What Is a Catch-All (Accept-All) Email?
A catch-all (aka “accept-all”) mailbox is a mail server configuration that accepts every incoming email addressed to its domain, whether the local part exists or not:
Postfix example
In /etc/postfix/virtual
you might have:
@example.com [email protected]
which tells Postfix “deliver any mail for @example.com
to [email protected]
.”
Because the server never rejects unknown addresses, SMTP never returns a 550/“User unknown” error. From an email-verification standpoint, this makes the domain unverifiable: you can’t tell if [email protected]
is real or just a route to the catch-all box.
Why Do Organizations Use Catch-All?
Typo Resilience (Small Biz)
Scenario: A one-person consultancy doesn’t want to miss leads if someone mistypes
.con
instead of.com
.Benefit: All “near miss” addresses still route to a single inbox, reducing lost inquiries.
Distribution & Security (Large Orgs)
Scenario: Universities or government agencies publish generic addresses (
info@
,help@
) but staff rotate frequently.Benefit: Central intake inboxes funnel all mail for on-boarding, off-boarding, or compliance filters.
Advanced Spam Management
Scenario: A company uses a catch-all as the first line of defense, then filters or quarantines messages internally.
Benefit: Allows pre-screening of questionable mail without rejecting anything at the SMTP layer.
The SMTP & DNS Reality Behind Catch-All
1. DNS MX Lookup
Any mail-sender library (e.g. Python’s dnspython
, Go’s net.LookupMX
) performs:
import dns.resolver
answers = dns.resolver.resolve('example.com', 'MX')
for rdata in answers:
print(f'Host {rdata.exchange} with priority {rdata.preference}')
If MX records exist, the domain appears legitimate. But MX alone can’t reveal accept-all behavior.
2. SMTP Handshake
After resolving MX, you connect to port 25 (or 587/465) and speak SMTP:
EHLO yourdomain.com
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
If the server returns
550 5.1.1 User unknown
:
The address is definitively invalid.If it returns
250 OK
for every RCPT:
That’s classic catch-all behavior.
Note: Some Secure Email Gateways (SEGs) will respond 250 OK
even for spam traps or blocked senders, then silently drop the email later.
How to Detect Catch-All with Tomba’s Email Verifier
Tomba’s verifier automates these steps and combines them with other checks. Here’s what happens under the hood when you hit our API or UI:
Syntax Check
Validates against RFC 5322 patterns.Disposable Domain Check
Rejects known throwaway providers (e.g.mailinator.com
).MX Record Lookup
Ensures the domain has at least one MX record.SMTP Probe
Connects to port 25 (or alternative ports if 25 is blocked).
Executes
EHLO
,MAIL FROM
,RCPT TO
sequence.Interprets response codes.
Catch-All Detection
Sends two probes: one to a known valid address (if available) and one to a random address.
If both succeed, flags
accept_all=true
.
You can try it out now:
🔗 Web UI: Tomba Email Verifier
📑 API Docs: Tomba Email Verifier API
Sample Code: SMTP Catch-All Check in Python
Below is a simplified snippet to illustrate the core logic—never send real emails when verifying; always use VRFY
or RCPT TO
probes.
import socket
def check_catchall(mx_host, domain):
sock = socket.create_connection((mx_host, 25), timeout=10)
file = sock.makefile('rw', newline='\r\n')
file.write(f'EHLO verifier.tomba.io\r\n')
file.flush()
file.readline() # skip greeting lines
# Mail from
file.write('MAIL FROM:<[email protected]>\r\n')
file.flush()
file.readline()
# RCPT to random address
random_user = 'doesnotexist' + str(int(time.time())) + '@' + domain
file.write(f'RCPT TO:<{random_user}>\r\n')
file.flush()
response = file.readline()
file.write('QUIT\r\n')
file.flush()
sock.close()
return response.startswith('250')
# Usage
answers = dns.resolver.resolve('example.com', 'MX')
mx = sorted(answers, key=lambda x: x.preference)[0].exchange.to_text()
is_catchall = check_catchall(mx, 'example.com')
print('Catch-all:', is_catchall)
Secure Email Gateways (SEG) & Why They Complicate Verification
Modern enterprises often sit behind an SEG. Popular solutions include:
Proofpoint
Mimecast
Cisco Secure Email
Fortinet FortiMail
Trend Micro Email Security
Sophos Email Security
Microsoft Defender for Office 365
Barracuda Email Security
These act as a “mail proxy”:
Ingress Filtering
Spam, phishing, and malware are blocked.
