How to Set Up a Catch-All Email on Your Domain (and Why You Might Not Want To)
A catch-all (or wildcard) email address accepts email sent to any address on your domain — even addresses that do not exist. Someone emails typo@yourdomain.com? You get it. anything-at-all@yourdomain.com? You get that too.
Sounds convenient. But there is a significant downside.
How catch-all works
In a standard email setup, if someone emails nonexistent@yourdomain.com, the mail server returns a bounce: "this address does not exist." With a catch-all, the server accepts the email and delivers it to a designated mailbox.
The appeal
- Never miss a typo — If someone misspells your name or guesses an address, you still get the email
- Instant aliases — Give out any address on the fly (
conference2026@yourdomain.com) without creating it first - Simplicity — One rule, all addresses work
The problem: spam magnets
Catch-all addresses accept everything, including:
- Dictionary attacks — Spammers send to
admin@,info@,sales@,contact@,john@,jane@, and hundreds of other common names. With a catch-all, every single one lands in your inbox. - Scraped and guessed addresses — If your domain appears in any public record, spammers will try common prefixes. A catch-all accepts all of them.
- Bounce spam — Spammers forge your domain as the sender address. When their spam bounces, the bounce notification goes to random addresses on your domain. With a catch-all, you receive every bounce.
In practice, enabling a catch-all on a publicly known domain increases spam volume dramatically. What starts as "convenient" quickly becomes "drowning."
The alternative: on-demand aliases
Instead of accepting everything, create aliases explicitly for each purpose:
| Catch-all approach | Alias approach |
|---|---|
| Give out any address, deal with spam later | Create an alias first, give that out |
| All email goes to one inbox | Each alias routes to a specific mailbox |
| Cannot tell which addresses are "real" | Every alias has a purpose (labeled with notes) |
| Cannot disable one address without affecting others | Disable any individual alias with one click |
| No per-address spam control | Per-alias spam threshold, filters, and Shield |
With Cleanbox, creating an alias takes 10 seconds. The small overhead of creating before using gives you full control over each address — including the ability to shut it down independently.
When catch-all actually makes sense
- Brand new domain that is not public yet — spam is not an issue because nobody knows the domain exists
- Internal-only domain that does not receive external email
- Temporary testing during email migration
For any domain that receives email from the public internet, per-alias control is the better approach.
If you already have a catch-all
Disable it and create explicit aliases for every address you actually use. Check your email logs for the past 30 days to see which addresses received legitimate email — create aliases for those. Everything else was probably spam.
