Skip to main content

What is an Accept All means?

Understand what "Accept All" means, clarifying its implications for email verification processes .

Tomba.io Team avatar
Written by Tomba.io Team
Updated this week

What Is a Catch-All (Accept-All) Email?

A catch-all (aka “accept-all”) mailbox is a mail server configuration that accepts every incoming email addressed to its domain, whether the local part exists or not:

Postfix example
In /etc/postfix/virtual you might have:

@example.com    [email protected]

which tells Postfix “deliver any mail for @example.com to [email protected].”

Because the server never rejects unknown addresses, SMTP never returns a 550/“User unknown” error. From an email-verification standpoint, this makes the domain unverifiable: you can’t tell if [email protected] is real or just a route to the catch-all box.


Why Do Organizations Use Catch-All?

  1. Typo Resilience (Small Biz)

    • Scenario: A one-person consultancy doesn’t want to miss leads if someone mistypes .con instead of .com.

    • Benefit: All “near miss” addresses still route to a single inbox, reducing lost inquiries.

  2. Distribution & Security (Large Orgs)

    • Scenario: Universities or government agencies publish generic addresses (info@, help@) but staff rotate frequently.

    • Benefit: Central intake inboxes funnel all mail for on-boarding, off-boarding, or compliance filters.

  3. Advanced Spam Management

    • Scenario: A company uses a catch-all as the first line of defense, then filters or quarantines messages internally.

    • Benefit: Allows pre-screening of questionable mail without rejecting anything at the SMTP layer.


The SMTP & DNS Reality Behind Catch-All

1. DNS MX Lookup

Any mail-sender library (e.g. Python’s dnspython, Go’s net.LookupMX) performs:

import dns.resolver

answers = dns.resolver.resolve('example.com', 'MX')
for rdata in answers:
print(f'Host {rdata.exchange} with priority {rdata.preference}')

If MX records exist, the domain appears legitimate. But MX alone can’t reveal accept-all behavior.


2. SMTP Handshake

After resolving MX, you connect to port 25 (or 587/465) and speak SMTP:

EHLO yourdomain.com
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
  • If the server returns 550 5.1.1 User unknown:
    The address is definitively invalid.

  • If it returns 250 OK for every RCPT:
    That’s classic catch-all behavior.

Note: Some Secure Email Gateways (SEGs) will respond 250 OK even for spam traps or blocked senders, then silently drop the email later.


How to Detect Catch-All with Tomba’s Email Verifier

Tomba’s verifier automates these steps and combines them with other checks. Here’s what happens under the hood when you hit our API or UI:

  1. Syntax Check
    Validates against RFC 5322 patterns.

  2. Disposable Domain Check
    Rejects known throwaway providers (e.g. mailinator.com).

  3. MX Record Lookup
    Ensures the domain has at least one MX record.

  4. SMTP Probe

    • Connects to port 25 (or alternative ports if 25 is blocked).

    • Executes EHLO, MAIL FROM, RCPT TO sequence.

    • Interprets response codes.

  5. Catch-All Detection

    • Sends two probes: one to a known valid address (if available) and one to a random address.

    • If both succeed, flags accept_all=true.

You can try it out now:


Sample Code: SMTP Catch-All Check in Python

Below is a simplified snippet to illustrate the core logic—never send real emails when verifying; always use VRFY or RCPT TO probes.

import socket

def check_catchall(mx_host, domain):
sock = socket.create_connection((mx_host, 25), timeout=10)
file = sock.makefile('rw', newline='\r\n')
file.write(f'EHLO verifier.tomba.io\r\n')
file.flush()
file.readline() # skip greeting lines

# Mail from
file.write('MAIL FROM:<[email protected]>\r\n')
file.flush()
file.readline()

# RCPT to random address
random_user = 'doesnotexist' + str(int(time.time())) + '@' + domain
file.write(f'RCPT TO:<{random_user}>\r\n')
file.flush()
response = file.readline()
file.write('QUIT\r\n')
file.flush()
sock.close()

return response.startswith('250')

# Usage
answers = dns.resolver.resolve('example.com', 'MX')
mx = sorted(answers, key=lambda x: x.preference)[0].exchange.to_text()
is_catchall = check_catchall(mx, 'example.com')
print('Catch-all:', is_catchall)

Secure Email Gateways (SEG) & Why They Complicate Verification

Modern enterprises often sit behind an SEG. Popular solutions include:

  • Proofpoint

  • Mimecast

  • Cisco Secure Email

  • Fortinet FortiMail

  • Trend Micro Email Security

  • Sophos Email Security

  • Microsoft Defender for Office 365

  • Barracuda Email Security

These act as a “mail proxy”:

  1. Ingress Filtering

    • Spam, phishing, and malware are blocked.

