What is a catch-all email address? (And why it breaks email verification)

• Is a catch-all email a real mailbox? Sometimes yes, sometimes no. The domain accepts every address; whether anyone reads it depends on internal routing.
• Why do companies enable catch-all? To avoid losing mail addressed to typos, former employees, or auto-generated addresses (noreply+order123@).
• Why does it matter for email verification? Standard SMTP checks return 'valid' for every catch-all address, which is technically true at the SMTP layer but useless as a deliverability signal.

A standard mail server rejects unknown addresses at the SMTP RCPT TO step. The sender gets a 550 5.1.1 User unknown response and the message never enters the queue. This rejection is what email verifiers rely on: probe the address, read the response, label valid or invalid.

A catch-all server does the opposite. It accepts every RCPT TO, queues the message, then decides what to do with it after delivery — forward to a fallback inbox, drop silently, scan for known patterns. The sender sees 250 OK either way.

Catch-all is enabled on the receiving server, not on the sender's side. You can't tell from the address itself; you can only detect it by probing the domain with a deliberately invalid local part and checking whether the server accepts it.

Three reasons keep coming up in r/sysadmin discussions:

Capturing typos and former-employee mail. A customer types [email protected] instead of support@; a former employee's contacts still email the old address. Catch-all routes both to a fallback inbox so nothing is lost.

Plus-addressing and auto-generated routes. Companies that issue addresses like [email protected] for each support thread don't want to pre-create every mailbox. Catch-all handles them implicitly.

Smaller IT teams. Maintaining an exhaustive list of valid mailboxes is overhead. Catch-all lets a small admin team enable employees to spin up email aliases without filing tickets.

The trade-off is spam exposure. Every catch-all domain is a magnet for dictionary attacks, where spammers send to thousands of guessed addresses knowing all will be accepted. Most catch-all domains compensate with strong post-acceptance filtering.

The third row is the one that matters for senders. On a normal domain, sending to an invalid address generates an immediate bounce and you can suppress that contact. On a catch-all, the address is accepted at SMTP, the message vanishes inside the receiving server, and your verifier still says 'valid.'

Email verifiers run four checks: syntax, MX records, SMTP handshake, and reputation lookups. The SMTP handshake is the one that normally tells you whether a mailbox exists. On a catch-all domain, that signal is destroyed by design — every probe returns positive.

A naive verifier that reports the SMTP result as the final verdict will mark every catch-all address as valid. The address might be real. It might be a typo nobody reads. It might be a former employee's mailbox that auto-deletes everything. SMTP can't tell the difference.

This is why a serious verifier surfaces catch-all status as a separate signal, not as a binary verdict. user.cleaning's verifier returns is_catch_all: true alongside the category — Grey list by default, with the supporting signals (MX provider, domain age, mailbox-pattern match) exposed so you can score by your own threshold. The full mechanics are in the catch-all email verifier guide.

You can manually check whether a domain is catch-all in five steps:

1. Pick a clearly invalid address: [email protected].
2. Open a terminal and run dig MX target-domain.com to find the receiving server.
3. Telnet or use swaks to send HELO, MAIL FROM, RCPT TO for the test address.
4. Read the response. 550 means normal; 250 means catch-all.
5. Repeat with a real address ([email protected]) — both should return 250 on a catch-all.

This works for diagnostic purposes but isn't viable at scale. For lists, user.cleaning's free verifier runs the same probe automatically and adds the secondary signals.

The honest answer is: it depends on the source of the address. A catch-all address that came from a contact form submission, a tradeshow signup, or a verified data provider is usually a real person. The same address scraped from a third-party list is much riskier.

Three things to weigh:

• Source quality — was the address self-submitted, enriched from a paid provider, or scraped?
• Domain reputation cost — are you in domain warmup, or sending from a well-warmed sender?
• Volume — at low volume, an extra 5% bounce rate may not cross your provider's threshold.

The conservative default for cold outreach: suppress catch-all unless the mailbox pattern matches the company's known format and the domain has positive engagement history.

From a thread on r/emailmarketing where a sender posted bounce-rate metrics across two campaigns:

'I stopped trusting our verifier on catch-all and started filtering them out completely. Bounce rate went from 2.1% to 0.9%. Yes, I lost 30% of my list, but the responses on what remained more than made up for it.'

The same pattern shows up in industry-wide list audits: a meaningful share of B2B contacts come back as risky or catch-all in any verification pass, with no clean answer for that bucket from SMTP alone.