Custom Policies (DLP, Encryption)
Emails matching certain keywords are dropped or quarantined.
SMTP Response Masking
Some SEGs return
250 OK
for all RCPT, then silently discard disallowed mail.
When you probe with RCPT TO
, you may get a false positive (250) even if the final MTA will never deliver the message.
Why “No Bounce” ≠ “Valid”
Use case: You send a test email to [email protected]
and it never bounces. Yet Tomba flags it invalid. What gives?
Silent Drops by Google Workspace / Office 365
Administrators can configure:No NDRs for unknown senders
No bounces for disabled accounts
Whitelisting/blacklisting rules
Quarantine / Junk Hold
The mail is accepted but never delivered to the end user’s Inbox.Graymail & Greylisting
Temporarily defers mail from new senders to fight spam bursts.
Because of this, observing a bounce is an unreliable indicator of invalidity. Instead, Tomba uses non-intrusive SMTP-level checks that never risk triggering anti-SPF/DKIM/DMARC policies.
When a “Valid” Address Still Bounces
Scenario: Tomba marked [email protected]
as valid, but your campaign reports a 5% bounce.
Possible causes:
Sender Reputation & IP Blacklists
ESPs (Mailchimp, SendGrid) or your private ESP may be on a DNSBL.Cold-Email Blocking
Many MTAs throttle or block messages from new senders.Dynamic Policies
The recipient may employ a “send-once, block-later” strategy.Post-Check User Deletion
The mailbox was deleted after Tomba’s last check.
Best Practices for Outreach with Catch-All Domains
Sender Setup | Catch-All Safe? |
Self-hosted SMTP with dedicated IP & DKIM | ✅ Yes, if your IP has positive reputation |
Major ESP (Mailchimp, SendGrid, etc.) | ⚠️ Use with caution; catch-all may mask bounces and trigger penalties |
Transactional-only services (e.g. Postmark) | ✅ Generally safe; they maintain high deliverability |
Warm Up Your IP & Domain
Gradually increase daily volumes; segment lists by engagement.Use Double Opt-In Where Possible
Let users confirm subscription before sending cold outreach.Monitor Feedback Loops
Set up abuse@ reporting and track complaint rates.Leverage Tomba’s Bulk Verifier
Always scrub lists through Tomba Bulk Verifier to identify catch-alls before sending.
Advanced: RFC & MTA Configurations
RFC 5321 (Simple Mail Transfer Protocol)
Defines theRCPT TO
command and response codes.Postfix Catch-All Configuration
/etc/postfix/virtual:
@example.com [email protected]
postmap /etc/postfix/virtual
systemctl reload postfixExim Router
catchall:
driver = redirect
domains = +local_domains
data = catchall@${domain}Sendmail Alias
Add to/etc/aliases
:@example.com: catchall
then
newaliases
.
Putting It All Together: Tomba’s Unified Approach
Tomba combines:
Distributed Verifier Network
Multiple global IPs to bypass regional blocks.Segmented SMTP Probes
Fallback ports (587, 465) when port 25 is firewalled.Heuristic Engine
– Greylisting timers
– DLP/SEG signature detectionContinuous Learning
Real-time feedback from user campaigns to refine algorithms.
Our average accuracy is ≈ 99 %, and we surface detailed reasons for each result:
{
"email": "[email protected]",
"reachable": "true",
"has_mx_records": true,
"accept_all": true,
"message": ""
}
Summary & Next Steps
Catch-all domains accept every RCPT, making individual addresses untestable via standard SMTP rejects.
Enterprises often combine catch-all with SEGs, leading to false positives on live probes.
Tomba’s Email Verifier leverages multi-step SMTP/DNS checks plus heuristics to accurately flag catch-all and protect your deliverability.
Always pre-clean your lists, warm up your IP, and monitor deliverability metrics.
👉 Ready to dive deeper?
Try it free: Tomba Email Verifier
Integrate via API: Tomba Verifier API Docs
Bulk List Cleaning: Bulk CSV Upload
Got questions or need help? Drop us a line at [email protected] or join our community on LinkedIn. We’re here to make your outreach smarter, safer, and far more effective!