A catch-all email address receives any email sent to your domain that doesn't match an existing mailbox. If someone emails typo@yourdomain.com or oldaddress@yourdomain.com, a catch-all ensures those messages don't bounce, they land somewhere you can read them. It sounds like a safety net, but it comes with serious tradeoffs worth understanding before you enable it.
When an email server receives a message, it checks whether the recipient address matches a known mailbox. If there's no match and no catch-all configured, the server returns a 550 bounce (user not found) to the sender. With a catch-all configured, the server accepts any message for your domain and routes it to a designated inbox instead of bouncing.
In cPanel, you set this under Email > Default Email Address. You can route unmatched mail to a specific mailbox, forward it to an external address, discard it silently, or respond with a failure message. In Google Workspace and Microsoft 365, the equivalent is a "catch-all" routing rule in the admin console.
You're migrating from old email addresses. If you've rebranded or reorganised your email structure, a catch-all catches messages sent to old addresses for a transition period. This is the strongest legitimate use case. Set it up during the migration, monitor it for 3–6 months, then disable it once traffic to old addresses drops off.
You use custom email aliases for tracking. Some businesses create unique addresses per vendor or subscription (e.g., amazon-orders@yourdomain.com, newsletter-nytimes@yourdomain.com). With a catch-all, you can use any address at your domain without pre-creating it. If that address starts receiving spam, you know which service leaked it.
You have a high-value domain with predictable typos. If your domain is short and commonly mistyped, a catch-all captures genuine messages from people who transposed letters in your address. For a small business where every lead matters, this is a reasonable tradeoff.
The most significant problem with catch-all addresses is spam. Spammers use "dictionary attacks", sending email to thousands of randomly-generated addresses at your domain (aaaa@, aaab@, admin@, billing@, etc.) hoping some will be valid. Without a catch-all, the server rejects all invalid addresses, and spammers quickly abandon your domain. With a catch-all, everything is accepted, and your catch-all inbox floods with junk within days of enabling it.
This isn't just an inbox management problem. Accepting large volumes of spam can affect your mail server's reputation, consume storage, and overload your spam filter. If the catch-all inbox is monitored by a person, the signal-to-noise ratio makes it nearly impossible to identify genuine misaddressed emails.
Catch-all addresses cause a secondary problem for businesses that send email to your domain. Email list validation services (NeverBounce, ZeroBounce, etc.) verify addresses by checking whether a server will accept them. A catch-all server accepts everything, so validators can't distinguish valid from invalid addresses at your domain. This means your domain may be flagged as "unverifiable" and excluded from certain mailing list hygiene tools.
It also makes it impossible for senders to know if they have a valid address for you. If someone types your email wrong and you have a catch-all, they'll never get a bounce notification telling them their message didn't reach the right person. They may think they've sent to you when in fact you never saw the message in the expected mailbox.
Use aliases instead. If you want multiple addresses without creating multiple full mailboxes, set up explicit aliases. info@, hello@, sales@ can all forward to the same inbox. This gives you flexibility without accepting all possible addresses.
Set up a time-limited catch-all for migrations. If you're migrating, enable catch-all for a defined period (3–6 months), then disable it. Monitor the inbox weekly during that period and add any legitimate addresses you find as proper aliases on the new system.
Use a discard catch-all. If your main concern is preventing NDR (non-delivery report) spam, configure the catch-all to silently discard unmatched mail rather than deliver it. This stops bounce storms without filling an inbox. It does mean genuine misaddressed emails are lost, but for most businesses that's an acceptable tradeoff.
Log into cPanel and navigate to Email > Default Email Address. Select your domain from the dropdown. Choose either "Forward to Email Address" (enter a real mailbox to receive unmatched mail) or "Discard and send an error to sender" (returns a failure message). Save the setting, it takes effect immediately with no DNS changes required.
In Google Workspace: Admin Console > Apps > Google Workspace > Gmail > Default routing. Create a routing rule that matches "Recipient doesn't match any user" and routes to a designated mailbox. In Microsoft 365: Exchange Admin Center > Mail flow > Rules, create a rule with condition "Recipient is not a member of" your domain's mailboxes.
HostBible hosting plans include full email management via cPanel, create mailboxes, set up aliases, configure catch-all rules, and manage DNS records all in one place.
View Hosting Plans