  2. Custom Policies (DLP, Encryption)

    • Emails matching certain keywords are dropped or quarantined.

  3. SMTP Response Masking

    • Some SEGs return 250 OK for all RCPT, then silently discard disallowed mail.

When you probe with RCPT TO, you may get a false positive (250) even if the final MTA will never deliver the message.


Why “No Bounce” ≠ “Valid”

Use case: You send a test email to [email protected] and it never bounces. Yet Tomba flags it invalid. What gives?

  1. Silent Drops by Google Workspace / Office 365
    Administrators can configure:

    • No NDRs for unknown senders

    • No bounces for disabled accounts

    • Whitelisting/blacklisting rules

  2. Quarantine / Junk Hold
    The mail is accepted but never delivered to the end user’s Inbox.

  3. Graymail & Greylisting
    Temporarily defers mail from new senders to fight spam bursts.

Because of this, observing a bounce is an unreliable indicator of invalidity. Instead, Tomba uses non-intrusive SMTP-level checks that never risk triggering anti-SPF/DKIM/DMARC policies.


When a “Valid” Address Still Bounces

Scenario: Tomba marked [email protected] as valid, but your campaign reports a 5% bounce.

Possible causes:

  1. Sender Reputation & IP Blacklists
    ESPs (Mailchimp, SendGrid) or your private ESP may be on a DNSBL.

  2. Cold-Email Blocking
    Many MTAs throttle or block messages from new senders.

  3. Dynamic Policies
    The recipient may employ a “send-once, block-later” strategy.

  4. Post-Check User Deletion
    The mailbox was deleted after Tomba’s last check.


Best Practices for Outreach with Catch-All Domains

Sender Setup

Catch-All Safe?

Self-hosted SMTP with dedicated IP & DKIM

✅ Yes, if your IP has positive reputation

Major ESP (Mailchimp, SendGrid, etc.)

⚠️ Use with caution; catch-all may mask bounces and trigger penalties

Transactional-only services (e.g. Postmark)

✅ Generally safe; they maintain high deliverability

  1. Warm Up Your IP & Domain
    Gradually increase daily volumes; segment lists by engagement.

  2. Use Double Opt-In Where Possible
    Let users confirm subscription before sending cold outreach.

  3. Monitor Feedback Loops
    Set up abuse@ reporting and track complaint rates.

  4. Leverage Tomba’s Bulk Verifier
    Always scrub lists through Tomba Bulk Verifier to identify catch-alls before sending.


Advanced: RFC & MTA Configurations

  • RFC 5321 (Simple Mail Transfer Protocol)
    Defines the RCPT TO command and response codes.

  • Postfix Catch-All Configuration

    /etc/postfix/virtual:
    @example.com [email protected]
    postmap /etc/postfix/virtual
    systemctl reload postfix
  • Exim Router

    catchall:
    driver = redirect
    domains = +local_domains
    data = catchall@${domain}
  • Sendmail Alias
    Add to /etc/aliases:

    @example.com: catchall

    then newaliases.


Putting It All Together: Tomba’s Unified Approach

Tomba combines:

  1. Distributed Verifier Network
    Multiple global IPs to bypass regional blocks.

  2. Segmented SMTP Probes
    Fallback ports (587, 465) when port 25 is firewalled.

  3. Heuristic Engine
    – Greylisting timers
    – DLP/SEG signature detection

  4. Continuous Learning
    Real-time feedback from user campaigns to refine algorithms.

Our average accuracy is ≈ 99 %, and we surface detailed reasons for each result:

{
"email": "[email protected]",
"reachable": "true",
"has_mx_records": true,
"accept_all": true,
"message": ""
}

Summary & Next Steps

  • Catch-all domains accept every RCPT, making individual addresses untestable via standard SMTP rejects.

  • Enterprises often combine catch-all with SEGs, leading to false positives on live probes.

  • Tomba’s Email Verifier leverages multi-step SMTP/DNS checks plus heuristics to accurately flag catch-all and protect your deliverability.

  • Always pre-clean your lists, warm up your IP, and monitor deliverability metrics.


👉 Ready to dive deeper?

Got questions or need help? Drop us a line at [email protected] or join our community on LinkedIn. We’re here to make your outreach smarter, safer, and far more effective!

Did this answer your question?