Our catch-all mailbox is overflowing with spam, can we turn it off?
Catch-all (all non-existing addresses on the domain go somewhere) was useful in the 2000s, now mostly a spam amplifier. Spammers brute-force john@, info@, sales@ and you receive everything. Better: only accept existing addresses, hard-bounce the rest at SMTP level.
Try this first
- 1List which aliases you really need: info@, sales@, support@, postmaster@, abuse@. Often four or five addresses, done.
- 2Disable catch-all in M365 (off by default) or your hosting mail panel. Unknown local parts get 5.1.1 mailbox not found.
- 3For postmaster@ and abuse@ (RFC 2142): they must exist and be read. A shared mailbox or IT distribution group.
- 4If older mail still hits non-existing addresses, check mail logs. Sometimes a legitimate vendor still writes @oldalias, fix that separately.
- 5Turning off catch-all loses the dispensable-alias trick (random alias per service for tracking). If you need that, use plus-addressing (info+netflix@yourdomain.com).
When to bring us in
On a legacy domain with hundreds of unknown addresses (M&A legacy), graceful phase-out with logging beats a hard cutover.
See also
- Our emails land in spam for some recipientsAlmost always an SPF, DKIM, or DMARC setting that is wrong or missing, or a sender name that mimics a well-known brand.
- Someone reports receiving phishing emails "from us"Read: spoofing. Someone is abusing your sender name, not necessarily your actual mailbox.
- An email bounces (NDR): delivery failedThe NDR text usually states the exact reason. Reading it is step one.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.