often blocks external forwarding by default, resulting in 5.7.520 Access denied. You must explicitly enable forwarding in the Outbound Spam Filter Policy, but doing so increases your risk of being blocked for backscatter.

The Root Cause is Pricing, Not Technology

Most businesses enable catch-alls to avoid “Per-User Taxes.” If you need support@, billing@, and jobs@, but don’t want to pay Google or Microsoft $18/month for three extra seats, the catch-all feels like a clever hack.

It is not a hack; it is technical debt.

TrekMail solves the pricing problem, removing the need for the architectural risk.

  • Pooled Storage: We don’t charge per user. You get a pool of storage (e.g., 50GB) to share across as many mailboxes as you need.
  • Legitimate Aliases: Create support@ and billing@ as real aliases or mailboxes. They exist in the directory, so they accept mail legitimately.
  • Edge Rejection: Because these are real addresses, we can reject invalid recipients (550 User Unknown) at the edge, protecting your domain reputation.

If you are an MSP managing 100 domains, or a business that just wants professional email without the per-seat markup, stop fighting with Regex and Transport Rules.

Stop fighting DNS. Try TrekMail for free.

Labels:
Location: United States

Comments

Post a Comment

Popular posts from this blog

Email Isn’t an App — It’s Operations: What Breaks First When You Manage Multiple Domains

Most people think email is "solved." It’s old (1971), it’s ubiquitous, and mostly, it’s boring. Until it isn't.   The moment you start managing email for a real business—handling custom domains, setting up mailboxes for employees, or routing inbound traffic—you learn a blunt lesson: Email isn’t an app. It’s operations. You can ship a beautiful UI for creating mailboxes in a weekend. But you cannot ship reliability in a weekend. Reliability is the product. This is a practical look at the invisible infrastructure "chain of custody" that breaks when you move beyond a simple Gmail account, and what I learned about the grim reality of SMTP, DNS, and deliverability while building an ops-first email platform.   The Stack You Don't See When a user says "email," they picture an inbox. When an operator looks at email, they see a hostile environment. A single message delivery relies on a fragile chain: DNS : The phonebook (MX) and the...
9 comments
Read more

Forward Email to Another Address: What You Can Break (and How to Avoid It)

You set up a forwarding rule. You send a test email. It arrives. You think you’re done. You aren’t. In 2026, "forwarding" is not a passive pipe; it is an active SMTP relay operation that fundamentally alters the chain of custody. When you forward email to another address, you are inserting your server as a "Man-in-the-Middle." To modern receivers like Gmail, Outlook, and Yahoo, a poorly configured forward looks identical to a spoofing attack. If you do not understand the distinction between the Envelope Sender (P1) and the Header Sender (P2), your forwards will fail. They won't just bounce; they will be silently dropped, or worse, they will burn the reputation of your domain. This guide deconstructs the mechanics of forwarding, the specific error codes you will see when it breaks, and how to architect a solution that survives strict DMARC policies. For a complete architectural breakdown, refer to our pillar guide: Email Forwarding: How It Works, How to S...
13 comments
Read more

Email Forwarding Not Working: The Step-by-Step Debug Checklist (Fast Triage)

  Email forwarding fails because modern security protocols (SPF, DKIM, DMARC) are designed to stop it. To a receiving server, a forwarded email looks identical to a spoofed email: a server that isn't the original sender is attempting to deliver mail on their behalf. When forwarding breaks, you rarely get a clear error. You get silence. This guide provides a rapid triage workflow to isolate the failure, followed by a forensic checklist to fix the root cause. For a deep dive into the mechanics of SRS and ARC, refer to our core documentation: Email Forwarding: How It Works, How to Set It Up, and How to Fix It When It Breaks (2026) . The 60-Second Triage: Identify the Symptom Do not guess. Categorize the failure behavior immediately to determine the fix. Symptom Behavior Likely Culprit Immediate Action The Bounce (NDR) Sender receives a 5xx error immediately. Policy Block or Invalid Address Read the SM...
12 comments
Read more